cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5549
Views
0
Helpful
40
Replies

Issue with DMVPN with Spook having DYNAMIC ip

manzeel
Level 1
Level 1

Dear Team,

I have configured DMVPN between HUB and Spook with spook having Dynamic ip (Nat behind local ADSL Router with dynamic ip). I have used OSPF as routing protocol.  My DMVPN is also up, route is advertised in OSPF. I am able to ping lan IP configured in HUB Router (Cisco 2911). All traffic from spook is send to HUB. I have send my default route from HUB to My upstream Firewall (fortigate or  Sophos) to access my core services as well for Internet.

 

Now my main Problem is,

  1. I am not able to ping or access any services from Spook to the server and services hosted in my upstream firewall (Sophos and Fortigate).
  2. But there is no any issue with Other Spook having fixed public ip or Intranet ip.
  3. I have done trace from branch for server/services hosted in Firewall for which traffic get stuck in my HUB tunnel. Same is for trace report from firewall while performing trace.
  4. In firewall I can see request coming from spook and response is getting back moreover there is packet number both for incap & decap get increased too in spook.

 

However despite all thing branch is not able to access any services or access internet hosted in or behind HUB firewall.

 

Your assistance to resolve this issue will be appreciated.

 

Thanks in advance

 

40 Replies 40

Hello,

 

odd. Can you post the configuration of a spoke with a static IP address, that is, a working spoke ?

Hello Georg,

Please find attached config as requested.

Hi

Is your spoke up?
What is the route-map clear-df-bit?

If your ospf is up on this non working spoke, can you run a debug ospf and bring the ospf peeing down and up?
Then please attach to a text file your debug.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Georg,

Yes spook is up,
route-map clear-df-bit is used to clear ip fragmentation using acl. Attached here is debug file 

Hello,

 

your tunnel source (Vlan20) is a private address which is then (I assume) NATted by the ADSL router ? 

What if you annouce the 10.x.x.x network in OSPF ?

 

network 10.0.0.0 0.0.0.255 area 0

Hello,

tunnel Source vlan 20 is nat by adsl router. as suggested i advertise 10.0.0.0 0.0.0.255 in ospf at spook router.

Hello,

 

is it possible to put the ADSL router in bridge mode, making your Vlan 20 interface the outside interface receiving a public address ?

Hello Georg,

I have used USB internet dongle in this remote branch due to which i am not sure i can able to bridge . 

Nat shouldn't be an issue.

Can you send actual configs from hub and your non working spoke please? I'll lab it and come back quick to you

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Please find attached config as requested.

Can you remove from spoke the following command in ospf:
timers throttle spf 5 10000 80000

Don't know why you had such high value? didn't noticed it before.
I've tested quickly in lab and when I use something less agressive like timers throttle spf 5 10 60, I can reach what ever I want on hub side. You can remove it from the spoke to test as well. If you don't have lot of events such as link flapping, you can disable it. In my lab I tested without this config and with the config I gave on the spoke, didn't touch the hub.
I'm sorry I had few minutes to test your real config today (crazy week before vacations :-) )

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

i have change the time throttle value as you mentioned to 5 10 60 and also completely removed from both HUB and Spook but still the same. not able to reach Network Behind the hub device.

Ok now that's weird.

Can you shutdown the tunnel interface on some router, clear nat from upstream devices (if can't, reload that device or at least wait few minutes and no shut the tunnel interface).

 

Once everything is up, share following outputs:

- sh dmvpn

- sh ip ospf neigh 

- sh ip opsf int tu140

- sh ip route

- sh ip protocols

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello  Francesco, Sorry for late reply,

Please find attached as requested.

Hello ,

Remaining attached,

Review Cisco Networking for a $25 gift card