07-24-2019 06:30 AM
Hi all,
So, I am configuring a failover DMVPN with IPsec. Everything works fine. However, when I go to configure the IPsec profile for the second tunnel on the branch (spoke router), I get the error below:
"Branch1(config-if)#tunnel protection ipsec profile cisco shared
Error: All interfaces sharing this IPSec profile must be configured using the 'shared' keyword'.
Eg: tunnel protection ipsec profile foo shared
"
Please can anyone help?
See config below, please.
Building configuration...
Current configuration : 2295 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Branch1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.20.1
ip nhrp map multicast 209.168.20.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Tunnel1
ip address 192.168.2.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.2.1 199.200.50.1
ip nhrp map multicast 199.200.50.1
ip nhrp network-id 2
ip nhrp nhs 192.168.2.1
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 1
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface POS1/0
ip address 209.168.21.1 255.255.255.252
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
!
router eigrp 123
network 4.4.4.0 0.0.0.255
network 192.168.1.0
network 209.168.21.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 209.168.21.2
ip route 3.3.3.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
07-31-2019 07:03 PM
If you look at the information from the capture, you'll notice that the source and destination protocol addresses are the same address. This indicates that your IP address at your spoke is the same as at your Hub. Change your Spoke's address and your tunnel should come up.
You do need shortcut at your Branch sites, just not usually on your hub routers. You need redirect on your hub routers. When traffic hits your hub router and is switched back into your DMVPN cloud (like if the traffic is going to your other Branch site), the Hub will send a redirect message to your Branch router. This lets the originating Branch site know a more direct path exists. The shortcut is what the originating Spoke will send towards the destination. In the shortcut message, the spoke will insert its reachability information directly in the packet.
The following article is one of my favorites for DMVPN's spoke-to-spoke behavior: https://blog.ine.com/2008/12/23/dmvpn-phase-3
07-24-2019 06:44 AM - edited 07-24-2019 06:49 AM
Hi,
You need to apply the "shared" keyword to the IPSec profile on both Tunnel0 and Tunnel1
interface tunnel0
tunnel protection ipsec profile cisco shared
interface tunnel1
tunnel protection ipsec profile cisco shared
HTH
07-25-2019 12:35 AM - edited 07-25-2019 12:39 AM
I've noticed you are using a different tunnel source interface for the tunnels. All tunnels with the same tunnel source interface must use the same IPsec profile and the shared keyword with the tunnel protection command.
Create a 2nd IPSec profile and attach that to one of the tunnels.
EDIT: It looks like you've modified the source interfaces from the original post. Check POS1/0 (Tunnel0) and POS6/0 (Tunnel1) are the correct source interfaces.
HTH
07-25-2019 04:33 AM
Hello,
on the hub, add the line in bold to your tunnel configurations:
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Tunnel1
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip split-horizon eigrp 123
no ip next-hop-self eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
tunnel source POS6/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
07-25-2019 02:57 PM
Hello,
have a look at the complete configs I put together (important parts marked in bold). Make sure yours look identical:
Branch
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Branch1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
no ip next-hop-self eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.20.1
ip nhrp map multicast 209.168.20.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 60
ip nhrp shortcut
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco shared
!
interface Tunnel1
ip address 192.168.2.2 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
no ip next-hop-self eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.2.1 199.200.50.1
ip nhrp map multicast 199.200.50.1
ip nhrp network-id 2
ip nhrp nhs 192.168.2.1
ip nhrp holdtime 60
ip nhrp shortcut
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco shared
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface POS1/0
ip address 209.168.21.1 255.255.255.252
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
router eigrp 123
network 4.4.4.0 0.0.0.255
network 192.168.1.0
network 192.168.2.0
network 209.168.21.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 209.168.21.2
ip route 3.3.3.0 255.255.255.0 Tunnel0
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
--------------
Hub
HeadQ
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HeadQ
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool pool1
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
track 1 ip sla 30 reachability
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
ip nhrp redirect
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Tunnel1
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
no ip split-horizon eigrp 123
no ip next-hop-self eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp shortcut
ip nhrp redirect
tunnel source POS6/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
ip nat inside
duplex full
!
interface POS1/0
ip address 209.168.20.1 255.255.255.252
ip nat outside
shutdown
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
interface POS6/0
ip address 199.200.50.1 255.255.255.0
ip nat outside
!
!
router eigrp 123
network 1.0.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
!
ip nat inside source route-map NAT_01 interface POS1/0 overload
ip nat inside source route-map NAT_02 interface POS6/0 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 209.168.20.2 track 1
ip route 0.0.0.0 0.0.0.0 209.168.20.2
ip route 0.0.0.0 0.0.0.0 199.200.50.2 2
ip route 209.168.21.0 255.255.255.252 209.168.20.2
ip route 209.168.22.0 255.255.255.252 209.168.20.2
ip route 209.168.23.0 255.255.255.252 209.168.20.2
!
ip access-list standard ACL_Dnat
permit 192.168.3.0 0.0.0.255
!
ip sla 30
icmp-echo 209.168.20.2 source-interface POS1/0
threshold 1000
timeout 1000
frequency 10
ip sla schedule 30 life forever start-time now
!
route-map NAT_01 permit 10
match ip address ACL_Dnat
match interface POS1/0
!
route-map NAT_02 permit 10
match ip address ACL_Dnat
match interface POS6/0
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
07-28-2019 08:52 AM
Hi George,
Looks like I might have broken something while trying to apply the fix you gave me.
I cannot even ping my Tunnel0 routes now (meaning I cannot ping 4.4.4.4 (Branch route) from HeadQ).
Am I missing something here?
+++++++
HQ:
HeadQ(config-if)#
HeadQ(config-if)#do sh run
Building configuration...
Current configuration : 3341 bytes
!
! Last configuration change at 01:36:27 UTC Mon Jul 29 2019
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HeadQ
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool pool1
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 ip sla 30 reachability
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip split-horizon eigrp 90
no ip split-horizon eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Tunnel1
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 123
no ip split-horizon eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
shutdown
tunnel source POS6/0
tunnel mode gre multipoint
tunnel key 1
!
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
ip nat inside
duplex full
!
interface POS1/0
ip address 209.168.20.1 255.255.255.252
ip nat outside
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
interface POS6/0
ip address 199.200.50.1 255.255.255.0
ip nat outside
!
!
router eigrp 123
network 1.0.0.0
network 1.1.1.0 0.0.0.255
network 192.168.1.0
network 192.168.3.0
!
ip nat inside source route-map NAT_01 interface POS1/0 overload
ip nat inside source route-map NAT_02 interface POS6/0 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 209.168.20.2 track 1
ip route 0.0.0.0 0.0.0.0 209.168.20.2
ip route 0.0.0.0 0.0.0.0 199.200.50.2 2
ip route 209.168.21.0 255.255.255.252 209.168.20.2
ip route 209.168.22.0 255.255.255.252 209.168.20.2
ip route 209.168.23.0 255.255.255.252 209.168.20.2
!
ip access-list standard ACL_Dnat
permit 192.168.3.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
!
ip sla 30
icmp-echo 209.168.20.2 source-interface POS1/0
threshold 1000
timeout 1000
frequency 10
ip sla schedule 30 life forever start-time now
!
route-map NAT_01 permit 10
match ip address ACL_Dnat
match interface POS1/0
!
route-map NAT_02 permit 10
match ip address ACL_Dnat
match interface POS6/0
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
++++++++++++++++
Branch
Branch1(config-if)#do sh run
Building configuration...
Current configuration : 2367 bytes
!
! Last configuration change at 15:50:28 UTC Sun Jul 28 2019
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Branch1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.20.1
ip nhrp map multicast 209.168.20.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Tunnel1
ip address 192.168.2.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.2.1 199.200.50.1
ip nhrp map multicast 199.200.50.1
ip nhrp network-id 2
ip nhrp nhs 192.168.2.1
shutdown
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 1
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface POS1/0
ip address 209.168.21.1 255.255.255.252
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
!
router eigrp 123
network 4.4.4.0 0.0.0.255
network 192.168.1.0
network 209.168.21.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 209.168.21.2
ip route 3.3.3.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
07-28-2019 10:02 AM
You don't want to mix Phase2 and Phase3 on the same tunnel (or in the same DMVPN Cloud). It can cause runaway NHRP processes. Luckily, it's rate limited by default to prevent a disaster.
Let's remove all of the Phase2 and Phase3 stuff, since that is not going to impact basic reachability, only the ability to build spoke-to-spoke tunnels and how we build them. Remove "ip nhrp shortcut" and "ip nhrp redirect" from all tunnels. Put all tunnels back to their normal next-hop-self behavior: "ip next-hop-self eigrp 123".
Now, verify reachability. Ping on your underlay from your branch site, make sure you can reach the NBMA address for your hub routers. Ping "209.168.20.1" and "199.200.50.1".
If you can ping those, ping the tunnel IPs of the Hub. Ping "192.168.1.1" and "192.168.2.1".
If you can ping those, your IPSec config and DMVPN config are fine, and you need to fix your routing protocol. Right now, you're missing the network statement for Tunnel1 on both the Hub and Spoke. You also have the wrong AS configured in your "no split horizon" config on Tunnel0 at your hub.
If you can't ping the tunnel IPs, then either DMVPN or IPSec is having an issue. Post the results of the following commands: "show cry is sa" "show dmvpn".
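The checks above (the `shared` keyword rule from the earlier reply, the EIGRP AS mismatch and the missing Tunnel1 network statement, and the Phase 2/Phase 3 mix) can be turned into a lint over a pasted `show run`. This is an added example, not code from the thread or from Cisco; the sample config is constructed from the posted Branch1 config with the mistakes left in, and the finding messages are this example's own.

```python
"""Lint a 'show run' for the DMVPN mistakes called out in this thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample cut down from the Branch1 config above, mistakes left in.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip next-hop-self eigrp 123
 ip nhrp shortcut
 tunnel source POS1/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Tunnel1
 ip address 192.168.2.2 255.255.255.0
 no ip split-horizon eigrp 90
 tunnel source POS1/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco shared
!
router eigrp 123
 network 4.4.4.0 0.0.0.255
 network 192.168.1.0
!
"""


def parse_blocks(text):
    """Return [(header, [sub-lines])] for interface and router eigrp blocks.
    Blocks close on '!' not indentation, so forum pastes without spaces parse."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("interface ", "router eigrp ")):
            current = (line, [])
            blocks.append(current)
        elif line in ("!", ""):
            current = None
        elif current is not None:
            current[1].append(line)
    return blocks


def eigrp_networks(blocks):
    """Return (AS numbers, networks); 'network' without a wildcard is classful."""
    ases, nets = set(), []
    for header, lines in blocks:
        if not header.startswith("router eigrp "):
            continue
        ases.add(header.split()[2])
        for m in (re.match(r"network (\S+)(?: (\S+))?$", l) for l in lines):
            if not m:
                continue
            addr, wildcard = m.groups()
            if wildcard:  # invert the wildcard bits to get a subnet mask
                mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
            else:  # classful: A below 128, B below 192, otherwise C
                first = int(addr.split(".")[0])
                mask = 8 if first < 128 else 16 if first < 192 else 24
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return ases, nets


def lint(text):
    """Return a list of findings; an empty list means the config is clean."""
    blocks = parse_blocks(text)
    ases, nets = eigrp_networks(blocks)
    findings = []
    by_src_profile = defaultdict(list)  # (tunnel source, profile) -> [(tunnel, has shared)]
    for header, lines in blocks:
        if not header.startswith("interface Tunnel"):
            continue
        name, cfg = header.split()[1], "\n".join(lines)
        src = re.search(r"^tunnel source (\S+)$", cfg, re.M)
        prot = re.search(r"^tunnel protection ipsec profile (\S+)( shared)?$", cfg, re.M)
        if src and prot:
            by_src_profile[(src.group(1), prot.group(1))].append((name, bool(prot.group(2))))
        # per-interface EIGRP knobs must name an AS that is actually configured
        for m in re.finditer(r"^no ip (?:split-horizon|next-hop-self) eigrp (\d+)$", cfg, re.M):
            if m.group(1) not in ases:
                findings.append(f"{name}: references EIGRP AS {m.group(1)}, configured: {sorted(ases)}")
        # the tunnel address must fall inside some 'network' statement
        addr = re.search(r"^ip address (\S+) \S+$", cfg, re.M)
        if addr and not any(ipaddress.ip_address(addr.group(1)) in n for n in nets):
            findings.append(f"{name}: {addr.group(1)} is not covered by any EIGRP network statement")
        # Phase 2 (no next-hop-self) and Phase 3 (shortcut/redirect) on one tunnel
        if re.search(r"^no ip next-hop-self eigrp", cfg, re.M) and re.search(r"^ip nhrp (?:shortcut|redirect)$", cfg, re.M):
            findings.append(f"{name}: mixes Phase 2 next-hop-self with Phase 3 shortcut/redirect")
    # tunnels sharing a source and a profile must all carry 'shared' (the IOS error above)
    for (src, profile), uses in by_src_profile.items():
        if len(uses) > 1:
            findings.extend(f"{name}: shares source {src} and profile {profile} but lacks 'shared'"
                            for name, shared in uses if not shared)
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports four findings; applying the fixes the replies describe (add `shared` to Tunnel0, change AS 90 to 123, add `network 192.168.2.0`, drop the shortcut) brings it to an empty list.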
07-28-2019 08:46 PM
Hi rclairdg,
Thanks so much for pointing out those troubleshooting steps.
After I restarted the Hub router, I can now ping the first tunnel (192.68.1.1) and private addresses behind it (1.1.1.1/192.168.3.0/24), to the hub and vice versa.
However, the original issue still remains: when I shut down the main link P1/0 on the Hub (HeadQ), the DMVPN is not failing over to the second tunnel. Would this be a network design issue? I know something is definitely amiss with the DMVPN or IPsec.
Please see config below as requested:
HQ
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HeadQ(config)#do sh crypto is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
209.168.20.1 209.168.21.1 QM_IDLE 1014 ACTIVE
209.168.20.1 209.168.21.1 MM_NO_STATE 1009 ACTIVE (deleted)
199.200.50.1 209.168.21.1 QM_IDLE 1012 ACTIVE
209.168.20.1 209.168.22.1 QM_IDLE 1013 ACTIVE
209.168.20.1 209.168.22.1 MM_NO_STATE 1010 ACTIVE (deleted)
HeadQ(config)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 209.168.21.1 192.168.1.2 UP 00:00:14 D
1 209.168.22.1 192.168.1.3 UP 00:00:19 D
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 209.168.21.1 192.168.2.2 UP 00:33:33 D
++++++++++++++++++++++++++++++++++++++++++++
Branch 1
Branch1(config-if)#do sh crypto is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
199.200.50.1 209.168.21.1 QM_IDLE 1010 ACTIVE
209.168.20.1 209.168.21.1 QM_IDLE 1011 ACTIVE
IPv6 Crypto ISAKMP SA
Branch1(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 209.168.20.1 192.168.1.1 UP 00:03:36 S
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 199.200.50.1 192.168.2.1 NHRP 00:28:30 S
Please let me know if you need anything else.
Regards
07-28-2019 11:09 PM
Your diagram looked to be from GNS3, before we go too crazy, please verify that this is in a lab. If this is all lab right now, then we'll get this sorted.
Not sure if you corrected this yet, but make sure you add a network statement covering Tunnel1 under your EIGRP process for each router. Your tunnel isn't up yet, but you'll want this for your failover to work appropriately.
Based on the output of your "show dmvpn" command, the Hub is receiving the NHRP registration from your Branch1 router. This registration is learned dynamically and is showing as UP. If you notice that on your spoke router, the NHRP mapping towards your Hub is showing as NHRP instead of UP, this will give us an indication of what's happening. If you were having specific issues with IPSec, it would show as IKE. So we're clean going from the Spoke to the Hub, but we're having an issue when the Hub replies to that registration.
So let's think about this, from your Branch1, you send out your NHRP registration via the static default you've configured. It arrives into the POS interface sourcing Tunnel1 at your Hub. We're good up to this point, which we know from your "show dmvpn" output. So now, we want traffic to exit back out the POS interface sourcing Tunnel1, but it's not happening.
Your config changed several times throughout your posting, so make sure you've "no shut" all tunnels and POS interfaces. Now, at your Hub router, shutdown POS1/0, save the config on your Hub and Branch1 routers, and reboot both. You should notice something interesting, and now Tunnel1 is showing as UP for both the Hub and Branch in "show dmvpn". EIGRP will even be up if you've corrected the network statements.
If it does not come up after this, paste the current configs for both The Hub and Branch1, and we'll see where you're at.
07-30-2019 04:18 PM
Hi rclaridg,
Thanks so much again.
Yes, we are definitely running this on GNS3.
Please see config below:
++++++++++++++++++++++++++++++++++++++++++++
Head Q
HeadQ(config)#do sh run
Building configuration...
Current configuration : 3557 bytes
!
! Last configuration change at 15:48:29 UTC Tue Jul 30 2019
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HeadQ
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool pool1
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 ip sla 30 reachability
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
crypto ipsec profile cisco1
set security-association lifetime seconds 900
set transform-set strong
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip split-horizon eigrp 90
no ip split-horizon eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
ip nhrp redirect
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Tunnel1
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip split-horizon eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp shortcut
tunnel source POS6/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
ip nat inside
duplex full
!
interface POS1/0
ip address 209.168.20.1 255.255.255.252
ip nat outside
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
interface POS6/0
ip address 199.200.50.1 255.255.255.0
ip nat outside
!
!
router eigrp 123
network 1.0.0.0
network 1.1.1.0 0.0.0.255
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
!
ip nat inside source route-map NAT_01 interface POS1/0 overload
ip nat inside source route-map NAT_02 interface POS6/0 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 209.168.20.2 track 1
ip route 0.0.0.0 0.0.0.0 199.200.50.2 2
ip route 209.168.21.0 255.255.255.252 209.168.20.2
ip route 209.168.21.0 255.255.255.252 199.200.50.2
ip route 209.168.22.0 255.255.255.252 209.168.20.2
ip route 209.168.23.0 255.255.255.252 209.168.20.2
!
ip access-list standard ACL_Dnat
permit 192.168.3.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 1.1.1.0 0.0.0.255
!
ip sla 30
icmp-echo 209.168.20.2 source-interface POS1/0
threshold 1000
timeout 1000
frequency 10
ip sla schedule 30 life forever start-time now
!
route-map NAT_01 permit 10
match ip address ACL_Dnat
match interface POS1/0
!
route-map NAT_02 permit 10
match ip address ACL_Dnat
match interface POS6/0
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Branch
Branch1(config)#do sh run
Building configuration...
Current configuration : 2487 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Branch1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.20.1
ip nhrp map multicast 209.168.20.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp shortcut
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco shared
!
interface Tunnel1
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip split-horizon eigrp 123
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.2.1 199.200.50.1
ip nhrp map multicast 199.200.50.1
ip nhrp network-id 2
ip nhrp nhs 192.168.2.1
ip nhrp shortcut
tunnel source POS1/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco shared
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface POS1/0
ip address 209.168.21.1 255.255.255.252
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
!
router eigrp 123
network 4.4.4.0 0.0.0.255
network 192.168.1.0
network 192.168.2.0
network 209.168.21.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 209.168.21.2
ip route 3.3.3.0 255.255.255.0 Tunnel0
ip route 209.168.20.0 255.255.255.252 209.168.21.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end