cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5291
Views
0
Helpful
40
Replies

Issue with DMVPN with Spook having DYNAMIC ip

manzeel
Level 1
Level 1

Dear Team,

I have configured DMVPN between HUB and Spook with spook having Dynamic ip (Nat behind local ADSL Router with dynamic ip). I have used OSPF as routing protocol.  My DMVPN is also up, route is advertised in OSPF. I am able to ping lan IP configured in HUB Router (Cisco 2911). All traffic from spook is send to HUB. I have send my default route from HUB to My upstream Firewall (fortigate or  Sophos) to access my core services as well for Internet.

 

Now my main Problem is,

  1. I am not able to ping or access any services from Spook to the server and services hosted in my upstream firewall (Sophos and Fortigate).
  2. But there is no any issue with Other Spook having fixed public ip or Intranet ip.
  3. I have done trace from branch for server/services hosted in Firewall for which traffic get stuck in my HUB tunnel. Same is for trace report from firewall while performing trace.
  4. In firewall I can see request coming from spook and response is getting back moreover there is packet number both for incap & decap get increased too in spook.

 

However despite all thing branch is not able to access any services or access internet hosted in or behind HUB firewall.

 

Your assistance to resolve this issue will be appreciated.

 

Thanks in advance

 

40 Replies 40

What networks are you trying to reach from the spoke?
Do you have routes for these networks on the spoke?
Do you have route on the spoke for 172.28.1.0?
Can you ping from the spoke "ping 172.28.1.1 source 192.168.120.254"

Hello Alekseev,

1.I have advertise default route from Spook towards hub and need to reach services/server hosted in my upstream firewall and also need to access internet from Hub only by Spook. 

2. Spook is able to ping to all the local interface ip hosted in HUB router but not able to ping or access behind the service of HUB and Hub has also default router towards upstream firewall (172.28.1.2.

3. I am able to ping interface ip (172.28.1.1) that of HUB as well as upstream firewall interface ip(172.28.1.2) from all other branch with static ip but i am not able to ping upstream firewall ip from spook with dynamic ip through DMVPN.

 

Show the outputs from the spoke
ping 172.28.1.1 source 192.168.120.254
ping 172.28.1.2 source 192.168.120.254

Hello ,

Please find attached as requested 

So check your firewall (172.28.1.2)
Does it have route for 192.168.120.254?

There is route from firewall to 192.168.120.0/24 network to. Beside when i performed trace to servers hosted in my upstream firewall, Traffic get stuck in HUB only . Same is goes from firewall while performing trace to 192.168.120.0/24 which get stuck in HUB only. But route is advertise at HUB for spook lan network and able to ping to spook only from HUB local interface ip.

let's check

on the HUB
interface GigabitEthernet0/2
ip flow ingress
ip flow egress

on the SPOKE
ping 172.28.1.2 source 192.168.120.254 repeat 1000

and on the HUB (when the spoke is pinging)
sh ip cache flow | i 172.28.1.2

Hello Alekseev,

i added the config in my interface at Hub & please find attached output as suggested 

on the SPOKE
interface Tun140
ip flow ingress
ip flow egress

open another telnet/ssh session to the SPOKE and run
ping 172.28.1.2 source 192.168.120.254 repeat 1000

and on the SPOKE (when the spoke is pinging)
sh ip cache flow | i 172.28.1.2

Hello ,

please find attached output as suggested

show all the information about this crypto map on the HUB
> crypto map mfl-map(for IPsec VPN for other branch)

or if it possible, try to remove it for a while and check the pings
SPOKE#ping 172.28.1.2 source 192.168.120.254 repeat 1000
Review Cisco Networking for a $25 gift card