02-07-2019 01:47 AM
Hello experts
I have two hubs at HQ and 6 spokes. 5 spokes are working fine, but one spoke is having a problem with tunnels.
Issue: Tunnels are active for a few hours and then offline for a few hours!!!
What could be the reason?
Thanks in advance
02-07-2019 02:14 AM
Post the configs (hubs and the spoke).
02-07-2019 02:25 AM
Here you go..
HUB:
crypto isakmp key BEJ56SHA50DMVPN address 106.120.64.62 no-xauth
!
interface Tunnel5656
bandwidth 40000
ip address 10.13.198.4 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication HA18BJ56
ip nhrp map multicast dynamic
ip nhrp network-id 4
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source 195.243.205.104
tunnel mode gre multipoint
tunnel key 4
tunnel protection ipsec profile test_vpn_profile_aes
!
interface GigabitEthernet0/0
description *** Internet Flex1 ***
ip address 195.243.205.105 255.255.255.224 secondary
ip address 195.243.205.104 255.255.255.224
ip access-group internet in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no cdp enable
service-policy output CITRIX-20MB
!
ip route 106.120.64.62 255.255.255.255 195.243.205.99 name Beijing_Tunnel5656
Spoke:
crypto keyring ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BEJ56SHA50DMVPN
!
interface Tunnel5656
bandwidth 20000
ip address 10.13.198.56 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication HA18BJ56
ip nhrp map 10.13.198.4 195.243.205.104
ip nhrp map multicast 195.243.205.104
ip nhrp map 10.13.198.5 212.185.41.196
ip nhrp map multicast 212.185.41.196
ip nhrp network-id 4
ip nhrp holdtime 300
ip nhrp nhs 10.13.198.4 priority 1 cluster 4
ip nhrp nhs 10.13.198.5 priority 2 cluster 4
ip nhrp nhs cluster 4 max-connections 2
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 4
tunnel vrf ISP1
tunnel protection ipsec profile vpn_profile_hasel_aes_2 shared
!
interface GigabitEthernet0/0
description *** ISP#1 CT 10Mbps ***
vrf forwarding ISP1
ip address 106.120.64.62 255.255.255.252
ip access-group internet in
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
no cdp enable
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 106.120.64.61
Thanks
02-07-2019 03:43 AM
Hello,
Are all spokes configured in the same way? Is the actual physical link dropping as well, or just the tunnel?
02-07-2019 11:50 PM
Yes, all spokes are configured in the same way. All are working fine except one spoke.
The physical link is active all the time; only the tunnel is dropping.
Thanks
02-11-2019 07:08 AM
I don't see any EIGRP routing config on the Spoke tunnel. Is that a typo error or an omission?
02-11-2019 06:02 AM
Does anyone have an idea what the issue can be?
02-11-2019 07:26 AM
They are asking if you can provide the hub and spoke EIGRP configuration. When the tunnels are up for a few hours, do the EIGRP neighbors form?
02-13-2019 04:28 AM
Yes, when the tunnels are up and running I can see them in the EIGRP neighbor list.
Thanks
02-11-2019 07:01 AM - edited 02-11-2019 07:03 AM
Hello
Looks like you have EIGRP applied on the hub, but on the spoke you have a static default within a VRF pushing everything out of the physical interface of the DMVPN tunnel, which shouldn't be the case.
Also, the physical interface on the spoke is hardcoded to 100 Mbps, but the CIR of that connected physical interface is stating it's a 10 Mbps circuit.
What are the interface statistics for the physical interface on the spoke?
Check the isakmp/ipsec lifetimes are correct between hub/spoke.
spoke
sh interface gig0/0
sh ip interface gig0/0
sh crypto ipsec security-assoc lifetime
show crypto ipsec sa peer 10.13.198.4
show crypto ipsec sa peer 10.13.198.5
show crypto isakmp sa detail
02-11-2019 09:46 PM
Thanks.
Info: at the moment both tunnels to the hub have been active for the last 7 hours.
Here is the output as you requested:
Thanks
02-14-2019 10:35 PM
At the moment, the tunnels are not up, and I ran the debug cry isa error...
Here is the result from the spoke:
Thanks
02-14-2019 11:04 PM
Compare the ISAKMP policy on the hubs and the spoke.
Do you have any differences in the ISAKMP policy between the spoke and the other working spokes?
02-14-2019 11:07 PM
It's the same on all spokes and the hub:
https://community.cisco.com/t5/routing/ike-phase1-issue/m-p/3802518
Thanks
02-16-2019 01:19 PM
It's clearly obvious that there's a mismatch in your Phase 1 parameters between Hub and Spoke. In the link you provided for another post you created, you have multiple crypto configs, but the output for show crypto isakmp policy on the Hub only shows policy 10, which uses 3DES and is different from the Spoke, which uses AES.
Can you also run a debug crypto isakmp on the Hub and post it? Also post the entire crypto configs for Hub and Spoke.
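The Phase 1 mismatch pointed out in the last reply (3DES in the hub's policy 10, AES on the spoke) can be checked mechanically by diffing the `show crypto isakmp policy` output of both peers. This is an added example, not part of the original thread: the sample outputs are constructed, the function names are hypothetical, and the lifetime line is deliberately not compared.

```python
import re

# Constructed samples in the usual `show crypto isakmp policy` layout
# (illustrative only, not output posted in the thread).
HUB = """Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""
SPOKE = HUB.replace("Three key triple DES",
                    "AES - Advanced Encryption Standard (256 bit keys).")

# Attributes that must be identical on both peers for Phase 1 to complete.
FIELDS = ("encryption algorithm", "hash algorithm",
          "authentication method", "Diffie-Hellman group")
SUITE = re.compile(r"\s*(?:Protection suite of priority (\d+)|Default protection suite)")

def parse_policies(text):
    """Return {priority: {field: value}}; the built-in suite is keyed 'default'."""
    policies, current = {}, None
    for line in text.splitlines():
        head = SUITE.match(line)
        if head:
            current = policies.setdefault(head.group(1) or "default", {})
            continue
        key, sep, value = line.partition(":")
        if current is not None and sep and key.strip() in FIELDS:
            current[key.strip()] = value.strip()
    return policies

def common_proposals(a, b):
    """Priority pairs (a, b) whose Phase 1 attributes all match."""
    sig = lambda p: tuple(p.get(f) for f in FIELDS)
    return [(pa, pb) for pa, va in a.items() for pb, vb in b.items()
            if sig(va) == sig(vb)]

def differences(pa, pb):
    """Fields on which two policies disagree, as {field: (a_value, b_value)}."""
    return {f: (pa.get(f), pb.get(f)) for f in FIELDS if pa.get(f) != pb.get(f)}

if __name__ == "__main__":
    hub, spoke = parse_policies(HUB), parse_policies(SPOKE)
    print("shared proposals:", common_proposals(hub, spoke) or "none")
    for field, (h, s) in differences(hub["10"], spoke["10"]).items():
        print(f"priority 10 {field}: hub={h!r} spoke={s!r}")
```

An empty list from `common_proposals` means the two peers have no ISAKMP policy in common, so each policy number on one side should be compared against every policy on the other, not only the one with the same priority.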