DMVPN routing issues

R3Natas · ‎05-31-2019

Hello, currently I have a working DMVPN setup between my HQ and BRANCH office, on my branch side we are running Cisco CME for VoIP communications and my ultimate goal is to reach call manager from head office to connect phones. Currently I am experiencing some routing issues and can't find the right answer whether I'm doing something wrong or my task is impossible. I will try to explain the current situation as clear as possible.

Here is the diagram of my current setup, on HQ side I am using Cisco 871 router as Hub, routes are done via EIGRP

router eigrp 100
 network 10.10.0.0 0.0.255.255
 network 10.75.10.0 0.0.0.255
 network 10.128.234.0 0.0.0.255
 network 172.16.32.200 0.0.0.7
 no auto-summary

Here I share my main HQ subnet, DMVPN tunnel and two OPENVPN subnets for DC

On Branch side I use Cisco 2811 as Spoke, with routes

router eigrp 100
 network 10.248.100.0 0.0.0.255
 network 10.249.0.0 0.0.0.255
 network 172.16.32.200 0.0.0.7
 network 192.168.249.0
 no auto-summary

Here I share main Branch subnet, DMVPN tunnel and 2 CME subnets for DATA and VOICE (VLAN 101, 102)

Current situation is this, looking at routes from branch I see this

R2800_Spoke1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.249.1 to network 0.0.0.0

     172.16.0.0/29 is subnetted, 1 subnets
C       172.16.32.200 is directly connected, Tunnel0
C    192.168.249.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/16 is subnetted, 1 subnets
D       10.10.0.0 [90/15362560] via 172.16.32.201, 00:09:12, Tunnel0
S*   0.0.0.0/0 [1/0] via 192.168.249.1

The spoke only sees heads office main subnet, but no 10.75.10.0/24 and 10.128.234.0/24

On Hub side I see

R800_Hub1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.0.1 to network 0.0.0.0

     172.16.0.0/29 is subnetted, 1 subnets
C       172.16.32.200 is directly connected, Tunnel0
D    192.168.249.0/24 [90/3842560] via 172.16.32.202, 00:11:01, Tunnel0
     10.0.0.0/16 is subnetted, 1 subnets
C       10.10.0.0 is directly connected, FastEthernet4
S*   0.0.0.0/0 [1/0] via 10.10.0.1

Here the Hub only sees Branch main subnet, but no 10.249.0.0/24 and 10.248.100.0/24

On HQ CORE router I have these routes:

to 10.75.10.0/24 via 10.10.0.2

to 10.128.234.0/24 via 10.10.0.2

to 172.16.32.200/29 via 10.10.10.204

to 192.168.249.0/24 via 10.10.10.204

to 10.248.100.0/24 via 10.10.10.204

to 10.249.0.0/24 via 10.10.10.204

On BRANCH CORE router I have these routes:

to 172.16.32.200/29 via 192.168.249.101

to 10.10.0.0/16 via 192.168.249.101

to 10.75.10.0/24 via 192.168.249.101

to 10.128.234.0/24 via 192.168.249.101

to 10.248.100.0/24 via 192.168.249.101

to 10.249.0.0/24 via 192.168.249.102

Currently I only have full access between core networks 10.10.0.0/16 <-> 192.168.249.0/24

My goal is to reach CME from HQ and to reach OPENVPN from BRANCH

Any thoughts? Thanks.

Rob Ingram · ‎05-31-2019

Hi,
What is the configuration of your Tunnel interfaces?

You need to make sure the Hub Tunnel at least re-advertises the spokes route back over the Tunnel interface. On the Spoke's you need to make sure you are using a mGRE tunnel mode.

