Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2015
Views
15
Helpful
5
Replies

Unable to ping other side of DMVPN Tunnel

CiscoPurpleBelt
Level 6
Level 6

‎12-18-2017 08:13 AM - edited ‎03-08-2019 01:09 PM

I am doing a lab and the Tunnel is UP/UP, however I can't ping the other end of the tunnel. Here are my configs.

 

Hub Rt:

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

------------------------------------

Spoke Rt.

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

 

 

 

 

 

 

 

Labels:
0 Helpful
5 Replies 5

Georg Pauwen
VIP
VIP

‎12-18-2017 11:49 AM

Hello,

 

the partial configs look ok. Do you have static routes in place, and EIGRP advertising the tunnels and any possible local networks ?

 

Hub Rt:

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

!

interface FastEthernet0/0
ip address 209.168.202.225 255.255.255.0

!

interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.0

!

router eigrp 90
network 1.1.1.0 0.0.0.255
network 192.168.1.0
no auto-summary

!

ip route 0.0.0.0 0.0.0.0 209.168.202.226

------------------------------------

Spoke Rt.

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

!

interface FastEthernet0/0
ip address 209.168.202.226 255.255.255.0

!

interface FastEthernet0/1
ip address 2.2.2.1 255.255.255.0

!

router eigrp 90
network 2.2.2.0 0.0.0.255
network 192.168.1.0
no auto-summary

!

ip route 0.0.0.0 0.0.0.0 209.168.202.225

CiscoPurpleBelt
Level 6
Level 6
In response to Georg Pauwen

‎12-18-2017 12:31 PM

I re-did everything over pretty much exactly the same but I believe I was pointing to the wrong physically interface at first so everything works now. Yes I am using EIGRP.
On another related note, I am seeing very different configurations for configuring other spoke routers to be added to a DMVPN network. If I want to add another spoke router to this hub DMVPN router, do I create an additional tunnel the same as I did on this hub and spoke routers? Any information would be helpful.
0 Helpful

Georg Pauwen
VIP
VIP
In response to CiscoPurpleBelt

‎12-18-2017 01:14 PM

Hello,

 

yes, basically any new spoke would have a similar config except for (obviously) the IP addresses. Keep in mind there are three different DMVPN phases, that might explain why you see different configurations...

 

CSCO11822978
Level 1
Level 1
In response to Georg Pauwen

‎12-18-2017 09:58 PM

Hello!

Without IPSEC profile on Tunnel interface, ping succesful? 

 

CiscoPurpleBelt
Level 6
Level 6
In response to CSCO11822978

‎12-28-2017 06:57 AM

no I still can't. What else do you think I should check?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card