DMVPN: requires clear crypto sa

martinbuffleo · ‎09-03-2013

My DMVPN worked fine yesterday. However the DMVPN didn't come in. I left it for 20 with no joy.

Once I did a clear crypto sa on the spoke the tunnel came up.

This seems like I'm missing something in my config.

Can someone advise?

Marcin Latosiewicz · ‎09-03-2013

Oh ... well DPDs? Just wild speculation without config ;-)

martinbuffleo · ‎09-03-2013

Sorry my Spokes tunnel config is:

interface Tunnel0

description HO-VPN

bandwidth 100

ip address 10.x.250.6 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication password

ip nhrp map multicast dynamic

ip nhrp map multicast publicIP

ip nhrp map 10.x.250.1 publicIP

ip nhrp network-id aNumber

ip nhrp holdtime 360

ip nhrp nhs 10.x.250.1

zone-member security Zone-TunnelToHO

ip ospf network broadcast

tunnel source FastEthernet4

tunnel mode gre multipoint

tunnel key aNumber

tunnel protection ipsec profile protect-gre

Marcin Latosiewicz · ‎09-03-2013

I think it's going to be something in crypto config, either invalid SPI recovery (alhough it's not strictly speaking required) or DPD missing (considering what you described and how you recovered).