DMVPN issue

ittechk4u1
Level 4

Hello experts

I have two hubs at HQ and 6 spokes. 5 spokes are working fine, but one spoke is having a problem with its tunnels.

Issue: Tunnels are active for a few hours and then offline for a few hours !!!

What could be the reason?

Thanks in advance

15 Replies

a.alekseev
Level 7

post the configs (hubs and the spoke)

Here you go..

HUB:

crypto isakmp key BEJ56SHA50DMVPN address 106.120.64.62 no-xauth
!
interface Tunnel5656
 bandwidth 40000
 ip address 10.13.198.4 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication HA18BJ56
 ip nhrp map multicast dynamic
 ip nhrp network-id 4
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 tunnel source 195.243.205.104
 tunnel mode gre multipoint
 tunnel key 4
 tunnel protection ipsec profile test_vpn_profile_aes
!
interface GigabitEthernet0/0
 description *** Internet Flex1 ***
 ip address 195.243.205.105 255.255.255.224 secondary
 ip address 195.243.205.104 255.255.255.224
 ip access-group internet in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no cdp enable
 service-policy output CITRIX-20MB
!
ip route 106.120.64.62 255.255.255.255 195.243.205.99 name Beijing_Tunnel5656


Spoke:

crypto keyring ISP1 vrf ISP1
 pre-shared-key address 0.0.0.0 0.0.0.0 key BEJ56SHA50DMVPN
!
interface Tunnel5656
 bandwidth 20000
 ip address 10.13.198.56 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication HA18BJ56
 ip nhrp map 10.13.198.4 195.243.205.104
 ip nhrp map multicast 195.243.205.104
 ip nhrp map 10.13.198.5 212.185.41.196
 ip nhrp map multicast 212.185.41.196
 ip nhrp network-id 4
 ip nhrp holdtime 300
 ip nhrp nhs 10.13.198.4 priority 1 cluster 4
 ip nhrp nhs 10.13.198.5 priority 2 cluster 4
 ip nhrp nhs cluster 4 max-connections 2
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 4
 tunnel vrf ISP1
 tunnel protection ipsec profile vpn_profile_hasel_aes_2 shared
!
interface GigabitEthernet0/0
 description *** ISP#1 CT 10Mbps ***
 vrf forwarding ISP1
 ip address 106.120.64.62 255.255.255.252
 ip access-group internet in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex full
 speed 100
 no cdp enable
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 106.120.64.61


Thanks

Hello,

Are all spokes configured in the same way? Is the actual physical link dropping as well, or just the tunnel?

Yes, all spokes are configured in the same way. All are working fine except one spoke.

The physical link is active all the time; only the tunnel is dropping.

Thanks

I don't see any EIGRP routing config on the Spoke tunnel. Is that a typo error or an omission?

ittechk4u1
Level 4

Anyone have an idea what the issue could be?

They are asking if you can provide the hub and spoke EIGRP configuration. When the tunnels are up for a few hours, do the EIGRP neighbors form?

Yes, when the tunnels are up and running, I can see them in the EIGRP neighbor list.

Thanks

Hello

Looks like you have EIGRP applied on the hub, but on the spoke you have a static default within a VRF pushing everything out of the physical interface of the DMVPN tunnel, which shouldn't be the case.

Also, the physical interface on the spoke is hard-coded to 100Mbps but the CIR of that connected physical interface states it's a 10Mbps circuit.

What are the interface statistics for the physical interface on the spoke?
Check the isakmp/ipsec lifetimes are correct between hub/spoke.

spoke
sh interface gig0/0
sh ip interface gig0/0
sh crypto ipsec security-assoc lifetime
show crypto ipsec sa peer 10.13.198.4
show crypto ipsec sa peer 10.13.198.5
show crypto isakmp sa detail


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks.

Info: at the moment both tunnels to the HUBs have been active for the last 7 hours.

Here is the output you requested:

SPOKE1#sh interface gig0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is d48c.b5ea.fa10 (bia d48c.b5ea.fa10)
Description: *** ISP#1 CT 10Mbps ***
Internet address is 106.120.64.62/30
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 9/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:02, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 3914000 bits/sec, 429 packets/sec
5 minute output rate 560000 bits/sec, 261 packets/sec
36320848 packets input, 123369565 bytes, 0 no buffer
Received 257889 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 34023 multicast, 0 pause input
21861547 packets output, 2206387594 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
34023 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
SPOKE1#
SPOKE1#sh ip interface gig0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 106.120.64.62/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is internet
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
VPN Routing/Forwarding "ISP1"
Downstream VPN Routing/Forwarding ""
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Access List, MCI Check
Output features: Post-Input-Flexible-NetFlow
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled

SPOKE1#sh crypto ipsec security-assoc lifetime
Kilobyte Volume Rekey has been disabled.
Security association lifetime:3600 seconds

SPOKE1#show crypto ipsec sa peer 10.13.198.4
SPOKE1#
SPOKE1#show crypto ipsec sa peer 10.13.198.5
SPOKE1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1118 221.123.160.154 218.104.50.122 ACTIVE aes sha psk 1 09:04:36
Engine-id:Conn-id = SW:118
1115 106.120.64.62 123.172.16.170 ACTIVE aes sha psk 1 09:03:18
Engine-id:Conn-id = SW:115
1114 221.123.160.154 123.138.200.2 ACTIVE aes sha psk 1 09:03:14
Engine-id:Conn-id = SW:114
1117 106.120.64.62 58.214.2.170 ACTIVE aes sha psk 1 09:03:47
Engine-id:Conn-id = SW:117
1120 106.120.64.62 195.243.205.104 ACTIVE aes sha psk 1 13:14:36
Engine-id:Conn-id = SW:120
1113 106.120.64.62 117.38.168.2 ACTIVE aes sha psk 1 09:03:13
Engine-id:Conn-id = SW:113
1112 106.120.64.62 123.151.193.42 ACTIVE aes sha psk 1 09:02:35
Engine-id:Conn-id = SW:112
1109 106.120.64.62 116.246.31.146 ACTIVE aes sha psk 1 09:02:27
Engine-id:Conn-id = SW:109
1110 221.123.160.154 211.95.31.106 ACTIVE aes sha psk 1 09:02:28
Engine-id:Conn-id = SW:110
1119 106.120.64.62 212.185.41.196 ACTIVE aes sha psk 1 12:37:33
Engine-id:Conn-id = SW:119
1116 221.123.160.154 61.138.187.18 ACTIVE aes sha psk 1 09:03:18
Engine-id:Conn-id = SW:116
1111 221.123.160.154 61.181.254.138 ACTIVE aes sha psk 1 09:02:34
Engine-id:Conn-id = SW:111
IPv6 Crypto ISAKMP SA
SPOKE1#

Thanks

At the moment the tunnels are not up, and I ran debug cry isa error...

Here is the result from the spoke:


.Feb 15 06:31:34.644: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:31:34.644: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:31:34.644: ISAKMP-ERROR: (0):no offers accepted!
.Feb 15 06:31:34.644: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 195.243.205.104)
.Feb 15 06:31:34.648: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.104)
.Feb 15 06:31:34.648: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
.Feb 15 06:31:34.648: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.104)
.Feb 15 06:31:54.436: ISAKMP-ERROR: (0):ignoring request to send delete notify (no ISAKMP sa) src 106.120.64.62 dst 195.243.205.104 for SPI 0x0
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):no offers accepted!
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 212.185.41.196)
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 212.185.41.196)
.Feb 15 06:31:54.448: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
.Feb 15 06:31:54.448: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 212.185.41.196)

 

 

Thanks
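As an added example (not from the thread), a small Python parser that groups these `debug crypto isakmp error` lines by remote peer, so the mismatched phase-1 attribute and the SA teardowns are visible per hub; the sample lines are a constructed subset of the output above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "debug crypto isakmp error" lines quoted in this thread,
# as seen on SPOKE1 while it initiates main mode towards the two hubs.
SAMPLE_DEBUG = """\
.Feb 15 06:31:34.644: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:31:34.644: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:31:34.644: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 195.243.205.104)
.Feb 15 06:31:34.648: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.104)
.Feb 15 06:31:34.648: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 212.185.41.196)
.Feb 15 06:31:54.444: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 212.185.41.196)
"""

# IOS log line: optional leading '.', timestamp, then the ISAKMP-ERROR message.
LINE_RE = re.compile(r"^\.?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ISAKMP-ERROR: \(\d+\):(?P<msg>.*)$")
PEER_RE = re.compile(r"\b(?:remote|peer) (\d{1,3}(?:\.\d{1,3}){3})")
# Attribute-level complaints are printed before the per-peer "not acceptable" line.
ATTR_RE = re.compile(r"^(?P<attr>.+?) offered does not match policy!")


def summarize_phase1_failures(debug_text):
    """Group ISAKMP-ERROR lines by peer: mismatched attributes, SA deletions, time span."""
    pending = []  # attribute mismatches seen before the peer address is named
    peers = defaultdict(lambda: {"reasons": set(), "deletes": 0, "first": None, "last": None})
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg").strip()
        attr = ATTR_RE.match(msg)
        if attr:
            pending.append(attr.group("attr"))
            continue
        peer = PEER_RE.search(msg)
        if not peer:
            continue
        rec = peers[peer.group(1)]
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        if "policy not acceptable" in msg:
            rec["reasons"].update(pending or ["unspecified phase-1 attribute"])
            pending = []
        elif msg.startswith("deleting SA"):
            rec["deletes"] += 1
    return dict(peers)
```

Feeding the full debug from the post into `summarize_phase1_failures` shows that both hubs reject the spoke's proposal for the same attribute, which points at the spoke's policy rather than a single hub.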

Compare the isakmp policy on the hubs and the spoke.

Do you have any differences in the isakmp policy between the spoke and the other working spokes?

It's the same on all spokes and the hub:

https://community.cisco.com/t5/routing/ike-phase1-issue/m-p/3802518

Thanks

It's clearly obvious that there's a mismatch in your Phase 1 parameters between Hub and Spoke. In the link you provided for another post you created, you have multiple crypto configs, but the output for show crypto isakmp policy on the Hub only shows policy 10, which uses 3DES and is different from the Spoke, which uses AES.

Can you run a debug crypto isakmp on the Hub as well and post it? Also post the entire crypto configs for the Hub and Spoke.
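To make the policy comparison concrete, here is an added Python emulation (not from the thread or from Cisco) of how an IOS responder selects an IKEv1 phase-1 policy, run over constructed policy blocks modelled on the description above (hub policy 10 with 3DES, spoke proposing AES); the posters' real policies are not on this page, and the "fixed" hub block is an assumption used only to show a successful match.

```python
import re

# IOS fills in these defaults for attributes a "crypto isakmp policy" block does not set.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")

# Constructed policies modelled on the thread's description (hub policy 10 = 3DES, spoke = AES);
# the real running-configs are not on this page.
HUB_POLICY = "crypto isakmp policy 10\n encr 3des\n authentication pre-share\n group 2\n"
SPOKE_POLICY = "crypto isakmp policy 10\n encr aes 256\n authentication pre-share\n group 5\n"
# Assumed hub with an extra policy 5 whose attributes match what the spoke proposes.
HUB_POLICY_FIXED = "crypto isakmp policy 5\n encr aes 256\n authentication pre-share\n group 5\n" + HUB_POLICY


def parse_isakmp_policies(config_text):
    """Return {priority: attrs} for every 'crypto isakmp policy' block, defaults applied."""
    policies, cur = {}, None
    for raw in config_text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", raw)
        if m:
            cur = int(m.group(1))
            policies[cur] = dict(DEFAULTS)
            continue
        if cur is None or not raw.startswith(" "):  # only indented lines belong to the open block
            cur = None
            continue
        key, _, val = raw.strip().partition(" ")
        key = "encryption" if key == "encr" else key
        if key in DEFAULTS:
            policies[cur][key] = "aes 128" if val == "aes" else val  # bare 'aes' means 128-bit
    return policies


def find_phase1_match(initiator, responder):
    """Emulate the responder: walk its policies by priority, accept the first initiator proposal
    with identical encryption/hash/auth/group; IOS also requires its own lifetime <= the initiator's."""
    for rp, r in sorted(responder.items()):
        for ip, i in sorted(initiator.items()):
            if all(r[k] == i[k] for k in MATCH_KEYS) and int(r["lifetime"]) <= int(i["lifetime"]):
                return rp, ip
    return None


def explain_mismatch(initiator, responder):
    """For every policy pair, list the attributes that differ (what the debug output complains about)."""
    return [(rp, ip, [k for k in MATCH_KEYS if r[k] != i[k]])
            for rp, r in sorted(responder.items()) for ip, i in sorted(initiator.items())]
```

Because matching is attribute-for-attribute with no negotiation of encryption or DH group, a spoke whose only policy differs from every hub policy in even one of those four fields will never complete main mode; `show crypto isakmp policy` on each end is the authoritative input for this check.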
