DMVPN in IKE State

ezuladam
Level 1

Dear All,

I am currently having a problem with my DMVPN with OSPF configuration, as one of my spoke routers (a C1941) is currently in IKE state. At this moment, only 4 spokes are connected to the hubs using almost the same configuration.

My questions are as below:

1) May I know whether only a limited number of spokes can connect if DMVPN routing uses OSPF?

2) Why is my DMVPN in IKE state? Is there anything wrong with the crypto?

SPOKE ROUTER

#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel98, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 ***.***.***.*** 10.10.253.1 IKE 1w5d S

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
<**Destination WAN IP***> <***Source WAN IP***> MM_NO_STATE 0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

 

#sh run int tu98
Building configuration...

Current configuration : 470 bytes
!
interface Tunnel98
bandwidth 1000
ip address 10.10.253.25 255.255.255.0
ip mtu 1400
ip nhrp authentication ***_****
ip nhrp map 10.10.253.1 ***.***.***.***
ip nhrp network-id 100001
ip nhrp nhs 10.10.253.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf mtu-ignore
tunnel source GigabitEthernet0/0
tunnel destination *** *** *** ***
tunnel key 100001
tunnel protection ipsec profile *************_pf
end

 

4 Replies

pigallo
Cisco Employee

Hello.

You should apply the configuration of another spoke router that works for the OSPF/crypto setup.

From a first look there are several errors in your template:

You are not mapping the multicast service to the NBMA address for the NHRP protocol.

You are ignoring the OSPF MTU check, which is not good in a production environment.

You configured the OSPF network type as point-to-multipoint while your tunnel GRE mode is point-to-point. Honestly, this does not make much sense to me.

Troubleshoot DMVPN from the base. Test connectivity/routing to the NBMA addresses and then analyze the crypto setup against that of the hub. Finally check the IGP setup.
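As an added example (not part of the thread or of Cisco's tooling), a small Python script that parses the two show outputs posted above and maps each spoke tunnel that is not UP to the next check, in the order suggested in the reply: NBMA reachability, then crypto against the hub, then the NHRP/tunnel settings. The sample output is constructed to mirror the thread's, with RFC 5737 documentation addresses standing in for the masked WAN IPs.

```python
import re
# Constructed sample modelled on the thread's output; 192.0.2.x / 198.51.100.x are RFC 5737 placeholders for the masked WAN IPs.
SHOW_DMVPN = """\
Interface: Tunnel98, IPv4 NHRP Details
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.0.2.1          10.10.253.1   IKE     1w5d     S
Interface: Tunnel88, IPv4 NHRP Details
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.0.2.2          10.10.247.1    UP     1w1d     S"""
SHOW_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.25   MM_NO_STATE          0 ACTIVE (deleted)
192.0.2.2       198.51.100.25   QM_IDLE           1023 ACTIVE"""
# Row patterns: "ent nbma tunnel-addr state updn attrb" and "dst src state conn-id status"; header rows never match.
PEER_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*$")
SA_RE = re.compile(r"^\s*(\d+\.\S+)\s+\d+\.\S+\s+(\S+)\s+\d+\s+(.+?)\s*$")

def parse_dmvpn(text):
    """Return {(tunnel, nbma_addr): state} for every NHRP peer entry in 'show dmvpn'."""
    peers, tunnel = {}, None
    for line in text.splitlines():
        if m := re.match(r"^Interface: (\S+),", line):
            tunnel = m.group(1)
        elif (m := PEER_RE.match(line)) and tunnel:
            peers[(tunnel, m.group(1))] = m.group(3)
    return peers
def parse_isakmp(text):
    """Return {dst: [(state, status), ...]}; one peer can list several SAs (e.g. a deleted one)."""
    sas = {}
    for line in text.splitlines():
        if m := SA_RE.match(line):
            sas.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return sas
def triage(dmvpn_text, isakmp_text):
    """Map each non-UP tunnel to the next check: NBMA reachability, crypto vs hub, then NHRP."""
    sas, findings = parse_isakmp(isakmp_text), {}
    for (tunnel, nbma), state in parse_dmvpn(dmvpn_text).items():
        if state == "UP":
            continue
        states = [s for s, _ in sas.get(nbma, [])]
        if not states:
            findings[tunnel] = f"no ISAKMP SA: verify the tunnel is unshut and NBMA {nbma} is reachable"
        elif "QM_IDLE" in states:
            findings[tunnel] = "IKE established but NHRP not up: check nhrp network-id, authentication and tunnel key vs hub"
        else:
            findings[tunnel] = f"IKE stuck in {states[0]}: compare the ISAKMP policy and pre-shared key with the hub"
    return findings
```

Feed it the captured output of the two show commands from the spoke; it needs Python 3.8 or newer.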

Hi Pigallo,

Thanks for your response. I forgot to unshut my other DMVPN tunnel. It should be point-to-multipoint, am I right? I have also removed the command "ip ospf mtu-ignore" as instructed by you. I am still checking on this part: "mapping multicast service to NBMA address for NHRP protocol."


#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel98, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 103.*.*.* 10.10.253.1 IKE 2w0d S

Interface: Tunnel120, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 103.*.*.* 10.10.247.1 IKE 00:01:30 S

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
103.*.*.* 211.*.*.* MM_NO_STATE 0 ACTIVE
103.*.*.* 211.*.*.* MM_NO_STATE 0 ACTIVE (deleted)
103.228.*.* 211.*.*.* MM_NO_STATE 0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

#sh run int tu98
Building configuration...

Current configuration : 450 bytes
!
interface Tunnel98
bandwidth 1000
ip address 10.10.253.25 255.255.255.0
ip mtu 1400
ip nhrp authentication ***_****
ip nhrp map 10.10.253.1 103.228.*.*
ip nhrp network-id 100001
ip nhrp nhs 10.10.253.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
tunnel source GigabitEthernet0/0
tunnel destination 103.228.*.*
tunnel key 100001
tunnel protection ipsec profile ***_******_pf
end


====================================================
ONE OF THE OTHER SPOKES THAT CAN FORM DMVPN
===================================================

#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel88, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,


# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 103.*.*.* 10.10.247.1 UP 1w1d S

Interface: Tunnel98, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 103.228.*.* 10.10.253.1 UP 1w4d S

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
103..*.* 175.*.*.* QM_IDLE 1023 ACTIVE
103.228.*.* 175.*.*.* QM_IDLE 1024 ACTIVE

interface Tunnel98
ip address 10.10.253.9 255.255.255.0
ip mtu 1400
ip nhrp authentication ***_****
ip nhrp map 10.10.253.1 103.228.*.*
ip nhrp network-id 100001
ip nhrp nhs 10.10.253.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
tunnel source GigabitEthernet0/0
tunnel destination 103.228.*.*
tunnel key 100001
tunnel protection ipsec profile ****_*****_pf
end


@ezuladam wrote:
Hi Pigallo,

Thanks for your response. I forgot to unshut my other DMVPN tunnel. It should be point-to-multipoint, am I right?

So if you simply forgot to unshut the remote tunnel endpoint, that's okay if it's working now.

About your question, you should know whether your design requires p2p or p2m. It's related to which DMVPN phase you want to implement. Normally phase 3 uses the p2m network type, but it can use broadcast as well. You should share more about your design to choose the better setup.

Hello,

 

On a side note, you could be hitting the bug below. Try and configure:

 

set security-association lifetime kilobytes disable

 

on the affected spoke...

 

Bug Details:

 

DMVPN Spoke stuck in IKE state after heavy traffic
CSCtq39602
Description
Symptom:
DMVPN Tunnel is down with IPSEC configured. The show dmvpn from Spoke shows the state is IKE.
Conditions:
After heavy traffic was pumping from DMVPN Hub to Spoke for some time, from a few minutes to a couple of hours.
Workaround:
Configure "set security-association lifetime kilobytes disable" to disable volume-based rekeying; this will reduce the problem.

 

Also, post the config of the hub...