We have been running a DMVPN with ISR 2911s for several years without any issues. We just recently installed an ISR4431 at a new location (as the 2911s will be EOL soon), but we are unable to establish connectivity from that location to any others over a dynamic tunnel with a 2911 as their router.
The majority of traffic between spoke locations is VoIP and we're seeing one-way audio. When a user at the 4431 site calls a user at a 2911 site, the 2911 site cannot hear the user at the 4431 site - regardless of who initiates the call.
I can tell that the dynamic tunnel is established (via "sh crypto isakmp sa" and "sh crypto ipsec sa"), but there seems to be no connectivity over this dynamic tunnel. I verified this with a ping from each router, as well. When I force the traffic through our hub site via static routes, the voice call is successful.
My question - is there anything specific to be done on the 4431 router to participate in the DMVPN? I know these are IOS-XE based where the 2911s are IOS-based. For that matter, we're also seeing this with a Cisco 1111X-8P router, which is also IOS-XE.
Can you post the configuration to have a look please.
#sh crypto isakmp sa
#sh crypto ipsec sa
Configurations are attached. It seems that the issue is the 2911 is not receiving the packets from the 4431 over the dynamic tunnel. We see encaps on the 2911, but no decaps - telling me the 2911 is not getting those packets.
The hub configuration of the tunnel interface is below.
ip flow monitor WAN input
ip flow monitor WAN output
ip address 192.168.95.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 *****
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication SHARED
ip nhrp network-id 100
ip nhrp holdtime 450
ip nhrp redirect
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source Loopback2
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN
crypto ipsec profile DMVPN
set transform-set AES-256-SHA
ip address 192.168.199.1 255.255.255.255
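The "encaps but no decaps" observation above is the key diagnostic in this thread: the 2911 is encrypting packets toward the 4431 but never receiving any back over the spoke-to-spoke SA. The following is an added example (not from this thread or from Cisco) that parses "show crypto ipsec sa" output per peer and flags SAs with that asymmetric counter pattern, so the check can be run across a large DMVPN instead of reading counters by hand. The sample output and the peer addresses in it are constructed for the example, modelled on the IOS counter lines; the helper names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of "show crypto ipsec sa" output, modelled on the IOS format.
# It is NOT a capture from the routers in the thread. The first SA reproduces the
# symptom described above: packets are encapsulated toward the peer, none decapsulated.
SAMPLE_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.0.2.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/47/0)
   current_peer 198.51.100.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1534, #pkts encrypt: 1534, #pkts digest: 1534
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.5/255.255.255.255/47/0)
   current_peer 203.0.113.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 88210, #pkts encrypt: 88210, #pkts digest: 88210
    #pkts decaps: 87955, #pkts decrypt: 87955, #pkts verify: 87955
"""

# Each "current_peer" line starts a new SA record; the counter lines follow it.
PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Return one record per peer with its encaps/decaps counters."""
    records: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {"peer": m.group(1), "encaps": 0, "decaps": 0}
            records.append(current)
            continue
        if current is None:
            continue  # header lines before the first peer
        m = ENCAPS_RE.search(line)
        if m:
            current["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            current["decaps"] = int(m.group(1))
    return records


def one_way_peers(records: List[Dict[str, object]], min_encaps: int = 100) -> List[str]:
    """Peers we send to steadily but never hear from: the thread's one-way symptom.

    min_encaps avoids flagging SAs that have only just come up.
    """
    return [
        str(r["peer"])
        for r in records
        if int(r["encaps"]) >= min_encaps and int(r["decaps"]) == 0
    ]


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_OUTPUT)
    for r in sas:
        print(f"{r['peer']}: encaps={r['encaps']} decaps={r['decaps']}")
    print("one-way SAs:", one_way_peers(sas))
```

A peer flagged here is only half the picture: the same check on the other end of the SA should show the mirror image (decaps but no encaps, or both zero). Comparing the two outputs tells you whether the ESP packets are being dropped before the remote router decrypts them or whether they are decrypted and then dropped later, which is the distinction the ZBF discussion further down this thread is trying to make.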
TAC suggested to me yesterday to add "ip nhrp shortcut" on the 2911 configuration and "ip nhrp redirect" on the hub router. Unfortunately, those suggestions didn't help.
Check if the ZBF might be the problem by removing 'zone-member security WAN' from one of the tunnel interfaces on the hub...
More specifically, one of the restrictions of the Zone Based Firewall in XE is:
I actually tried removing ZBF. I took out the zone-member security command from every tunnel and subinterface on the 4431, but the problem still existed.
This is also present on a 4451 that was never configured for ZBF.
The ZBF is configured on your LAN interfaces as well, as far as I can see. Do you actually need the ZBF? Try and remove all interfaces from the ZBF...
I did remove it from all interfaces - all tunnel interfaces from the WAN zone and all LAN interfaces from their respective zones. The dynamic tunnel still didn't establish.
We really don't need ZBF, but our security policy dictates that we have to have some form of filtering/firewalling on these branch office routers. Since we were doing the 4431s as a POC for replacing the 2911s, this is what we were stuck with.
Could there be something strange with IOS-XE and DMVPN? I've now seen this on two 4400 series routers and I'm also seeing this issue on C1111X routers, which are running IOS-XE.
Did you try adding "ip nhrp map multicast dynamic" on spokes and hub? What does "show dmvpn" say? Is EIGRP peering between the two established?
"ip nhrp map multicast dynamic" is already configured on both the spokes and the hub.
I have a TAC case open about this, but I think everyone is stumped. This only seems to happen when we try to establish a tunnel between an IOS device and an IOS-XE device. When we try this between the 4431 and 1111 routers, it seems like ZERO packets are encrypted or decrypted.