Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1391
Views
10
Helpful
6
Replies

DMVPN and NHRP

Go to solution
yavor.fournadjiev
Level 1
Level 1

‎04-13-2016 01:48 PM - edited ‎02-21-2020 08:46 PM

Hi friends,

I would like to ask about your opinions.

Looking at a NHRP Traffic Indication packet in the NHRP Authentication Extension section -> Extension Data sub section I can see there is a Source Address field and as a value there is always 99.105.115.99.

Please, see the attached screenshot.

Could anybody give any idea what this source address is and why there is always one and the same value and what this value means.

Thanks!

Best regards,

Yavor

Labels:
Preview file
210 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to yavor.fournadjiev

‎04-13-2016 03:37 PM

Ahh :) Well good job resolving your own problem! Also, thank you for taking the time to come back and post the solution here. (+5 from me). 

Now, since your issue is resolved, you should mark the thread as "answered" ;)

View solution in original post

0 Helpful
6 Replies 6

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎04-13-2016 02:12 PM

Do you have a diagram that shows your DMVPN setup? Could that IP be the headend's overlay IP? :)

Thank you for rating helpful posts!

0 Helpful

Go to solution
yavor.fournadjiev
Level 1
Level 1
In response to nspasov

‎04-13-2016 02:29 PM

Hi Neno,

Thank you for your reply!

I've configured the DMVPN in my lab environmrnt.

Please, find the diagram as an attached file.

The DMVPN works between R1, R2, R3 and R4. R1 is the NHS.

This address is not owned by any of the devices at all. That was why I was surprised by it.

With my best regards,

Yavor

Preview file
98 KB
0 Helpful

Go to solution
yavor.fournadjiev
Level 1
Level 1
In response to yavor.fournadjiev

‎04-13-2016 03:17 PM

I've just found the answer :-)

It was a kind of misinterpretation done by Wireshark.

When looked at the hex pane I found that the hex value of that IP was "63 69 73 63".

After decoding the hex to text it became clear that it was a part of the string "63 69 73 63 6f" misinterpreted by Wireshark as an IP address. That was why it was one and the same in every packet.

63 69 73 63 6f -> cisco :-)

Please, see the attached files.

Best regards,

Yavor

Preview file
188 KB
Preview file
21 KB

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to yavor.fournadjiev

‎04-13-2016 03:37 PM

Ahh :) Well good job resolving your own problem! Also, thank you for taking the time to come back and post the solution here. (+5 from me). 

Now, since your issue is resolved, you should mark the thread as "answered" ;)

0 Helpful

Go to solution
yavor.fournadjiev
Level 1
Level 1
In response to nspasov

‎04-13-2016 03:49 PM

Neno,

Thank you for your prompt answers and readiness to help as well as for the 5s!

During the examination of the packets it was really weird to see such an unknown IP address in my flows :-)

That's why I asked the friends here.

Thanks once again!

Best regards,

Yavor

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to yavor.fournadjiev

‎04-13-2016 04:21 PM

No problem and it is a good thing that you are paying attention to such scenarios. You never know where an attack might be coming from :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents