DMVPN MM_NO_STATE ISSUE

Dear all,

I am trying to connect a dynamic VPN between HQ, with public static IP 82.114.179.120, and a branch with dynamic IP 46.35.80.59.

The state is varying between CONF_XAUTH and MM_NO_STATE.

Please can you go through the debug files to help solve the issue. The tunnel interface is 10. The show run is after the debug.

Thanks for your support.

Regards,

Cisco Freak
Level 4

Can you please post the configuration at the branch side?

Also, why is the HQ router showing a source IP of 46.35.80.59?

CF

Hi Freak,

HQ is also configured to receive VPN for remote access, but it shows receiving packets from the source 46.35.80.59 as below:

*Mar 19 06:58:44.899: ISAKMP (1176): received packet from 46.35.80.59 dport 500 sport 500 Global (R) CONF_XAUTH
*Mar 19 06:58:44.903: ISAKMP (1176): received packet from 46.35.80.59 dport 500 sport 500 Global (R) CONF_XAUTH

*Mar 19 06:59:15.127: ISAKMP (0): received packet from 46.35.80.59 dport 500 sport 500 Global (N) NEW SA
*Mar 19 06:59:15.127: ISAKMP: Created a peer struct for 46.35.80.59, peer port 500
*Mar 19 06:59:15.131: ISAKMP: New peer created peer = 0x2B56FC68 peer_handle = 0x800000CF
*Mar 19 06:59:15.131: ISAKMP: Locking peer struct 0x2B56FC68, refcount 1 for crypto_isakmp_process_block
*Mar 19 06:59:15.131: ISAKMP:(0):Setting client config settings 31CE79C8
*Mar 19 06:59:15.131: ISAKMP:(0):(Re)Setting client xauth list  and state
*Mar 19 06:59:15.131: ISAKMP/xauth: initializing AAA request
*Mar 19 06:59:15.131: ISAKMP: local port 500, remote port 500
*Mar 19 06:59:15.131: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B32CF1C
*Mar 19 06:59:15.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 19 06:59:15.131: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Any idea to solve my issue?

Would you be able to provide the full config from both the ends? I suspect some mismatch in policy or some other parameter.

CF

Hi Freak,

The show run is at the end of the debug files.

Thanks

Hi Mohammed,

What is the significance of these 2 commands in the config? Are they getting authenticated and authorized well?

crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs

These commands and this router are used for remote VPN client access.

Can you answer my question below:

Can the Cisco spoke DMVPN router connect to two different hubs using 2 different tunnels?

Yes, it can be done.

Hi Mr. Freak again,

Below is the latest config with the MM_NO_STATE state.

HQ, which is configured to accept remote VPN clients using a crypto map, is configured for dynamic VPN with the branch.

HQ's static public IP is 82.114.179.120, tunnel 10 IP is 172.16.10.1 and the local LAN is 192.168.1.0.

The branch has a dynamic public IP, tunnel 10 IP 172.16.10.32 and local LAN 192.168.32.0. It is also configured using tunnel 0 with another HQ, which works fine.

The branch LAN (192.168.32.0) needs to access the HQ LAN (192.168.1.0).

HQ:

aaa authentication login acs local
aaa authorization network acs local
!
aaa session-id common
!
ip cef
!

ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!

redundancy
!

controller VDSL 0/1/0
!

crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 3600 5
crypto isakmp nat keepalive 3600
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group NAMA
 key namanama
 pool mypool
 acl 101
 save-password
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
 set isakmp-profile ccp-dmvpn-isakmprofile
!

crypto dynamic-map map 10
 set transform-set test
 reverse-route
!
crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map

!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 shutdown
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/1/0
 description DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1

!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname nama20004
 ppp chap password 0 220004
 ppp pap sent-username nama20004 password 0 220004
 crypto map i-map
!
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
!

HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)


Branch show run:

!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key users@NAMA address 82.114.179.105
crypto isakmp key users@NAMA address 82.114.179.120
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
!
crypto ipsec profile To-Taiz-Profile
 set transform-set To-Taiz
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.0.1 82.114.179.105
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.105
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.10.1 82.114.179.120
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.10.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.120
 tunnel key 22334455
 tunnel protection ipsec profile To-Taiz-Profile
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet1
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet2
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet3
 description ## CONNECT TO LAN ##
 no ip address
!
interface Vlan1
 description ## LAN INTERFACE ##
 ip dhcp client hostname none
 ip address 192.168.32.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname mohammadaa
 ppp chap password 0 123456
 ppp pap sent-username mohammadaa password 0 123456
!
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 172.16.0.1
ip route 192.168.1.0 255.255.255.0 172.16.10.1
!
ip sla auto discovery
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!

Branch#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)
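
One way to catch this class of hub/spoke mismatch mechanically, as an added example that is not part of the thread: the Tunnel10 stanzas below are excerpted from the two configs posted above, and the parameter list and finding text are my own choices, not a Cisco tool.

```python
import re
# Tunnel10 stanzas excerpted from the configs posted above (sample input for this example).
HQ_CFG = """\
interface Tunnel10
 ip nhrp authentication DMVPN_NW
 ip nhrp network-id 100000
 shutdown
 tunnel key 100000
!
"""
BRANCH_CFG = """\
interface Tunnel10
 ip nhrp authentication DMVPN_NW
 ip nhrp network-id 100000
 tunnel key 22334455
!
"""
# Parameters that must agree on hub and spoke; each regex captures the configured value.
CHECKS = {
    "tunnel key": r"^tunnel key (\S+)$",
    "nhrp network-id": r"^ip nhrp network-id (\S+)$",
    "nhrp authentication": r"^ip nhrp authentication (\S+)$",
}

def parse_interfaces(cfg):
    """Map each interface name to the list of its (stripped) sub-commands."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return ifaces

def first_value(lines, pattern):  # group 1 of the first matching line, else None
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), None)

def tunnel_mismatches(hub_cfg, spoke_cfg, iface):
    """Return findings that would keep the DMVPN tunnel from coming up."""
    hub, spoke = (parse_interfaces(c).get(iface, []) for c in (hub_cfg, spoke_cfg))
    findings = [f"{iface} is administratively shut down on the hub"] if "shutdown" in hub else []
    for name, pattern in CHECKS.items():
        h, s = first_value(hub, pattern), first_value(spoke, pattern)
        if h != s:
            findings.append(f"{name} differs: hub={h} spoke={s}")
    return findings
```

Run against the posted stanzas it reports the hub-side `shutdown` and the differing `tunnel key` values, both of which prevent the GRE/NHRP layer from ever reaching the IPsec negotiation shown in the debug.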

Is your HQ tunnel 0 shutdown for a reason?

Hi,

Can the Cisco spoke DMVPN router connect to two different hubs using 2 different tunnels?

Regards,

Yes, it is possible that you can create two different tunnels for two different interfaces of the Spoke router connected to two different Hubs.
