04-12-2010 03:56 AM - edited 03-04-2019 08:07 AM
I'm configuring a point to multipoint which is the following:
interface Tunnel1
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1440
ip hold-time eigrp 90 120
ip nhrp authentication <key>
ip nhrp map multicast <public ip>
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
end
And I'm getting the following error:
*Mar 1 01:40:47.695: NHRP: Setting retrans delay to 64 for nhs dst 10.0.0.1
*Mar 1 01:40:47.695: NHRP: Attempting to send packet via DEST 10.0.0.1
*Mar 1 01:40:47.699: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 83
*Mar 1 01:40:47.699: src: 10.0.0.2, dst: 10.0.0.1
*Mar 1 01:40:47.699: NHRP: Encapsulation failed for destination 10.0.0.1 out Tunnel1
*Mar 1 01:41:37.751: NHRP: Setting retrans delay to 64 for nhs dst 10.0.0.1
*Mar 1 01:41:37.755: NHRP: Attempting to send packet via DEST 10.0.0.1
*Mar 1 01:41:37.755: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 83
*Mar 1 01:41:37.755: src: 10.0.0.2, dst: 10.0.0.1
*Mar 1 01:41:37.759: NHRP: Encapsulation failed for destination 10.0.0.1 out Tunnel1
04-12-2010 04:29 AM
Hi,
Are you setting up a DMVPN?
Do you have IP connectivity between the two routers?
An NHRP encapsulation failure is most likely an L2 issue.
Can you PING 10.0.0.1 sourcing the PING from the tunnel interface 10.0.0.2?
Please elaborate a bit on your setup.
Federico.
04-12-2010 04:57 AM
Federico,
I got the problem when I try to ping the other side 10.0.0.2.
Here is the server side configuration:
interface Tunnel1
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1440
ip hold-time eigrp 90 120
ip nhrp authentication
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
04-12-2010 05:17 AM
Seems like you're missing this command on the spoke side:
ip nhrp map
Take a look at this link:
Also, you don't have any IPsec profile associated with the tunnel interfaces. Is this not a DMVPN scenario?
Federico.
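The two points raised in the reply above (a spoke needs a static NHRP map for its NHS, and the tunnel has no IPsec profile) can be checked mechanically. This is an added example, not part of the original thread; `audit_spoke_tunnel` is a hypothetical helper, and `192.0.2.1`, `EXAMPLEKEY` and `EXAMPLE-PROFILE` are constructed placeholders for values the thread does not show.

```python
import re

# Constructed spoke configs; 192.0.2.1 is a documentation address standing in
# for the hub's public (NBMA) address, which the thread does not show.
SPOKE_BROKEN = """\
interface Tunnel1
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication EXAMPLEKEY
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
"""
SPOKE_FIXED = SPOKE_BROKEN.replace(
    " ip nhrp map multicast",
    " ip nhrp map 10.0.0.1 192.0.2.1\n ip nhrp map multicast",
) + " tunnel protection ipsec profile EXAMPLE-PROFILE\n"

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def audit_spoke_tunnel(config):
    """Return a list of findings for one mGRE spoke tunnel interface."""
    lines = [l.strip() for l in config.splitlines()]
    nhs = {m.group(1) for l in lines if (m := re.fullmatch(rf"ip nhrp nhs {IP}", l))}
    static = {m.group(1): m.group(2) for l in lines
              if (m := re.fullmatch(rf"ip nhrp map {IP} {IP}", l))}
    mcast = {m.group(1) for l in lines
             if (m := re.fullmatch(rf"ip nhrp map multicast {IP}", l))}
    findings = []
    for server in sorted(nhs):  # each NHS must resolve to an NBMA address
        if server not in static:
            findings.append(f"NHS {server} has no static 'ip nhrp map' to an NBMA address")
    for nbma in sorted(mcast - set(static.values())):  # heuristic consistency check
        findings.append(f"multicast mapped to {nbma}, which no static NHRP map uses")
    if not any(l.startswith("tunnel protection ipsec profile ") for l in lines):
        findings.append("no 'tunnel protection ipsec profile': GRE/NHRP traffic is unencrypted")
    if not any(re.fullmatch(r"ip nhrp authentication \S+", l) for l in lines):
        findings.append("no NHRP authentication string configured")
    return findings
```

Running `audit_spoke_tunnel(SPOKE_BROKEN)` reports the missing NHS mapping that matches the "Encapsulation failed" symptom, plus the absent IPsec profile; `SPOKE_FIXED` returns no findings.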
04-12-2010 06:16 AM
Yes it's with IPSec, and I removed the profile to test the tunnel before.
Right now I have no problem with the encapsulation. And I still cannot ping; here is the configuration of both sides of the tunnel:
HUB:
interface Tunnel1
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1440
ip hold-time eigrp 90 120
ip nhrp authentication
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
end
Spoke:
interface Tunnel1
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1440
ip hold-time eigrp 90 120
ip nhrp authentication
ip nhrp map 10.0.0.1
ip nhrp map multicast
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
end
04-12-2010 06:20 AM
NHRP is working fine now?
If the answer is yes, then most likely there are no L2 issues.
What about L3? (you cannot PING)
Are you pinging 10.0.0.1 from 10.0.0.2 (I mean making sure the source of the PING packet goes from 10.0.0.2)?
Please attach the output of the sh interface t1 on both units.
Federico.
04-12-2010 06:33 AM
I have the following output of the command debug nhrp packet (on the spoke):
*Mar 1 00:43:01.735: NHRP: No node found.
*Mar 1 00:43:01.739: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 1
*Mar 1 00:43:01.739: NHRP: Checking for delayed event 0.0.0.0/10.0.0.2 on list (Tunnel1).
*Mar 1 00:43:01.739: NHRP: No node found.
*Mar 1 00:43:01.747: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 1
*Mar 1 00:43:01.747: NHRP: Checking for delayed event 0.0.0.0/10.0.0.2 on list (Tunnel1).
*Mar 1 00:43:01.751: NHRP: No node found.
*Mar 1 00:43:01.751: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 1
*Mar 1 00:43:01.755: NHRP: Checking for delayed event 0.0.0.0/10.0.0.2 on list (Tunnel1).
*Mar 1 00:43:01.755: NHRP: No node found.
DMVPN-Branch#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel1 created 00:41:08, never expire
Type: static, Flags: authoritative used
NBMA address:
10.0.0.2/32, Tunnel1 created 00:01:03, expire 00:02:01
Type: incomplete, Flags: negative
Cache hits: 2
04-12-2010 07:51 AM
Do you think that NAT is doing something wrong right here?
Here is the map of our topology:
Hub router (public IP) ||---|| WAN Router ||---||-------Internet-----------||---|| NAT router ||---|| (private IP) Spoke router
Any suggestion?
04-12-2010 07:54 AM
You're not NATing the tunnel IP address are you?
What is the output of "sh interface tunnel 1"?
Do you see on the Hub an ARP entry for the spoke (through the tunnel interface)?
Federico.
04-12-2010 07:59 AM
Here is the show interface tunnel 1:
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.0.0.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source
Tunnel protocol/transport multi-GRE/IP
Key 0x0, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:01, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
482 packets input, 43244 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
471 packets output, 43860 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
The output seems to be OK. But there is no ARP entry for the spoke!!
04-12-2010 08:04 AM
As a side note you might want to change the bandwidth on the tunnel interface from the default 9 Kbit.
Is the NAT router NATing the tunnel IP of the spoke router?
Federico.
04-12-2010 09:13 AM
Hi,
Yes, the router on the spoke is doing NAT, as the router is connected as a host in an internal router. For the final solution it will not be the same case, but still behind a router that's doing NATting.
Also, both sides (hub and spoke) are doing NAT for internet traffic at the same time. And there is an exception (ACL deny for the traffic between the two sides). The hub router is in production, but the spoke is not, so there is no NAT in it for the moment.
For changing the BW, it's OK. But I think that's not causing a problem at this point. Right?
Regards,
Omar
04-12-2010 09:16 AM
The bandwidth should not be causing this problem, correct. (just to keep in mind).
The tunnel should be established between Hub & Spoke, so the tunnel's IP should not be NATed.
Do you see a translation for the IPs of the tunnel (10.0.0.1 and 10.0.0.2) on the NAT router?
You can check with the command "sh ip nat translation"
Federico.
04-12-2010 09:20 AM
No Federico,
There is no translation on the HUB router to the other side.
The ip nat outside is only on the inside and the physical outside interface.
04-12-2010 08:02 AM
On the spoke router, the show interface tunnel 1 doesn't show inputs.