
Issue with DMVPN with Spoke having DYNAMIC IP

manzeel
Level 1

Dear Team,

I have configured DMVPN between the HUB and a spoke, with the spoke having a dynamic IP (NAT behind a local ADSL router with a dynamic IP). I have used OSPF as the routing protocol. My DMVPN is also up, and the route is advertised in OSPF. I am able to ping the LAN IP configured on the HUB router (Cisco 2911). All traffic from the spoke is sent to the HUB. I have sent my default route from the HUB to my upstream firewall (FortiGate or Sophos) to access my core services as well as the Internet.

 

Now my main problem is:

  1. I am not able to ping or access any services from the spoke to the servers and services hosted in my upstream firewall (Sophos and FortiGate).
  2. But there is no issue with other spokes having a fixed public IP or intranet IP.
  3. I have done a trace from the branch for servers/services hosted in the firewall, for which traffic gets stuck in my HUB tunnel. The same is true for the trace report from the firewall while performing a trace.
  4. In the firewall I can see the request coming from the spoke and the response going back; moreover, the packet counts for both encap & decap increase on the spoke too.

 

However, despite all this, the branch is not able to access any services or access the Internet hosted in or behind the HUB firewall.

 

Your assistance to resolve this issue will be appreciated.

 

Thanks in advance

 


Francesco Molino
VIP Alumni

Hi

 

As soon as you have your NAT and DMVPN is fully up (NHRP, crypto and dynamic routing are up), you shouldn't have any issue. The difference between a fixed WAN IP and a dynamic WAN IP is just for building up the tunnel; after that there's nothing different.

 

Do you have all routes advertised and received for this spoke on the spoke side and hub side?

Can you share some outputs like:

- sh dmvpn

- sh ip ospf neig

- sh ip route

- traceroute

 

Please give outputs for spoke and hub and attach them in a text file you'll upload to this post.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Please find attached as requested.

Can you do on your router called host.baitedi.com a show ip route 192.168.0.10?
On your hub, can you do show ip route 192.168.120.254?
What's the ip 172.31.140.1?

Please share your outputs.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

There is no route advertised for 192.168.0.10 on the spoke, as 192.168.0.10 is on the firewall; the branch can access 0.10 by using the default route advertised from the HUB router. Moreover, 192.168.0.10 is just an example, since all traffic from the spoke is sent to the HUB, due to which internally hosted servers/services as well as access to the Internet are also from the HUB. 172.31.140.1 is the tunnel IP of the HUB and 172.31.141.74 is the tunnel IP of the spoke.

OK, you're saying that you have a default route announced by your hub? If so, that's fine, all traffic will go to your HUB.
We saw at the hub, it has the route for going back to your spoke but what about your firewall? Can you check if it knows how to go back? Can you ping your spoke when sitting behind your firewall?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

There is no ping from the firewall. Moreover, I performed a trace from the firewall to the branch, for which the trace gets stuck at the router (Hub) itself.

Hello,

 

post the full configs of your hub and spoke routers...

Hello Georg,

Please find attached file as requested.

Hello,

 

I'll lab this in GNS3...

 

In the meantime, on your spoke, try to configure your tunnel as OSPF point-to-point...

 

interface Tunnel140
description ***Wordlink L3 Tunnel**
bandwidth 3000
ip address 172.31.140.74 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication 123456
ip nhrp map 172.31.140.1 202.166.xxx.50
ip nhrp network-id 140140
ip nhrp holdtime 360
ip nhrp nhs 172.31.140.1
ip virtual-reassembly in
ip tcp adjust-mss 1360
ip policy route-map clear-df-bit
ip ospf network point-to-point
ip ospf hello-interval 5
tunnel source Vlan20
tunnel mode gre multipoint
tunnel key 140140
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN_PROFILE

Hello,

 

I might be missing something, but I cannot see the interface (Vlan 20) on the spoke router with an IP address. Where is your LAN, and what IP address space do you use for your LAN?

Hello Georg,

Vlan 20 will receive its IP from the local DHCP server, and Loopback0 with IP address 192.168.120.254 is used as the test LAN branch network.

Hello,

 

change the route on your spoke from:

 

ip route 202.166.XXX.50 255.255.255.248 10.0.1.2

 

to:

 

ip route 202.166.XXX.50 255.255.255.248 vlan20 dhcp

Hello georg,

I have changed the route on the spoke as suggested, but it is still the same. Besides, as per your suggestion for the tunnel interface, I have added "ip ospf network point-to-point". Adding point-to-point on the tunnel immediately brings down the OSPF neighbor, and the OSPF state went to "init". So I added static routes on both the spoke and the hub to reach each other through the tunnel IP, but the issue is still the same.
