Buy or Renew
Buy or Renew
Join the Catalyst Center Onboarding Ask Me Anything event happening now!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1062
Views
5
Helpful
4
Replies

gre DMVPN 2 tunnels, 1 works one does not

Michael Durham
Level 4
Level 4

‎01-27-2020 06:20 PM

I have a hub router and two spoke routers, and I am having an issue with the VPN working between one spoke and the hub.  The hub (a 3925 router) and spoke CME (a 3925 router) works PERFECTLY!  But the hub to the other spoke WebTest does not work yet I am copying the code from CME spoke so it should work.  All routers are running IOS 15.7 and all have the security license installed.  I have attached trimmed down configs from all three routers and some test results from each too.

I am getting this error when WebTEST tries to connect to the hub:

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.69.253 failed its sanity check or is malformed

What debug command should I run?  What should I look for?

Labels:
Preview file
5 KB
Preview file
4 KB
Preview file
5 KB
Preview file
3 KB
Preview file
3 KB
Preview file
3 KB
0 Helpful
4 Replies 4

Muhammad Awais Khan
Cisco Employee
Cisco Employee

‎01-27-2020 06:30 PM

Hi,

 

I notice that there is mismatch in NHRP Authentication on TestWeb Router.

 

On Hub and CME , you have "ip nhrp authentication Cisco" while on TestWeb you have "ip nhrp authentication R3m0t3PS" under tunnel1 interfaces. Can you change it to Cisco on Testweb to match with every one ?

Deepak Kumar
VIP Alumni
VIP Alumni

‎01-28-2020 12:42 AM

Hi,

NHRP authentication is miss matching as:

On HUB Router:

 

 interface Tunnel1
description mGRE - DMVPN Tunnel for customer remote support
ip address 172.16.0.1 255.255.0.0
no ip redirects
ip nhrp authentication Cisco
ip nhrp network-id 479

 

On Spoke Router:

 

interface Tunnel1
description DMVPN mGRE tunnel to support
ip address 172.16.1.55 255.255.0.0
no ip redirects
ip nhrp authentication R3m0t3PS
ip nhrp map 172.16.0.1 12.4.2.5
ip nhrp map multicast 12.4.2.5
ip nhrp network-id 479

 

You have to make change the NHRP authentication on the Spoke as:

 

interface Tunnel1
description DMVPN mGRE tunnel to support
ip address 172.16.1.55 255.255.0.0
no ip redirects
ip nhrp authentication Cisco
ip nhrp map 172.16.0.1 12.4.2.5
ip nhrp map multicast 12.4.2.5
ip nhrp network-id 479

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

paul driver
VIP
VIP

‎01-28-2020 02:20 AM

Hello

Just like to add to the other comments, 

Both spokes DMVPN tunnels are adminstrative down, both have the duplicate loopback1 addressing and both have a default static route thats incorrect.

 

The default route should read:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Michael Durham
Level 4
Level 4
In response to paul driver

‎01-28-2020 07:10 AM

The ip nhrp authentication settings were/are correct.  I just forgot to change it on the printout.

Neither spoke routers are administratively down.  

HUB -->  SPOKE CME is working

HUB --> SPOKE WebTEST is NOT working

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card