HUB

interface Tunnel1
no ip split-horizon eigrp 100
no ip next-hop-self eigrp 100
tunnel mode gre multipoint

SPOKE
interface Tunnel1
tunnel mode gre multipoint

HTH

R3Natas · ‎05-31-2019

Yes, I'm using the exact config you provided

HUB

interface Tunnel0
 bandwidth 1000
 ip address 172.16.32.201 255.255.255.248
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication test123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile test

SPOKE

interface Tunnel0
 bandwidth 1000
 ip address 172.16.32.202 255.255.255.248
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test123
 ip nhrp map multicast 20.0.0.1
 ip nhrp map 172.16.32.201 20.0.0.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.32.201
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile test

Rob Ingram · ‎05-31-2019

Ok, those static routes on either the hub or spoke are not in the output of your "show route" are the interfaces shutdown leading to the next hop? If they are not in the local routing table they won't be redistributed.

R3Natas · ‎05-31-2019

Yes, they are one hop away, I found a solution, on the Spoke side I configured static routes to 10.128.234.0/24 and 10.75.10.0/24, on hub to 10.249.0.0/24 and 10.248.100.0/24, everything works fine now. Only problem is left, to route VLANS across Hub and Spoke as I understand I can't just program switch to work on VLAN101 and VLAN102 which is not on the same site, so as I understand I should somehow create L2TPv3 over DMVPN tunnel, but not sure if I'm thinking correctly

Giuseppe Larosa · ‎05-31-2019

Hello

you just need to redistribute the static routes in EIGRP

router eigrp <AS-number>

redistribute static

default-metric 5000 10 1 1 1500

!

Towards the switch it will see D EX routes as a result of reditribution in both HUB and Spoke routers.

A seed metric is needed to make redistribution into EIGRP to work that is done by default-metric command.

If the switch does not run EIGRP just configure a static default route to the router in the same site with next-hop the IP address in the internal LAN.

You don't need L2TPV3 because you have L3 routing in place.

Hope to help

Giuseppe

R3Natas · ‎06-01-2019

Hello, Giuseppe,

Thanks, again, for your help, I will try to play with default-metric settings, but currently I'm pretty fine with static routes configured on both sides, only problem left is VLAN's, first I thought I should route VLAN over DMVPN tunnel, but then I thought there is no point in that, so on Hub site I configured VLAN 10 for voice and provided option 150 in DHCP which point's to CME in Spoke side which operates on VLAN 20, but for some reason, phones don't register, so is it because of the VLAN or I missing something in configuration?

R3Natas · ‎06-01-2019

Little bit of troubleshooting shows that I cannot ping Call Manager. Forgot to configure static routes, now it pings and finds CME, but wont register

Giuseppe Larosa · ‎06-01-2019

Hello R3Natas,

DHCP option 150 provides the TFTP server address and should be populated with the CME IP address.

In order for the phones to be able to register with the CME in the hub spoke you need end to end routing over the DMVPN tunnel because you need bidirectional IP communications.

Can you ping from a device in Vlan 10 IP subnet in HUB site to the Spoke Site CME IP address in Vlan 20?

In addition to this you need to create a separate DHCP scope for IP phones in Vlan 10 in hub site with appropriate DHCP options configured.

In real world you need to route over the DMVPN tunnel either using dynamic routing (preferred) or using static routes with outgoing interface the tunnel.

However static routes in your case using an MGRE tunnel should refer to the IP next-hop (internal IP address in the DMVPN subnet ie. the addresses resolved by NHRP) in order to have traffic to go over the tunnel.

I haven't understood how you have configured your static routes.

Hope to help

Giuseppe

R3Natas · ‎06-01-2019

I will try to explain as clear as possible, currently communication between Spoke and Hub works perfectly, all subnets reach each other. Static routes are done in two places on both ends:

Hub

ip route 0.0.0.0 0.0.0.0 10.10.0.1
ip route 10.248.100.0 255.255.255.0 172.16.32.202
ip route 10.249.0.0 255.255.255.0 172.16.32.202

