06-28-2018 08:25 PM - edited 03-05-2019 10:41 AM
Dear Team,
I have configured DMVPN between the HUB and a spoke, with the spoke having a dynamic IP (NATed behind a local ADSL router with a dynamic IP). I have used OSPF as the routing protocol. My DMVPN is also up, and the route is advertised in OSPF. I am able to ping the LAN IP configured on the HUB router (Cisco 2911). All traffic from the spoke is sent to the HUB. I have sent my default route from the HUB to my upstream firewall (FortiGate or Sophos) to access my core services as well as for Internet.
Now my main problem is:
However, despite all of this, the branch is not able to access any services or access the Internet hosted in or behind the HUB firewall.
Your assistance to resolve this issue will be appreciated.
Thanks in advance
06-28-2018 08:43 PM
Hi
As soon as you have your NAT and DMVPN is fully up (NHRP, crypto and dynamic routing are up), you shouldn't have any issue. The difference between a fixed WAN IP and a dynamic WAN IP is just for building up the tunnel, but after that there's nothing different.
Do you have all routes advertised and received for this spoke on the spoke side and hub side?
Can you share some outputs like:
- sh dmvpn
- sh ip ospf neig
- sh ip route
- traceroute
Please give outputs for the spoke and hub and attach them in a text file that you'll upload to this post.
06-28-2018 09:00 PM
06-28-2018 09:00 PM
06-28-2018 09:09 PM
06-28-2018 10:00 PM
Hello Francesco,
There is no route advertised for 192.168.0.10 on the spoke, as 192.168.0.10 is on the firewall; the branch can access 0.10 by using the default route advertised from the HUB router. Moreover, 192.168.0.10 is just an example, since all traffic from the spoke is sent to the HUB, due to which internally hosted servers/services as well as access to the Internet are also from the HUB. 172.31.140.1 is the tunnel IP of the HUB and 172.31.141.74 is the tunnel IP of the spoke.
06-30-2018 09:52 AM
06-30-2018 09:47 PM
Hello Francesco,
There is no ping from the firewall. Moreover, I performed a trace from the firewall to the branch, for which the trace gets stuck at the router (Hub) itself.
07-01-2018 01:10 AM
Hello,
post the full configs of your hub and spoke routers...
07-01-2018 02:04 AM
07-01-2018 04:25 AM
Hello,
I'll lab this in GNS3...
In the meantime, on your spoke, try to configure your tunnel as OSPF point-to-point...
interface Tunnel140
 description ***Wordlink L3 Tunnel**
 bandwidth 3000
 ip address 172.31.140.74 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 123456
 ip nhrp map 172.31.140.1 202.166.xxx.50
 ip nhrp network-id 140140
 ip nhrp holdtime 360
 ip nhrp nhs 172.31.140.1
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 ip policy route-map clear-df-bit
 ip ospf network point-to-point
 ip ospf hello-interval 5
 tunnel source Vlan20
 tunnel mode gre multipoint
 tunnel key 140140
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN_PROFILE
07-01-2018 06:33 AM
Hello,
I might be missing something, but I cannot see interface (Vlan 20) on the spoke router with an IP address. Where is your LAN, and what IP address space do you use for your LAN?
07-01-2018 09:55 AM
Hello Georg,
Vlan 20 will receive an IP from the local DHCP server, and Loopback0 with IP address 192.168.120.254 is used as the test LAN branch network.
07-01-2018 02:28 PM
Hello,
Change the route on your spoke from:
ip route 202.166.XXX.50 255.255.255.248 10.0.1.2
to:
ip route 202.166.XXX.50 255.255.255.248 vlan20 dhcp
07-01-2018 08:38 PM
Hello Georg,
I have changed the route on the spoke as suggested, but it is still the same. Besides, as per your suggestion for the tunnel interface, I have added "ip ospf network point-to-point". Adding point-to-point on the tunnel immediately brings down the OSPF neighbor, and the OSPF state went to "init". So I added static routes both on the spoke and on the Hub to reach each other through the tunnel IP, but the issue is still the same.