
dmvpn tunnel issue

joe.fodor
Level 1

I am running a hub-and-spoke DMVPN network. I have two tunnels; both are up. Only one is passing DMVPN packets. Tun1 is in an NHRP state. I know the configuration is correct. Here is a show crypto ipsec sa on the hub and spoke routers. Any help is appreciated.

 

Hub:   

PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 115, #pkts decrypt: 115, #pkts verify: 115
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 

Spoke:

  PERMIT, flags={origin_is_acl,}
    #pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 


4 Replies

ghostinthenet
Level 7

It sounds to me like the spoke isn't correctly registering NHRP with the hub. The spoke is obviously getting traffic to the hub, which is to be expected in a DMVPN Φ1 environment, but without NHRP registration on the hub, nothing is going to get back... hence the lack of encapsulation.

Do you get correct entries when you do a "show dmvpn" and a "show ip nhrp" on the hub?

My issue was a bug that was only reported 4 times. Here are the bug notes:

 

Symptom:
On the hub "show dmvpn output" shows the DMVPN tunnel to be up but on the spoke it is still in the NHRP state. There are encrypts on the spoke, decrypts on the hub but no encrypts on the hub.

Conditions:
This issue can happen with any IPSEC/GRE deployment (which includes DMVPN).

Workaround:
Reloading the hub will clear all the rulesets, allowing new ones to form. If left alone the problem will correct itself on its own after a few days.

 

 

Except my problem has been ongoing for a few weeks. Resetting the router was the only way.
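
The counter pattern in the symptom above (encrypts on the spoke, decrypts on the hub, no encrypts on the hub) can be checked mechanically from two `show crypto ipsec sa` captures. This is an added example, not part of the original thread; the function names are hypothetical, and the sample text is the hub and spoke output posted at the top of the thread, shortened.

```python
import re

# Counter names as they appear in the "show crypto ipsec sa" excerpts in this thread.
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")

# Hub and spoke excerpts copied from the first post (compression lines omitted).
HUB_SA = """PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 115, #pkts decrypt: 115, #pkts verify: 115
    #send errors 0, #recv errors 0
"""
SPOKE_SA = """PERMIT, flags={origin_is_acl,}
    #pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

def parse_counters(text):
    """Sum the encaps/encrypt/decaps/decrypt counters over every SA in the text."""
    totals = dict.fromkeys(("encaps", "encrypt", "decaps", "decrypt"), 0)
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals

def direction_state(sent, received):
    """'idle' if the sender encrypted nothing, 'ok' if the peer decrypted, else 'lost'."""
    if sent == 0:
        return "idle"
    return "ok" if received > 0 else "lost"

def diagnose(hub_text, spoke_text):
    """Compare both directions and flag the one-way pattern from the bug notes."""
    hub, spoke = parse_counters(hub_text), parse_counters(spoke_text)
    result = {
        "spoke_to_hub": direction_state(spoke["encrypt"], hub["decrypt"]),
        "hub_to_spoke": direction_state(hub["encrypt"], spoke["decrypt"]),
    }
    # Symptom: spoke encrypts, hub decrypts, hub never encrypts anything back.
    result["matches_symptom"] = (
        result["spoke_to_hub"] == "ok" and result["hub_to_spoke"] == "idle"
    )
    return result

if __name__ == "__main__":
    print(diagnose(HUB_SA, SPOKE_SA))
```

The counters are cumulative per SA, so the two captures should be taken close together; a match only says the output fits the symptom, not that the bug is the cause.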

CSCul13232 looks to be affecting IOS 15.2(4)M5 and above, though it only appears in the release notes for 15.4M and T.

What model of routers are you using for hub and spokes and what IOS versions are in play?

If there's no reason to be on 15.2+, downgrading to 15.1(4)M8 on the hub may be a worthwhile option.

I have been fighting with this issue for the last couple of months on all of our spoke routers with 3945. The issue is bringing down the tunnel and puts it into Tunnel Down retry limit exceeded state.

 

UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is down: retry limit exceeded
246664: Mar 30 13:40:02.494 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is up: new adjacency
246666: Mar 30 13:41:22.006 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is down: retry limit exceeded
246667: Mar 30 13:41:23.702 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is up: new adjacency
246668: Mar 30 13:42:43.214 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is down: retry limit exceeded
246669: Mar 30 13:42:43.274 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is up: new adjacency
246670: Mar 30 13:44:02.786 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is down: retry limit exceeded
246671: Mar 30 13:44:06.918 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is up: new adjacency
246674: Mar 30 13:45:26.466 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is down: retry limit exceeded
246675: Mar 30 13:45:28.790 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is up: new adjacency
246679: Mar 30 13:46:48.302 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is down: retry limit exceeded
246680: Mar 30 13:46:48.786 UTC: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.200.5.1 (Tunnel0) is up: new adjacency

 

 

When I issued the command sh dmvpn 

 

It shows me the tunnel state as "NHRP". During this issue, I cannot ping the Hub tunnel IP from the source tunnel interface. When I do debug IP ICMP, I don't even see the packets leaving the router for ping.

 

I am running the 3945 routers with 15.2(4)M5 release.

 
