FlexVPN Spoke to Spoke , NHRP Redirect not working

poldi1978
Level 1

I have a working FlexVPN hub-and-spoke setup and want to add the spoke-to-spoke feature.

Sadly the hub doesn't seem to redirect traffic, i.e. NHRP is not working correctly. I suspect "NHRP: Rejecting addr type 0" from the debug tells me why this is not working, but I can't find any further information about this debug message.

When I initiate traffic from one spoke to a subnet behind another spoke (in the example to 192.168.100.0/24) there is not even an attempt to initiate a crypto session between the spokes. All spokes are configured the same.

NHRP debug output during tunnel setup (hub site):

1544366: Oct 14 12:58:55.790 CEST: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
1544367: Oct 14 12:58:56.880 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
1544368: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'Uninitialized tunnel mode' to 'GRE over point to point IPV4 tunnel mode'
1544369: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: NHRP not enabled
1544370: Oct 14 12:58:56.882 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'GRE over point to point IPV4 tunnel mode' to 'Encapsulating Security Protocol (ESP) over point 2 point IPv4 used by the ipsec client'
1544371: Oct 14 12:58:56.882 CEST: NHRP: Virtual-Access3: NHRP not enabled
1544372: Oct 14 12:58:56.889 CEST: NHRP: Rejecting addr type 0
1544373: Oct 14 12:58:56.889 CEST: NHRP: Adding all static maps to cache
1544374: Oct 14 12:58:56.889 CEST: NHRP: NHRP Redirect Feature PI-code Initialized
1544375: Oct 14 12:58:56.889 CEST: NHRP: Redirect Feature Initialized - Attempting Platform Init
1544376: Oct 14 12:58:56.890 CEST: NHRP: Rejecting addr type 0
1544377: Oct 14 12:58:56.890 CEST: NHRP: Rejecting addr type 0
1544378: Oct 14 12:58:56.896 CEST: %IKEV2-5-SA_UP: SA UP
1544379: Oct 14 12:58:56.896 CEST: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP.  Peer <SPOKE-PUBLIC-IP>:500 f_vrf:  <HUB-EXTERNAL-VRF> i_vrf:  <HUB-EXTERNAL-VRF>   Id: <SPOKE-FQDN>
1544380: Oct 14 12:58:56.904 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
1544381: Oct 14 12:58:56.905 CEST: NHRP: if_up: Virtual-Access3 proto 'NHRP_IPv4'
1544382: Oct 14 12:58:56.906 CEST: NHRP: Rejecting addr type 0
1544383: Oct 14 12:58:56.906 CEST: NHRP: Adding all static maps to cache
1544384: Oct 14 12:58:56.906 CEST: NHRP: Unable to send Registration - no NHSes configured
1544385: Oct 14 12:58:57.905 CEST: NHRP: Unable to send Registration - no NHSes configured

NHRP debug output during tunnel setup (client site):

.Oct 14 12:58:55.827: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXCLIENT) Client_public_addr = <SPOKE-PUBLIC-IP> Server_public_addr = <HUB-PUBLIC-IP>
.Oct 14 12:58:57.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
.Oct 14 12:58:57.071: NHRP: if_up: Tunnel0 proto 'NHRP_IPv4'
.Oct 14 12:58:57.071: NHRP: Rejecting addr type 0
.Oct 14 12:58:57.071: NHRP: Adding all static maps to cache
.Oct 14 12:58:57.071: NHRP: Unable to send Registration - no NHSes configured
.Oct 14 12:58:57.079: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXCLIENT) Client_public_addr = <SPOKE-PUBLIC-IP> Server_public_addr = <HUB-PUBLIC-IP> Assigned_Tunnel_v4_addr = 10.255.176.15
.Oct 14 12:58:58.071: NHRP: Unable to send Registration - no NHSes configured

Relevant hub config:

crypto ikev2 profile EXTERN-IKEV2-PROFILE
 match fvrf <HUB-EXTERNAL-VRF>
 match identity remote fqdn domain <CUSTOMER-DOMAIN>
 identity local fqdn <HUB-FQDN>
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
 dpd 10 2 periodic
 aaa authorization group cert list RADIUS-AUTHORISATION name-mangler GET-FULL-HOST
 virtual-template 10

crypto ipsec profile FLEXVPN-EXT-IPSEC-PROF
 set ikev2-profile EXTERN-IKEV2-PROFILE

sho derived-config interface virtual-access 3

interface Virtual-Access3
 description Tunnel Template fuer VRF <HUB-EXTERNAL-VRF>
 vrf forwarding <HUB-INTERNAL-VRF>
 ip address 10.255.176.14 255.255.255.254
 ip nhrp network-id 5
 ip nhrp redirect
 tunnel source <HUB-PUBLIC-IP>
 tunnel mode ipsec ipv4
 tunnel destination <SPOKE-PUBLIC-IP>
 tunnel path-mtu-discovery
 tunnel vrf <HUB-EXTERNAL-VRF>
 tunnel protection ipsec profile FLEXVPN-EXT-IPSEC-PROF
 no tunnel protection ipsec initiate
end

Relevant spoke config:

interface Virtual-Template10 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE

crypto ikev2 profile FLEXCLIENT-PROFILE
 match identity remote fqdn <HUB-FQDN>
 match identity remote fqdn domain <CUSTOMER-DOMAIN>
 identity local fqdn <SPOKE-FQDN>
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
 dpd 10 2 periodic
 aaa authorization group cert list Flex FlexClient-Author
 virtual-template 10

crypto ipsec profile FLEXCLIENT-IPSEC-PROFILE
 set ikev2-profile FLEXCLIENT-PROFILE

interface Tunnel0
 description [Tunnel to FlexHub]
 ip address negotiated
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
end

Working tunnel on hub site:

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         <HUB-PUBLIC-IP>/500   <SPOKE-PUBLIC-IP>/500      <HUB-EXTERNAL-VRF>   READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/555 sec
      CE id: 18901, Session-id: 2086
      Status Description: Negotiation done
      Local spi: D13309864C08DB0E       Remote spi: 2098208B89845A8E
      Local id: <HUB-FQDN>
      Remote id: <SPOKE-FQDN>
      Local req msg id:  55             Remote req msg id:  58        
      Local next msg id: 55             Remote next msg id: 58        
      Local req queued:  55             Remote req queued:  58        
      Local window:      5              Remote window:      5         
      DPD configured for 10 seconds, retry 2
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Assigned host addr: 10.255.176.15
      Initiator of SA : No
      Remote subnets:
      10.255.176.15 255.255.255.255
      10.255.18.44 255.255.255.255
      192.168.100.0 255.255.255.0

Working tunnel on spoke side:

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         <SPOKE-PUBLIC-IP>/500      <HUB-PUBLIC-IP>/500   none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/529 sec
      CE id: 2029, Session-id: 20
      Status Description: Negotiation done
      Local spi: 2098208B89845A8E       Remote spi: D13309864C08DB0E
      Local id: <SPOKE-FQDN>
      Remote id: <HUB-FQDN>
      Local req msg id:  55             Remote req msg id:  52        
      Local next msg id: 55             Remote next msg id: 52        
      Local req queued:  55             Remote req queued:  52        
      Local window:      5              Remote window:      5         
      DPD configured for 10 seconds, retry 2
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Pushed IP address: 10.255.176.15
      Remote subnets:
      10.255.176.14 255.255.255.255
      0.0.0.0 0.0.0.0

As stated before, the FlexVPN and crypto setup works fine, except for the NHRP redirect feature. Any help with this would be appreciated.
Accepted Solution

Marcin Latosiewicz
Cisco Employee

 tunnel mode ipsec ipv4 <--- NHRP in IP world, may not work ... Try with GRE?

1544368: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'Uninitialized tunnel mode' to 'GRE over point to point IPV4 tunnel mode'
1544369: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: NHRP not enabled

interface Virtual-Template10 type tunnel
 ip unnumbered Tunnel0 <--- why Tunnel0 and not the LAN?

VRF configuration?
5 Replies

Thanks

 no tunnel mode ipsec ipv4

was all the setup needed!

Perfect Answer. I was facing the same issue.

I suspect that FlexVPN spoke-to-spoke tunnels do not work in ipv4 mode and only support GRE mode.

NHRP is an L2 protocol, VTI is an L3 encapsulation. So yes, you do need GRE (default).
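The thread's root cause is a pairing the CLI accepts without complaint: NHRP redirect/shortcut configured on a tunnel that is in 'tunnel mode ipsec ipv4' (a plain VTI). As an added example, not code from the thread or from Cisco, here is a small config linter that finds that pairing in exported IOS interface stanzas and emits the corrected config; the sample config is constructed from the hub and spoke stanzas posted above, and the check assumes the config was saved as plain text with one-space indentation as IOS prints it.

```python
import re
from typing import Dict, List

# Constructed sample (not the thread's config verbatim): the hub's Virtual-Access
# and the spoke's Tunnel0 stanzas, reduced to the lines that matter here.
SAMPLE = """\
interface Virtual-Access3
 ip address 10.255.176.14 255.255.255.254
 ip nhrp network-id 5
 ip nhrp redirect
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN-EXT-IPSEC-PROF
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
end
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group each interface's indented sub-commands under its name."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # 'end', '!' or a top-level command closes the stanza
    return stanzas

def nhrp_on_vti(config: str) -> List[str]:
    """Interfaces that run NHRP redirect/shortcut on a plain IPsec VTI
    ('tunnel mode ipsec ipv4'), the combination the thread found broken."""
    flagged = []
    for name, cmds in parse_interfaces(config).items():
        uses_nhrp = any(re.match(r"ip nhrp (redirect|shortcut)\b", c) for c in cmds)
        if uses_nhrp and "tunnel mode ipsec ipv4" in cmds:
            flagged.append(name)
    return flagged

def fix_config(config: str) -> str:
    """Remove 'tunnel mode ipsec ipv4' so the tunnel reverts to the GRE default."""
    kept = [l for l in config.splitlines() if l.strip() != "tunnel mode ipsec ipv4"]
    return "\n".join(kept) + "\n"
```

Run `nhrp_on_vti` over a `show running-config` export to list the offending interfaces; `fix_config` mirrors the one-line fix the original poster reported (`no tunnel mode ipsec ipv4`) for every stanza it finds.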
