01-18-2012 11:41 AM - edited 03-04-2019 02:57 PM
Hi,
I'm having issues with one of my spoke routers connecting to the DMVPN. The 3G connection appears to be OK, it's not dropping;
however, the tunnel keeps dropping and OSPF has to keep learning again and again. This is my first site with a 3G connection; all the others
are either on fibre or ADSL and they just work. The configs are below; any assistance would be greatly appreciated.
Thank you for your time and effort in advance.
---------------------------------------------------------------------------------------------
Hub
---------------------------------------------------------------------------------------------
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key <removed> address <removed>
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 60
!
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-VPN esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-DMVPN esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile dmvpn
description Dynamic Multi-Point VPN IPSEC Policy
set transform-set ESP-SHA-HMAC-AES-256-DMVPN
set pfs group5
!
interface Tunnel0
description --- Tunnel Int -- DMVPN Entry ---$FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip flow egress
ip nhrp authentication dmvpn
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip virtual-reassembly in
ip virtual-reassembly out
no ip route-cache cef
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
delay 1000
mpls ip
cdp enable
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpn
!
interface Loopback0
description --- Loopback ---
ip address 10.100.0.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
router ospf 1
router-id 10.100.0.1
log-adjacency-changes detail
network 10.0.0.0 0.0.0.255 area 1
network 10.0.1.1 0.0.0.0 area 1
network 10.0.1.0 0.0.0.3 area 1
network 10.0.2.2 0.0.0.0 area 1
network 10.0.2.0 0.0.0.3 area 1
network 10.0.99.0 0.0.0.15 area 1
network 10.100.0.1 0.0.0.0 area 1
!
access-list 101 remark Route-map Internet Access List
access-list 101 remark Denying Tunnel Traffic
access-list 101 deny ip 10.100.0.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 101 deny ip 10.100.0.0 0.0.0.255 10.70.0.0 0.0.0.255
access-list 101 deny ip 10.100.0.0 0.0.0.255 10.80.0.0 0.0.0.255
access-list 101 remark Permitting Local Subnet Traffic
access-list 101 permit ip 10.0.1.0 0.0.0.3 any
!
route-map nonat permit 10
description NAT Route-Map
match ip address 101
!
---------------------------------------------------------------------------------------------------------
3G Spoke
---------------------------------------------------------------------------------------------------------
!
chat-script connect "" "ATDT*98*1#" TIMEOUT 30 CONNECT
!
!
!
controller Cellular 0/0
!
ip tcp synwait-time 10
ip ssh source-interface Loopback0
ip ssh logging events
ip ssh version 2
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key <removed> address <removed>
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 60
!
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-VPN esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-DMVPN esp-aes 256 esp-sha-hmac
mode transport
!
!
crypto ipsec profile dmvpn
description Dynamic Multi-Point VPN IPSEC Policy
set transform-set ESP-SHA-HMAC-AES-256-DMVPN
set pfs group5
!
!
interface Loopback0
description --- Loopback ---
ip address 10.70.0.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface Tunnel0
description --- Tunnel to DD-CR-GLENORIE ---$FW_INSIDE$
ip address 10.0.0.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip flow egress
ip nhrp authentication dmvpn
ip nhrp map 10.0.0.1 <removed>
ip nhrp map multicast <removed>
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.1
ip virtual-reassembly in
no ip route-cache cef
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 10000
ip ospf 1 area 1
mpls ip
cdp enable
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpn
!
interface Cellular0/0/0
bandwidth 5760
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no ip route-cache cef
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
!
interface Cellular0/0/1
no ip address
encapsulation ppp
!
interface Dialer0
bandwidth 5760
ip address negotiated
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect FireWall out
ip virtual-reassembly in
encapsulation ppp
no ip route-cache cef
dialer pool 1
dialer idle-timeout 0
dialer string connect
dialer persistent
dialer-group 1
keepalive 10 3
ppp authentication chap pap callin
ppp chap hostname dummy
ppp chap password 7 050F13022C55
no cdp enable
!
router ospf 1
router-id 10.70.0.1
log-adjacency-changes detail
network 10.0.0.0 0.0.0.255 area 1
network 10.0.70.1 0.0.0.0 area 1
network 10.0.70.0 0.0.0.3 area 1
network 10.0.77.0 0.0.0.15 area 1
network 10.70.0.1 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
ip http access-class 1
no ip http secure-server
!
!
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip tacacs source-interface Loopback0
!
access-list 100 remark Original External Ports Access List
access-list 100 permit udp host <removed> any eq non500-isakmp
access-list 100 permit udp host <removed> any eq isakmp
access-list 100 permit esp host <removed> any
access-list 100 permit ahp host <removed> any
access-list 100 permit gre host <removed> any
access-list 100 permit icmp host <removed> any
access-list 100 permit ospf host <removed> any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip any any log
access-list 101 remark Route-map Internet Access List
access-list 101 remark Denying Tunnel Traffic
access-list 101 deny ip 10.70.0.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 101 deny ip 10.70.0.0 0.0.0.255 10.80.0.0 0.0.0.255
access-list 101 deny ip 10.70.0.0 0.0.0.255 10.100.0.0 0.0.0.255
access-list 101 remark Permitting Local Subnet Traffic
access-list 101 permit ip 10.0.70.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 1
description Net Traffic Route-Map
match ip address 101
01-20-2012 07:56 AM
Try a continuous ping to see if there are connectivity blankouts.
01-21-2012 02:38 PM
Yes, there are.
Also, whenever I try to do anything intensive, like copying a file to the server at that location, it times out completely and the tunnel drops. It does come back, OSPF has to relearn the routes again, and then we are back to square one.
It's strange.