DMVPN with 4431 and 2911s

aweise
Level 1

We have been running a DMVPN with ISR 2911s for several years without any issues. We just recently installed an ISR4431 at a new location (as the 2911s will be EOL soon), but we are unable to establish connectivity from that location to any others over a dynamic tunnel with a 2911 as their router.

The majority of traffic between spoke locations is VoIP and we're seeing one-way audio. When a user at the 4431 site calls a user at a 2911 site, the 2911 site cannot hear the user at the 4431 site, regardless of who initiates the call.

I can tell that the dynamic tunnel is established (via "sh crypto isakmp sa" and "sh crypto ipsec sa"), but there seems to be no connectivity over this dynamic tunnel. I verified this with a ping from each router as well. When I force the traffic through our hub site via static routes, the voice call is successful.

My question: is there anything specific to be done on the 4431 router to participate in the DMVPN? I know these are IOS-XE based, whereas the 2911s are IOS-based. For that matter, we're also seeing this with a Cisco 1111X-8P router, which is also IOS-XE.

8 Replies

balaji.bandi
Hall of Fame

Can you post the configuration to have a look please.

#show run

#show version

#show license

#sh crypto isakmp sa

#sh crypto ipsec sa

BB


Configurations are attached. It seems that the issue is the 2911 is not receiving the packets from the 4431 over the dynamic tunnel. We see encaps on the 2911, but no decaps, telling me the 2911 is not getting those packets.

The hub configuration of the tunnel interface is below.

interface Tunnel100
bandwidth 50000
ip flow monitor WAN input
ip flow monitor WAN output
ip address 192.168.95.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 *****
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication SHARED
ip nhrp network-id 100
ip nhrp holdtime 450
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 1000
qos pre-classify
keepalive 10 3
tunnel source Loopback2
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN

crypto ipsec profile DMVPN
set transform-set AES-256-SHA

interface Loopback2
ip address 192.168.199.1 255.255.255.255

TAC suggested to me yesterday to add "ip nhrp shortcut" on the 2911 configuration and "ip nhrp redirect" on the hub router. Unfortunately, those suggestions didn't help.
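The encaps-without-decaps observation above is a useful check to automate when more than a couple of spokes are involved. The following script is an added example, not code from any poster or from Cisco: it parses "show crypto ipsec sa" output and lists every peer whose SA shows packets encapsulated but none decapsulated. The sample output is constructed for this example, using RFC 5737 documentation addresses rather than any real peer.

```python
import re
from typing import Dict, List

# Constructed sample of "show crypto ipsec sa" output (not taken from the thread):
# one healthy peer and one peer that sends but never receives, the one-way symptom.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 192.168.199.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.199.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.10/255.255.255.255/47/0)
   current_peer 198.51.100.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8421, #pkts encrypt: 8421, #pkts digest: 8421
    #pkts decaps: 8390, #pkts decrypt: 8390, #pkts verify: 8390

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.199.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.25/255.255.255.255/47/0)
   current_peer 203.0.113.25 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)\s+port\s+(\d+)", re.M)
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(output: str) -> Dict[str, Dict[str, int]]:
    """Return {peer: {"encaps": n, "decaps": n}} for each SA block in the output."""
    peers: Dict[str, Dict[str, int]] = {}
    # Every SA block begins with a "protected vrf" line; the text before the first one is the header.
    for block in re.split(r"(?m)^\s*protected vrf", output)[1:]:
        peer, enc, dec = PEER_RE.search(block), ENCAPS_RE.search(block), DECAPS_RE.search(block)
        if not (peer and enc and dec):
            continue  # incomplete block (e.g. an SA still negotiating); skip it
        peers[peer.group(1)] = {"encaps": int(enc.group(1)), "decaps": int(dec.group(1))}
    return peers


def one_way_peers(counters: Dict[str, Dict[str, int]], min_encaps: int = 100) -> List[str]:
    """Peers we have sent real traffic to (>= min_encaps) but received nothing back from."""
    return sorted(p for p, c in counters.items() if c["encaps"] >= min_encaps and c["decaps"] == 0)


if __name__ == "__main__":
    stats = parse_sa_counters(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    for peer in one_way_peers(stats):
        print(f"one-way SA towards {peer}: encaps={stats[peer]['encaps']} decaps=0")
```

Run it twice, once with the output captured on each end of a suspect tunnel: a peer that appears as one-way on one router and healthy on the other confirms the drop is between the two, not in the SA itself.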

Hello,

Check if the ZBF might be the problem by removing 'zone-member security WAN' from one of the tunnel interfaces on the hub...

More specifically, one of the restrictions of the Zone Based Firewall in XE is:

  • The zone-based firewall is not supported along with dynamic interfaces. These interfaces are created or deleted dynamically when traffic is tunneled into tunnels such as IPsec or VPN secure tunnels.

I actually tried removing ZBF. I took out the zone-member security command from every tunnel and subinterface on the 4431, but the problem still existed.

This is also present on a 4451 that was never configured for ZBF.

Hello,

The ZBF is configured on your LAN interfaces as well, as far as I can see. Do you actually need the ZBF? Try and remove all interfaces from the ZBF...

I did remove it from all interfaces, all tunnel interfaces from the WAN zone and all LAN interfaces from their respective zones. The dynamic tunnel still didn't establish.

We really don't need ZBF, but our security policy dictates that we have to have some form of filtering/firewalling on these branch office routers. Since we were doing the 4431s as a POC for replacing the 2911s, this is what we were stuck with.

Could there be something strange with IOS-XE and DMVPN? I've now seen this on two 4400 series routers and I'm also seeing this issue on C1111X routers, which are running IOS-XE.

Did you try adding "ip nhrp map multicast dynamic" on spokes and hub? What does "show dmvpn" say? Is EIGRP peering between the two established?

"ip nhrp map multicast dynamic" is already configured on both the spokes and the hub.

I have a TAC case open about this, but I think everyone is stumped. This only seems to happen when we try to establish a tunnel between an IOS device and an IOS-XE device. When we try this between the 4431 and 1111 routers, it seems like ZERO packets are encrypted or decrypted.
