09-09-2010 03:07 AM - edited 03-04-2019 09:42 AM
Hi
I have been using p2p GRE tunnels to connect remote sites to head office for some time. These have allowed us to run OSPF and Multicast. I've started to get a little fed up of having to configure new tunnel interfaces every time we add a new site - and the need for fixed IP addresses. So I've been doing some testing with DMVPN using NHRP and mGRE.
I'm having a problem with the hub sending and receiving NHRP. For troubleshooting I have taken off all the crypto stuff.
HUB
!
interface Tunnel248
 description *** DMVPN over mGRE - Cloud 1 ***
 ip address 172.16.248.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip pim query-interval 10
 ip pim sparse-dense-mode
 ip nhrp authentication secret
 ip nhrp map multicast dynamic
 ip nhrp network-id 123456
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf hello-interval 3
 ip ospf priority 254
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel vrf INTERNET
!
!
The important thing to note is that these mGRE tunnels are sourced from a VRF interface.
The spoke sites do not run any form of MPLS/VRFs and are configured:
!
interface Tunnel248
 description *** DMVPN over mGRE - Cloud 1 ***
 ip address 172.16.248.3 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip pim query-interval 10
 ip pim sparse-dense-mode
 ip nhrp authentication secret
 ip nhrp map multicast 172.16.248.254
 ip nhrp map 172.16.248.254 192.0.2.1
 ip nhrp network-id 123456
 ip nhrp nhs 172.16.248.254
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf hello-interval 3
 ip ospf priority 0
 qos pre-classify
 tunnel source Dialer1
 tunnel destination 192.0.2.1
 tunnel path-mtu-discovery
!
The spoke sites can ping the hub tunnel address of 172.16.248.254 and a show of the nhrp shows a static entry for the hub. The problem is the hub site cannot ping any of the hosts and there are no dynamic nhrp entries. I have tried to debug nhrp and get the following encapsulation errors:
Sep 9 2010 10:54:51.957 BST: NHRP: Encapsulation failed for destination 172.16.248.3 out Tunnel248
I had problems with IKE when setting up the p2p GRE not being sourced from the VRF interface and I had to change my crypto config to allow for this. I suspect I am having a similar problem here and the nhrp packets are being encapsulated from the global not the VRF.
I have read a lot of documentation of this working with the tunnel interface in a VRF being sourced from a global IP interface. I cannot find any documentation of this working from a VRF interface.
Does anyone know if there is a way to tell nhrp which VRF to source the packets from?
09-13-2010 02:55 AM
I managed to fix this, contrary to the documentation stating:
Cisco IOS Software Releases 12.3(13)T, 12.3(11)T3, or later allow multiple mGRE interfaces on a single router to be configured without tunnel keys. Each mGRE interface must reference a unique IP address as its tunnel source.
I added the tunnel key command and the tunnels came up.
09-16-2010 11:27 AM
If Tunnel248 is the only tunnel on the router then you shouldn't need to configure a tunnel key. But if there are any other tunnels (point-point or multipoint) that are using the same tunnel source then you are going to have to use a tunnel key.
I have set this up (mGRE with tunnel key and tunnel in VRF 'tunnel vrf ...') in my lab a number of times so that I know it will work. There were a couple of IOS codes from about 2-3 years ago where there was a bug in NHRP with VRFs but that was all fixed.
Note, there is nothing wrong with using a tunnel key.
Mike.
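Added example, not part of the thread and not Cisco code: a small config audit for the condition described in the last reply, several tunnels using the same tunnel source without keys that tell them apart. The Tunnel10 interface and its destination address are hypothetical, and the check assumes "no key" counts as one value, so it flags a shared source only when two tunnels have the same key or both have none.

```python
import re
from collections import defaultdict

# Constructed sample: Tunnel248 as posted above (trimmed), plus a hypothetical
# point-to-point tunnel (Tunnel10) that uses the same source interface.
SAMPLE_CONFIG = """\
interface Tunnel10
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.7
 tunnel vrf INTERNET
!
interface Tunnel248
 ip address 172.16.248.254 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET
!
"""

def parse_tunnels(config):
    """Return {name: {'source': ..., 'key': ...}} for every Tunnel interface."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = tunnels.setdefault(m.group(1), {"source": None, "key": None})
        elif not line.startswith(" "):
            current = None  # "!" or another top-level line ends the block
        elif current is not None:
            m = re.match(r"\s+tunnel (source|key) (\S+)", line)
            if m:
                current[m.group(1)] = m.group(2)
    return tunnels

def key_conflicts(config):
    """List (source, [tunnels]) where tunnels sharing a source, compared as
    written in the config, do not all have distinct keys (None = no key)."""
    by_source = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["source"]:
            by_source[t["source"]].append((name, t["key"]))
    problems = []
    for source, members in sorted(by_source.items()):
        keys = [k for _, k in members]
        if len(set(keys)) != len(keys):
            problems.append((source, sorted(n for n, _ in members)))
    return problems

if __name__ == "__main__":
    print(key_conflicts(SAMPLE_CONFIG))
```

The source is compared as the literal string after `tunnel source`, so an interface name and its IP address on two different tunnels are not recognised as the same source.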