Spoke

ip route 0.0.0.0 0.0.0.0 192.168.249.1
ip route 10.75.10.0 255.255.255.0 172.16.32.201
ip route 10.128.234.0 255.255.255.0 172.16.32.201
ip route 10.148.100.0 255.255.255.0 172.16.32.201
ip route 10.149.0.0 255.255.255.0 172.16.32.201

EIGRP you have seen before and on both end routers I configured static routes between these subnets

Now with voice, on Spoke side I have Cisco 2921 as CME, with next config (relevant part)

ip dhcp pool DATA
 network 10.248.100.0 255.255.255.0
 default-router 10.248.100.1
 dns-server 10.10.0.2
!
ip dhcp pool VOICE
 network 10.249.0.0 255.255.255.0
 default-router 10.249.0.1
 option 150 ip 10.249.0.1
!
interface GigabitEthernet0/1
 bandwidth 122880
 ip address dhcp
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.248
 encapsulation dot1Q 248
 ip address 10.248.100.1 255.255.255.0
!
interface GigabitEthernet0/1.249
 encapsulation dot1Q 249
 ip address 10.249.0.1 255.255.255.0
!
telephony-service
 no auto-reg-ephone
 max-ephones 24
 max-dn 24
 ip source-address 10.249.0.1 port 2000

So currently TFTP and CM sits at 10.249.0.1, I can reach it from phones and other devices, but phones won't register, I only see "Registering" on the phone, tried telnet to 10.249.0.1 port 2000 said "connection refused", so maybe there is an ACL issue?
DHCP for PHONES

ip dhcp pool VOICE
   network 10.149.0.0 255.255.255.0
   default-router 10.149.0.1
   option 150 ip 10.249.0.1
!
interface FastEthernet4.149
 encapsulation dot1Q 149
 ip address 10.149.0.1 255.255.255.0
!

Giuseppe Larosa · ‎06-01-2019

Hello RS19,

ok the routing is using static routes over the MGRE tunnels. This is acceptable.

About your issues with phones I see the following:

>>

telephony-service
 no auto-reg-ephone     ! this means that auto-registration is disabled
 max-ephones 24         ! max number of phones is 24
 max-dn 24              ! max number of phone lines/numbers is 24

So the following questions arise:

a) on the CME have you configured manually the phones that are in the Hub site ? Because auto-registration is disabled this CME is not "plug and play" and does not accept an SCCP session on port TCP 2000 by an unconfigured phone.

I mean you would need something like:

ephone-dn 65
number 428
label Line Laboratory
name Line Laboratory
hold-alert 30 originator
!

With an additional command that specifies the mac address of the phone, because you have autoregistration disabled.

b) In case you have configured the phones on the hub site. How many phones are registered on the Spoke site on CME? there is a limit of 24 phones.

Hope to help

Giuseppe

R3Natas · ‎06-01-2019

Currently I have configured 4 out of 24 phones and yes, I have added mac addresses of every phone to the CME, so there is no need for auto registration, but, unfortunately, phones, which are written into CME are not registering, although they are configured in the CME

Giuseppe Larosa · ‎06-02-2019

Hello R3Natas,

Ok so your configuration on CME is fine. You have provisioned the MAC addresses of the phones in CME and total number of phones is 4 < 24.

Can you ping from Vlan 10 IP subnet to the CME IP address in Spoke site ?

You have written that attempt to telnet to port TCP 2000 is refused by CME.

Is the CME configured to use SCCP (TCP 2000) or to use SIP (UDP 5060) with the phones?

Depending on phone models they may prefer to use SIP protocol rather then SCCP.

Have you got phones registered with CME in spoke site?

From routing point of view the use of dynamic routing would be preferred but if the ping test is successful between the two subnets the routing is ok.

Hope to help

Giuseppe

R3Natas · ‎06-03-2019

Thank you very much for your time and support, I finally managed to register my phones with CME on remote site. The problem was with the spoke's core router which was not friendly with vlans, so I decided to put a Cisco switch between core router and the Spoke and Cisco CME router and everything started to work perfectly. Thanks again!