cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
681
Views
0
Helpful
8
Replies
Beginner

DMVPN with 4431 and 2911s

We have been running a DMVPN with ISR 2911s for several years without any issues. We just recently installed an ISR4431 at a new location (as the 2911s will be EOL soon), but we are unable to establish connectivity from that location to any others over a dynamic tunnel with a 2911 as their router.

 

The majority of traffic between spoke locations is voip and we're seeing one-way audio. When a user at the 4431 site calls a user at a 2911 site, the 2911 site can not hear the user at the 4431 site - regardless of who initiates the call.

 

I can tell that the dynamic tunnel is established (via "sh crypto isakmp sa" and "sh crypto ipsec sa"), but there seems to be no connectivity over this dynamic tunnel. I verified this with a ping from each router, as well. When I force the traffic through our hub site via static routes, the voice call is successful.

 

My question - is there anything specific to be done on the 4431 router to participate in the DMVPN? I know these are IOS-XE based where the 2911s are IOS-based. For that matter, we're also seeing this with a Cisco 1111X-8P router, which is also IOS-XE. 

Everyone's tags (1)
8 REPLIES 8
Highlighted
VIP Advisor

Re: DMVPN with 4431 and 2911s

Can you post the configuration to have look please.

 

#show run

#show version

#show license

#sh crypto isakmp sa

#sh crypto ipsec sa

BB
*** Rate All Helpful Responses ***
Highlighted
Beginner

Re: DMVPN with 4431 and 2911s

Configurations are attached. It seems that the issue is the 2911 is not receiving the packets from the 4431 over the dynamic tunnel. We see encaps on the 2911, but no decaps - telling me the 2911 is not getting those packets.

 

The hub configuration of the tunnel interface is below.

 

interface Tunnel100
bandwidth 50000
ip flow monitor WAN input
ip flow monitor WAN output
ip address 192.168.95.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 *****
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication SHARED
ip nhrp network-id 100
ip nhrp holdtime 450
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
qos pre-classify
keepalive 10 3
tunnel source Loopback2
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN

 

crypto ipsec profile DMVPN
set transform-set AES-256-SHA

 

interface Loopback2
ip address 192.168.199.1 255.255.255.255

 

TAC suggested to be yesterday to add "ip nhrp shortcut" on the 2911 configuration and "ip nhrp redirect" on the hub router. Unfortunately, those suggestions didn't help.

Highlighted
VIP Mentor

Re: DMVPN with 4431 and 2911s

Hello,

 

check if the ZBF might be the problem by removing 'zone-member security WAN' from one of the tunnel interfaces on the hub...

 

More specifically, one of the restrictions of the Zone Based Firewall in XE is:

 

  • The zone-based firewall is not supported along with dynamic interfaces. These interfaces are created or deleted dynamically when traffic is tunneled into tunnels such as IPsec or VPN secure tunnels.
Highlighted
Beginner

Re: DMVPN with 4431 and 2911s

I actually tried removing ZBF. I took out the zone-member security command from every tunnel and subinterface on the 4431, but the problem still existed.

 

This is also present on a 4451 that was never configured for ZBF. 

Highlighted
VIP Mentor

Re: DMVPN with 4431 and 2911s

Hello,

 

the ZBF is configured on your LAN interfaces as well as far as I can see. Do you actually need the ZBF ? Try and remove all interfaces from the ZBF...

Highlighted
Beginner

Re: DMVPN with 4431 and 2911s

I did remove it from all interfaces - all tunnel interfaces from the WAN zone and all LAN interfaces from their respective zones. The dynamic tunnel still didn't establish. 

 

We really don't need ZBF, but our security policy dictates that we have to have some form of filtering/firewalling on these branch office routers. Since we were doing the 4431s as a POC for replacing the 2911s, this is what we were stuck with. 

 

Could there be something strange with IOS-XE and DMVPN? I've now seen this on two 4400 series routers and I'm also seeing this issue on C1111X routers, which are running IOS-XE.

Highlighted
Beginner

Re: DMVPN with 4431 and 2911s

Did you try adding "ip nhrp map multicast dynamic" on spokes and hub?  What does "show dmvpn" say?  Is EIGRP peering between the two established?

Highlighted
Beginner

Re: DMVPN with 4431 and 2911s

"ip nhrp map multicast dynamic" is already configured on both the spokes and the hub. 

 

I have a TAC case open about this, but I think everyone is stumped. This only seems to happen when we try to establish a tunnel between an IOS device and and IOS-XE device. When we try this between the 4431 and 1111 routers, it seems like ZERO packets are encrypted or decrypted

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here