Solved: Re: DMVPN Phase II. Spoke to Spoke tunnels issues

Carlosperez1601 · ‎07-12-2018

Hello Experts,

I really wish you could help me with the problem that I have.

I am using this design from DMVPN.

I have a Hub behind a firewall using static NAT. I have 2 ISP links, one active for DMVPN 1 and one pasive (backup) for DMVPN 2. If primary ISP fails, using IP SLA the Hub and the firewall will change to the secondary ISP and form the tunnels for DMVPN 2.

DMVPN 1 -----> Tunnel 0

DMVPN 2 -----> Tunnel 1

Until this point everything works fine, the issue is when I try to deploy Phase II for spoke to spoke tunnels.

-The Spoke to Spoke traffic continues to travel through the Hub router instead of creating a dynamic tunnel between the Spokes. (Although in the routing table the route points to another spoke with a Traceroute it is validated that it continues to cross through the HUB)

-The connectivity between the Spokes takes approximately 1 minute to be successful.

-I have connectivity from any Spoke to Spoke2 but from Spoke 2 to any other Spoke I have no communication. (When I put the command show ip nhrp in Spoke 2 all the entries has the public address of the others Spokes, but in the others Spokes when I run this command all the entries have the public address of the router HUB).

Attached is Routing table, DMVPN config and NHRP entries of each device.

a.alekseev · ‎07-12-2018

for spoke to spoke communication you must have pre-shared key which you haven't.

There are only keys for hub on spokes.
You can use 0.0.0.0 0.0.0.0 like on hub

View solution in original post

a.alekseev · ‎07-12-2018

for spoke to spoke communication you must have pre-shared key which you haven't.

There are only keys for hub on spokes.
You can use 0.0.0.0 0.0.0.0 like on hub

Carlosperez1601 · ‎07-13-2018

Thank you very much! This resolved the problem with the Spoke to Spoke tunnels.

I see another issue with some Spokes that use NAT. Those sites don't complete the spoke to spoke tunnels. I think this is because they are using NAT PAT instead static NAT.

Georg Pauwen · ‎07-12-2018

Hello,

at first glance, it looks like you forget to disable split horizon and next hop self on the spokes. Try to add the lines marked in bold to your spokes:

interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 40 10
ip hold-time eigrp 40 60
no ip next-hop-self eigrp 40
no ip split-horizon eigrp 40
ip nhrp authentication Example
ip nhrp map multicast x.x.x.x (Hub NBMA address DMVPN1)
ip nhrp map 10.0.0.1 x.x.x.x (Hub NBMA address DMVPN1
ip nhrp network-id 10
ip nhrp nhs 10.0.0.1
ip nhrp registration timeout 10
ip tcp adjust-mss 1360
load-interval 30
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile Remote50 shared

Carlosperez1601 · ‎07-13-2018

Thank you for your Help!

The solution to my problem was to add the pre-shared key on every Spoke to allow the creation of Spoke to Spoke tunnels.

crypto isakmp key Example123 address 0.0.0.0 no-xauth

The commands "no ip next-hop-self eigrp 40" and "no ip split-horizon eigrp 40" are only necessary in the HUB.