Unable to ping internal subnet ip addresses from spoke. Crypto ISAKMP & EIGRP tunnel formed

Faisal syed · ‎01-17-2013

We are in the process of implementing DMVPN hub and spoke solution.

We have configured a hub and are now trying to connect a remote spoke between client’s remote locations. The client has a Verizon router in front of the spoke. Somehow I am not able to ping the hub's internal network. I am able to ping hub's internal interface. EIGRP neighbor adjacency between hub and spoke is there. I checked Crypto ISAKMP is there. I can see all the internal routes of the hub on the spoke. On the other hand, when I connected the spoke from my home network to the hub, just for testing purposes, everything is working fine. When I took the spoke to the remote location and plugged it in front of the Verison DSL modem and router, I don't know why I am not able to ping internal network. I suspect that Verison has blocked VPN ports. Any ideas?

Thanks,

Fsl

shamax_1983 · ‎01-17-2013

Hi Faizal,

Are you NAT'ing on the ADSL routers for VPN ports for the DMVPN Spokes? Or do you have a routed public IP configured on the DMVPN spoke?

Shamal

Sent from Cisco Technical Support iPhone App

Faisal syed · ‎01-18-2013

No I am getting spoke external interface ip from verison modem+router . Which is 192.168.1.X. I put this ip address to the DMZ zone that won't fix the problem either.

paul driver · ‎01-18-2013

Hello Fasal,

can you post your config - especially your crypto stuff.

Are you using crypto maps or VTI ( tunnel protection)
Can you test if you have connection when you take off the ipsec config so basically then your not encrypting the traffic

( require both sides )

if crypto maps is the network to be encrypted specified?

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul