11-11-2022 06:04 AM - edited 04-23-2024 09:31 AM
11-11-2022 09:00 AM - last edited on 11-15-2022 09:47 PM by Translator
Hello,
what if you use the Cisco default transform set (and don't use the one you configured yourself)?
crypto ipsec profile DMVPN-IPSEC-PROFILE
--> no set transform-set DMVPN-IPSEC-TSET
set ikev2-profile DMVPN-IKE-PROFILE
11-11-2022 09:27 AM - last edited on 11-15-2022 09:52 PM by Translator
Still does not work after removing TSET on both spoke and hub, unfortunately:
USA-ATL-QTS-CORE2(config)#crypto ipsec profile DMVPN-IPSEC-PROFILE
USA-ATL-QTS-CORE2(ipsec-profile)#no set transform-set DMVPN-IPSEC-TSET
USA-ATL-QTS-CORE2(ipsec-profile)#end
USA-ATL-QTS-CORE2#
USA-ATL-QTS-CORE2#show
*Nov 11 17:21:37.764: %SYS-5-CONFIG_I: Configured from console by console
USA-ATL-QTS-CORE2#
USA-ATL-QTS-CORE2#clear cry
USA-ATL-QTS-CORE2#clear crypto ik
USA-ATL-QTS-CORE2#clear crypto ikev2 sa
USA-ATL-QTS-CORE2#
*Nov 11 17:22:15.517: IKEv2:Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
Initiator SPI : 1120EC34C7CE4E0F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Nov 11 17:22:15.517: IKEv2:(SESSION ID = 173,SA ID = 1):Verify SA init message
*Nov 11 17:22:15.517: IKEv2:(SESSION ID = 173,SA ID = 1):Insert SA
*Nov 11 17:22:15.518: IKEv2:Searching Policy with fvrf 2, local address X.X.X.X
*Nov 11 17:22:15.518: IKEv2:Found Policy 'DMVPN-IKE-POLICY'
*Nov 11 17:22:15.518: IKEv2:(SESSION ID = 173,SA ID = 1):Processing IKE_SA_INIT message
*Nov 11 17:22:15.518: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Nov 11 17:22:15.518: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'SLA-TrustPoint' 'TP-self-signed-632393052'
*Nov 11 17:22:15.518: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Nov 11 17:22:15.518: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Nov 11 17:22:15.518: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Nov 11 17:22:15.518: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Nov 11 17:22:15.518: IKEv2:(SESSION ID = 173,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Nov 11 17:22:15.518: IKEv2:(SESSION ID = 173,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Nov 11 17:22:15.518: IKEv2:(SESSION ID = 173,SA ID = 1):Request queued for computation of DH key
*Nov 11 17:22:15.518: IKEv2:(SESSION ID = 173,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Nov 11 17:22:15.519: IKEv2:(SESSION ID = 173,SA ID = 1):Request queued for computation of DH secret
*Nov 11 17:22:15.521: IKEv2:(SESSION ID = 173,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Nov 11 17:22:15.521: IKEv2:(SESSION ID = 173,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Nov 11 17:22:15.521: IKEv2:(SESSION ID = 173,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Nov 11 17:22:15.521: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Nov 11 17:22:15.521: IKEv2:(SESSION ID = 173,SA ID = 1):Generating IKE_SA_INIT message
*Nov 11 17:22:15.521: IKEv2:(SESSION ID = 173,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA384 SHA384 DH_GROUP_2048_MODP/Group 14
*Nov 11 17:22:15.521: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Nov 11 17:22:15.521: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'SLA-TrustPoint' 'TP-self-signed-632393052'
*Nov 11 17:22:15.521: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Nov 11 17:22:15.521: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Nov 11 17:22:15.521: IKEv2:(SESSION ID = 173,SA ID = 1):Sending Packet [To X.X.X.X :500/From X.X.X.X:500/VRF i0:f2]
Initiator SPI : 1120EC34C7CE4E0F - Responder SPI : 18FD7DF775AE93BE Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Nov 11 17:22:15.522: IKEv2:(SESSION ID = 173,SA ID = 1):Completed SA init exchange
*Nov 11 17:22:15.522: IKEv2:(SESSION ID = 173,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Nov 11 17:22:15.727: IKEv2:(SESSION ID = 173,SA ID = 1):Received Packet [From X.X.X.X :500/To X.X.X.X:500/VRF i0:f2]
Initiator SPI : 1120EC34C7CE4E0F - Responder SPI : 18FD7DF775AE93BE Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
USA-ATL-QTS-CORE2#
*Nov 11 17:22:15.728: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
USA-ATL-QTS-CORE2#
*Nov 11 17:22:17.565: IKEv2:(SESSION ID = 173,SA ID = 1):Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
Initiator SPI : 1120EC34C7CE4E0F - Responder SPI : 18FD7DF775AE93BE Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
*Nov 11 17:22:17.566: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
USA-ATL-QTS-CORE2#
*Nov 11 17:22:21.417: IKEv2:(SESSION ID = 173,SA ID = 1):Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
Initiator SPI : 1120EC34C7CE4E0F - Responder SPI : 18FD7DF775AE93BE Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
*Nov 11 17:22:21.418: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
USA-ATL-QTS-CORE2#
*Nov 11 17:22:28.677: IKEv2:(SESSION ID = 173,SA ID = 1):Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
Initiator SPI : 1120EC34C7CE4E0F - Responder SPI : 18FD7DF775AE93BE Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
*Nov 11 17:22:28.678: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
USA-ATL-QTS-CORE2#
*Nov 11 17:22:43.601: IKEv2:(SESSION ID = 173,SA ID = 1):Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
Initiator SPI : 1120EC34C7CE4E0F - Responder SPI : 18FD7DF775AE93BE Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
*Nov 11 17:22:43.602: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
USA-ATL-QTS-CORE2#
*Nov 11 17:22:45.523: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Nov 11 17:22:45.523: IKEv2:(SESSION ID = 173,SA ID = 1):Auth exchange failed
*Nov 11 17:22:45.524: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):: Auth exchange failed
*Nov 11 17:22:45.526: IKEv2:(SESSION ID = 173,SA ID = 1):Abort exchange
*Nov 11 17:22:45.526: IKEv2:(SESSION ID = 173,SA ID = 1):Deleting SA
*Nov 11 17:22:45.526: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Nov 11 17:22:45.526: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
USA-ATL-QTS-CORE2#u all
All possible debugging has been turned off
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 209.10.135.20/500 108.209.101.252/500 FVRF/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:14, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 120/0 sec
IPv6 Crypto IKEv2 SA
SPOKE IKE SA:
DMVPN-SPOKE-TEST#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 108.209.101.252/500 209.10.135.20/500 FVRF/FVRF IN-NEG
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
IPv6 Crypto IKEv2 SA
11-11-2022 09:34 AM
Hello,
post the full running configs of both the hub and the spoke...
11-11-2022 09:43 AM
11-11-2022 10:11 AM - last edited on 11-15-2022 09:54 PM by Translator
Hello,
at first glance, I think you have to place the EIGRP into the VRF on both the hub and the spoke...
--> address-family ipv4 vrf FRVF autonomous-system
11-11-2022 10:13 AM - edited 11-11-2022 10:30 AM
EIGRP works just fine with the current configuration once I remove tunnel protection from the tunnel. So no changes need to be made to that configuration. So it is not a configuration issue with EIGRP but with the IPsec policy, I am thinking.
11-11-2022 12:00 PM - last edited on 11-15-2022 09:58 PM by Translator
Hello,
this is going to be trial and error. First, try and change the transport mode (on both routers):
--> crypto ipsec transform-set DMVPN-IPSEC-TSET esp-aes 256 esp-sha256-hmac
mode tunnel
If that doesn't help, change the entire encryption algorithm:
crypto ikev2 proposal DMVPN-IKE-PROPOSAL
encryption aes-cbc-128 aes-cbc-192
integrity sha256 sha512
group 14 15
!
crypto ipsec transform-set DMVPN-IPSEC-TSET esp-aes 192 esp-sha512-hmac
mode tunnel
11-11-2022 12:16 PM - last edited on 11-15-2022 10:03 PM by Translator
No, still no go:
Log from HUB:
Initiator SPI : 895E0752E5F60D27 - Responder SPI : 6EEC1016ECCA629F Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Nov 11 20:13:46.694: IKEv2-ERROR:Address type 1370903749 not supported
*Nov 11 20:13:46.695: IKEv2-ERROR:: A supplied parameter is incorrect
*Nov 11 20:14:32.167: IKEv2-ERROR:(SESSION ID = 245,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
USA-ATL-QTS-CORE2#
*Nov 11 20:14:33.249: IKEv2-ERROR:(SESSION ID = 245,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Nov 11 20:14:33.249: IKEv2:(SESSION ID = 245,SA ID = 1):Auth exchange failed
*Nov 11 20:14:33.250: IKEv2-ERROR:(SESSION ID = 245,SA ID = 1):: Auth exchange failed
*Nov 11 20:14:33.252: IKEv2:(SESSION ID = 245,SA ID = 1):Abort exchange
*Nov 11 20:14:33.252: IKEv2:(SESSION ID = 245,SA ID = 1):Deleting SA
*Nov 11 20:14:33.252: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Nov 11 20:14:33.252: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Nov 11 20:15:01.707: IKEv2-ERROR:Address type 2147505723 not supported
*Nov 11 20:15:01.708: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Nov 11 20:15:01.708: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
Initiator SPI : D7658ADB17E94E8E - Responder SPI : 57AFA5C20B16C19E Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Nov 11 20:15:01.710: IKEv2-ERROR:Address type 1370903749 not supported
*Nov 11 20:15:01.711: IKEv2-ERROR:: A supplied parameter is incorrect
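Both hub debug captures above show the same shape: IKE_SA_INIT completes, then every retransmitted IKE_AUTH request is dropped with "Failed to decrypt an encrypted payload" until the 30 s auth timer expires. The IKE_AUTH SK payload is protected with keys derived from the IKE_SA_INIT DH exchange and the IKEv2 proposal (encryption/PRF), not from the PSK and not from the IPsec transform set, so that symptom points at IKE key derivation rather than at authentication or at the transform-set changes tried in this thread. As an added example that is not part of the thread, this Python helper parses that IOS debug format and classifies each session; the sample log is constructed from the lines quoted above (X.X.X.X kept as on the page, SPI lines omitted because the parser ignores them).

```python
import re
from collections import defaultdict

# Constructed sample in the format of the hub's "debug crypto ikev2" output quoted above.
SAMPLE_LOG = """\
*Nov 11 17:22:15.522: IKEv2:(SESSION ID = 173,SA ID = 1):Completed SA init exchange
*Nov 11 17:22:15.727: IKEv2:(SESSION ID = 173,SA ID = 1):Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
IKEv2 IKE_AUTH Exchange REQUEST
*Nov 11 17:22:15.728: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
*Nov 11 17:22:17.565: IKEv2:(SESSION ID = 173,SA ID = 1):Received Packet [From X.X.X.X:500/To X.X.X.X:500/VRF i0:f2]
IKEv2 IKE_AUTH Exchange REQUEST
*Nov 11 17:22:17.566: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):Failed to parse the packet: Failed to decrypt an encrypted payload
*Nov 11 17:22:45.523: IKEv2-ERROR:(SESSION ID = 173,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
"""

SESSION_RE = re.compile(r"IKEv2(?:-ERROR)?:\(SESSION ID = (\d+),SA ID = \d+\):+\s*(.*)")
EXCHANGE_RE = re.compile(r"^IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")


def parse_ikev2_debug(text):
    """Group debug lines by SESSION ID and count the events that matter for triage."""
    sessions = defaultdict(lambda: dict(init_done=False, auth_requests=0, decrypt_failures=0, auth_timeout=False))
    current = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current, msg = m.group(1), m.group(2)
            if msg.startswith("Completed SA init exchange"):
                sessions[current]["init_done"] = True
            elif "Failed to decrypt an encrypted payload" in msg:
                sessions[current]["decrypt_failures"] += 1
            elif "Failed to receive the AUTH msg" in msg:
                sessions[current]["auth_timeout"] = True
            continue
        # Exchange lines carry no session id; attach them to the last session seen.
        m = EXCHANGE_RE.match(line)
        if m and current and m.group(1) == "IKE_AUTH" and m.group(2) == "REQUEST":
            sessions[current]["auth_requests"] += 1
    return dict(sessions)


def triage(s):
    """Classify one session. SK keys come from the IKE_SA_INIT DH exchange and the IKEv2
    proposal, never from the PSK or IPsec transform set, so decrypt failures mean key mismatch."""
    if s["init_done"] and s["auth_requests"] and s["decrypt_failures"] == s["auth_requests"]:
        return "IKE key material mismatch: SK decrypt failed on all %d IKE_AUTH requests" % s["auth_requests"]
    if s["init_done"] and s["auth_timeout"]:
        return "IKE_AUTH never completed before the auth timer expired"
    if not s["init_done"]:
        return "IKE_SA_INIT not completed (proposal or reachability problem)"
    return "no IKE failure seen"
```

Run it over a full `debug crypto ikev2` capture and check the verdict per SESSION ID; a PSK mismatch would instead show up as an AUTH verification error after a successful decrypt.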
11-11-2022 12:52 PM
It looks like there was something up with that specific router, I just applied that same configuration to a newer router (ISR4431) and it came up just fine lol. Thanks again for your help!
11-11-2022 01:02 PM
Hello,
good to know! Good idea to replace the router. I think the 1921 is EoL, the replacement is the 4221...
11-12-2022 01:26 AM
Is this issue still there, or was it solved after changing the router?
11-12-2022 03:25 AM
The issue was resolved after swapping out 1921 with 4431. Thanks.