3037 Views, 20 Helpful, 22 Replies

One way traffic on DMVPN

Kaushik Ray, Level 1

Hello

Can you please advise me on the following: there is a DMVPN setup and I can ping the IP addresses end to end from both sides, but when I run the show crypto ipsec sa command, one end shows values for both #pkts encaps and #pkts decaps while the other end only has encaps and no decaps.

Any advice as to what could be causing this?

Many thanks in advance.
22 Replies
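The symptom in the question (one peer encapsulating but never decapsulating) can be checked mechanically rather than by eye. The script below is an added example and is not part of the original post: it parses the per-peer counter lines of show crypto ipsec sa and reports any SA that is sending but not receiving. The sample output is constructed to mimic the IOS layout (current_peer line followed by #pkts encaps / #pkts decaps lines) and uses documentation addresses, not the thread's routers; the exact wording of the real output on your release is an assumption, so adjust the regular expressions if your output differs.

```python
"""Flag one-way IPsec SAs from 'show crypto ipsec sa' output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the IOS layout: two peers, one healthy and one
# that is encapsulating traffic but has never decapsulated anything.
SAMPLE_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.7/255.255.255.255/47/0)
   current_peer 198.51.100.7 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.9/255.255.255.255/47/0)
   current_peer 198.51.100.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 844, #pkts encrypt: 844, #pkts digest: 844
    #pkts decaps: 839, #pkts decrypt: 839, #pkts verify: 839
"""

PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)\s+port\s+(\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


@dataclass
class SaCounters:
    peer: str
    port: int
    encaps: int = 0
    decaps: int = 0

    @property
    def one_way(self) -> bool:
        # Sending but never receiving: the pattern described in the question.
        return self.encaps > 0 and self.decaps == 0

    @property
    def nat_traversal(self) -> bool:
        # Port 4500 means NAT-T (UDP encapsulation) was negotiated for this peer.
        return self.port == 4500


def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """Return one SaCounters per 'current_peer' block in the output."""
    peers: list[SaCounters] = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = SaCounters(peer=m.group(1), port=int(m.group(2)))
            peers.append(current)
            continue
        if current is None:
            continue  # header lines before the first peer block
        m = ENCAPS_RE.search(line)
        if m:
            current.encaps = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            current.decaps = int(m.group(1))
    return peers


def one_way_peers(text: str) -> list[str]:
    """Peers whose SA is encapsulating traffic but decapsulating none."""
    return [sa.peer for sa in parse_ipsec_sa(text) if sa.one_way]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        status = "ONE-WAY" if sa.one_way else "ok"
        natt = " (NAT-T)" if sa.nat_traversal else ""
        print(f"{sa.peer}:{sa.port}{natt} encaps={sa.encaps} decaps={sa.decaps} {status}")
```

Run it against a saved copy of the command output from each end: a peer listed by one_way_peers on one router but not the other points at the return path (filtering, NAT, or a routing problem) rather than at the IKE negotiation itself.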

Kaushik Ray, Level 1

Hello, any advice on this please?

Thanks

Could you post some vpn config? Looks like something is wrong there.

Thanks Pieter

Here are some configs for it:

Please let me know if you need more information:

Remote Side

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ABCD address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
interface Tunnel0
 bandwidth 128
 ip address 10.146.17.169 255.255.255.224
 ip access-group backup.acl out
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ABCDEF
 ip nhrp map multicast dynamic
 ip nhrp map multicast XXX.XXX.XXX.XXX (Public IP)
 ip nhrp map 10.146.17.161 XXX.XXX.XXX.XXX (Public IP)
 ip nhrp network-id 146146
 ip nhrp holdtime 300
 ip nhrp nhs 10.146.17.161
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1.30
 tunnel mode gre multipoint
 tunnel key 641641
 tunnel protection ipsec profile SDM_Profile1
!
!
interface FastEthernet0/1.30
 description XXXX
 bandwidth 128
 encapsulation dot1Q 30
 ip address 10.146.17.93 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress

Hub Side

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ABCD address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
interface Tunnel0
 bandwidth 4096
 ip address 10.146.17.161 255.255.255.224
 ip access-group backup.acl out
 no ip redirects
 ip accounting output-packets
 ip mtu 1400
 ip hello-interval eigrp 146 15
 ip hold-time eigrp 146 45
 no ip next-hop-self eigrp 146
 ip nhrp authentication ABCDE
 ip nhrp map multicast dynamic
 ip nhrp network-id 146146
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 146
 load-interval 30
 delay 60000
 tunnel source XXX.XXX.XXX.XXX (Public IP)
 tunnel mode gre multipoint
 tunnel key 641641
 tunnel protection ipsec profile SDM_Profile1
crypto ipsec df-bit clear
!
interface GigabitEthernet0/1.184
 description Internet
 encapsulation dot1Q 184
 ip address XXX.XXX.XXX.XXX (Public IP) 255.255.255.252
 ip access-group Internet in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
end

Dear Kaushik,

Please check the following:

Can you ping from tunnel interface to tunnel interface?

Is EIGRP AS 146 up (show ip eigrp neighbors)?

Do you see the remote networks installed in the active routing table (show ip route eigrp)?

Any recent changes?

HTH.

Portu.

Please rate any helpful posts

PieterV82, Level 1

I also noticed this difference:

spoke side: ip nhrp authentication ABCDEF

hub side: ip nhrp authentication ABCDE

Perhaps your EIGRP config is wrong; maybe you could post it as well?
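The mismatch PieterV82 spotted was found by reading two configs side by side. As an added example (not code posted in this thread), the script below pulls the settings that are expected to agree on every member of one DMVPN cloud (NHRP authentication string, NHRP network-id, GRE tunnel key and mode, IP MTU and TCP MSS) out of the interface Tunnel0 stanza of each config and reports the ones that differ. The two stanzas embedded are trimmed copies of the hub and spoke configs posted above; which settings are required to match is stated from general DMVPN practice, not from anything in the thread.

```python
"""Compare DMVPN Tunnel0 settings between a hub and a spoke config (added example)."""
import re

# Trimmed copies of the spoke and hub Tunnel0 stanzas posted in the thread.
SPOKE_CONFIG = """\
interface Tunnel0
 ip address 10.146.17.169 255.255.255.224
 ip mtu 1400
 ip nhrp authentication ABCDEF
 ip nhrp map multicast dynamic
 ip nhrp network-id 146146
 ip nhrp holdtime 300
 ip nhrp nhs 10.146.17.161
 ip tcp adjust-mss 1360
 tunnel mode gre multipoint
 tunnel key 641641
 tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/1.30
 ip address 10.146.17.93 255.255.255.252
"""

HUB_CONFIG = """\
interface Tunnel0
 ip address 10.146.17.161 255.255.255.224
 ip mtu 1400
 ip nhrp authentication ABCDE
 ip nhrp map multicast dynamic
 ip nhrp network-id 146146
 ip tcp adjust-mss 1360
 tunnel mode gre multipoint
 tunnel key 641641
 tunnel protection ipsec profile SDM_Profile1
!
"""

# Settings expected to be identical on every member of one DMVPN cloud.
MUST_MATCH = {
    "nhrp_auth": re.compile(r"^ip nhrp authentication (\S+)$"),
    "nhrp_network_id": re.compile(r"^ip nhrp network-id (\S+)$"),
    "tunnel_key": re.compile(r"^tunnel key (\S+)$"),
    "tunnel_mode": re.compile(r"^tunnel mode (.+)$"),
    "ip_mtu": re.compile(r"^ip mtu (\d+)$"),
    "adjust_mss": re.compile(r"^ip tcp adjust-mss (\d+)$"),
}


def tunnel_stanza(config: str, name: str = "Tunnel0") -> list[str]:
    """Return the command lines inside 'interface <name>', whitespace stripped."""
    lines: list[str] = []
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            inside = line == f"interface {name}"
            continue
        if line == "!":
            inside = False  # '!' closes the interface block in a running-config
            continue
        if inside and line:
            lines.append(line)
    return lines


def tunnel_settings(config: str) -> dict[str, str]:
    """Map each MUST_MATCH key to the value found in the Tunnel0 stanza."""
    found: dict[str, str] = {}
    for line in tunnel_stanza(config):
        for key, pattern in MUST_MATCH.items():
            m = pattern.match(line)
            if m:
                found[key] = m.group(1)
    return found


def mismatches(hub: str, spoke: str) -> dict:
    """Keys whose hub and spoke values differ (None = not configured)."""
    h, s = tunnel_settings(hub), tunnel_settings(spoke)
    return {k: (h.get(k), s.get(k)) for k in MUST_MATCH if h.get(k) != s.get(k)}


if __name__ == "__main__":
    for key, (hub_val, spoke_val) in mismatches(HUB_CONFIG, SPOKE_CONFIG).items():
        print(f"MISMATCH {key}: hub={hub_val!r} spoke={spoke_val!r}")
```

On the posted configs it reports only nhrp_auth (ABCDE versus ABCDEF); whether that is a real mismatch or a transcription slip, a check like this catches it before the NHRP registration is debugged packet by packet.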

Sorry, the authentication was a typo.

It sets up sometimes:

HUBRouter#show dmvpn int tun 0
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    Remote End Public IP   10.146.17.169    UP 00:04:09    DN

But it loses the peering again.

RemoteRouter#ping HUBEndPublicIP repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to HUBEndPublicIP, timeout is 2 seconds:
!!!!!!.!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 1168/1290/1616 ms
slb-pio-r-tech#

HubRouter#ping REMOTEEndPublicIP repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to REMOTEEndPublicIP timeout is 10 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1260/1798/3244 ms

But there are sometimes ping losses, which are very high; could that cause issues that destabilize the VPN?

thanks again

Yes, please check with your ISP and fix the issue first.

HTH.

Portu

I have been able to set up a stable connection, but the VPN is still not passing traffic.

One thing I see is that when I do a show crypto session, the remote router shows the local and remote ports as 4500, but the hub router shows the local port as 4500 and the remote port as 6xxxx, which keeps on changing. Could that be causing issues in establishing the correct path, and should the port be the same on both sides?

Thanks in advance.

Is there anyone who could help me with the above please?

thanks

Can you post the ACL backup.acl which is applied on HUB site tunnel 0, also post your EIGRP config.

With Regards,

Safwan

This one as well, ACL Internet applied on HUB site interface GigabitEthernet0/1.184.

With Regards,

Safwan

Thanks Safwan for your reply:

Here are the details you want:

ip access-list extended backup.acl
 permit ip host 10.146.0.83 any
 permit ip host 10.146.0.42 any
 permit ip host 10.146.0.24 any
 permit ip host 10.146.0.124 any
 permit ip host 10.146.0.44 any
 permit ip host 10.146.0.35 any
 permit ip host 10.146.1.140 any
 deny   ip any 10.146.51.0 0.0.0.255
 deny   ip any 10.146.50.0 0.0.0.255
 deny   ip any 10.146.52.0 0.0.0.255
 deny   ip any 10.146.54.0 0.0.0.255
 deny   ip any 10.146.55.0 0.0.0.255
 deny   ip any 10.146.56.0 0.0.0.255
 deny   ip any 10.146.57.0 0.0.0.255
 deny   ip any 10.146.58.0 0.0.0.255
 deny   ip any 10.146.63.0 0.0.0.255
 deny   ip any 10.146.150.0 0.0.0.255
 deny   ip any 10.146.151.0 0.0.0.255
 deny   ip any 10.146.152.0 0.0.0.255
 deny   ip any 10.146.154.0 0.0.0.255
 deny   ip any 10.146.155.0 0.0.0.255
 deny   ip any 10.146.156.0 0.0.0.255
 deny   ip any 10.146.157.0 0.0.0.255
 deny   ip any 10.146.158.0 0.0.0.255
 deny   ip any 10.146.163.0 0.0.0.255
 deny   ip host 10.146.1.111 any
 deny   ip any 10.146.17.240 0.0.0.15
 permit ip any any

-----------------------------------------------------

!
router eigrp 146
 distribute-list filter.acl out
 network 10.146.0.0 0.0.255.255
 network 129.87.194.177 0.0.0.0
 network 192.168.1.0
 network 192.168.253.0
 redistribute static route-map mgmt.map
 passive-interface GigabitEthernet0/1.80
 passive-interface GigabitEthernet0/1.184
 eigrp router-id 10.146.17.2
!

----------------------------------------------------------------------------

ip access-list extended Internet
 permit icmp any any
 permit tcp 137.237.226.0 0.0.0.255 host 212.39.180.62 eq 22
 permit esp host 193.195.220.120 host 212.39.180.62
 permit udp host 193.195.220.120 host 212.39.180.62 eq isakmp
 permit udp host 193.195.220.120 host 212.39.180.62 eq non500-isakmp
 permit esp host 12.47.179.107 host 212.39.180.62
 permit udp host 12.47.179.107 host 212.39.180.62 eq isakmp
 permit udp host 12.47.179.107 host 212.39.180.62 eq non500-isakmp
 permit tcp 62.92.160.0 0.0.0.255 host 212.39.180.62 eq 22
 permit esp 64.30.159.0 0.0.0.255 host 212.39.180.62
 permit gre 64.30.159.0 0.0.0.255 host 212.39.180.62
 permit udp 64.30.159.0 0.0.0.255 host 212.39.180.62 eq isakmp
 permit udp 64.30.159.0 0.0.0.255 host 212.39.180.62 eq non500-isakmp
 permit ip 64.30.159.0 0.0.0.255 host 212.39.180.62
 permit udp host 195.220.94.163 host 212.39.180.62 eq ntp
 deny   ip any any log

please let me know your thoughts.

thanks
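Safwan asked for these two ACLs because an inbound filter on the hub's Internet interface that does not permit ESP and UDP 500/4500 from the spoke's public address, or an outbound filter on Tunnel0 that drops the spoke's traffic, produces exactly the encaps-without-decaps symptom while ICMP pings still succeed (the Internet ACL permits icmp any any). The evaluator below is an added example, not code from the thread: it parses a subset of the extended ACL lines posted above (host, any and wildcard-mask address forms, eq port qualifiers, a trailing log keyword) and replays constructed packets against them with first-match semantics and the implicit deny. The spoke's public address is redacted in the thread, so SPOKE_PUBLIC is a placeholder; 212.39.180.62 is simply the destination host every line of the posted ACL names.

```python
"""First-match evaluation of Cisco extended ACL lines (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "ssh": 22}

SPOKE_PUBLIC = "198.51.100.7"   # placeholder: the spoke's NAT address is redacted in the thread
HUB_PUBLIC = "212.39.180.62"    # destination host named on every line of the posted ACL

# Trimmed copies of the ACLs posted above.
INTERNET_ACL = """\
permit icmp any any
permit tcp 137.237.226.0 0.0.0.255 host 212.39.180.62 eq 22
permit esp host 12.47.179.107 host 212.39.180.62
permit udp host 12.47.179.107 host 212.39.180.62 eq isakmp
permit udp host 12.47.179.107 host 212.39.180.62 eq non500-isakmp
permit esp 64.30.159.0 0.0.0.255 host 212.39.180.62
permit gre 64.30.159.0 0.0.0.255 host 212.39.180.62
permit udp 64.30.159.0 0.0.0.255 host 212.39.180.62 eq isakmp
permit udp 64.30.159.0 0.0.0.255 host 212.39.180.62 eq non500-isakmp
permit ip 64.30.159.0 0.0.0.255 host 212.39.180.62
deny   ip any any log
"""

BACKUP_ACL = """\
permit ip host 10.146.0.83 any
deny   ip any 10.146.51.0 0.0.0.255
deny   ip any 10.146.17.240 0.0.0.15
permit ip any any
"""


@dataclass
class Ace:
    permit: bool
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care (contiguous mask assumed).
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return ipaddress.IPv4Network((tokens[i], 32 - wild.bit_length()), strict=False), i + 2


def parse_acl(text: str) -> list[Ace]:
    aces: list[Ace] = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _addr(t, 2)
        if i < len(t) and t[i] == "eq":  # source-port qualifier, not used here
            i += 2
        dst, i = _addr(t, i)
        dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[0] == "permit", t[1], src, dst, dport))  # trailing 'log' ignored
    return aces


def permitted(aces: list[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst and (ace.dport is None or ace.dport == dport):
            return ace.permit
    return False


if __name__ == "__main__":
    inet = parse_acl(INTERNET_ACL)
    for proto, dport in (("icmp", None), ("udp", 500), ("udp", 4500), ("esp", None)):
        ok = permitted(inet, proto, SPOKE_PUBLIC, HUB_PUBLIC, dport)
        print(f"{proto}/{dport} from spoke -> hub: {'permit' if ok else 'DENY'}")
```

The replay shows the point of Safwan's question: with the placeholder address the hub accepts ping from the spoke yet drops its ISAKMP, NAT-T and ESP, so end-to-end ICMP reachability on the public addresses says nothing about whether the IPsec packets are allowed in. Substituting the spoke's real NAT address for SPOKE_PUBLIC answers that for the posted ACL; note that the changing remote port 6xxxx mentioned later in the thread is the NAT device's source port and is irrelevant here, since the ACL matches on destination port 4500 only.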

  • I can see that your spoke router has a private IP address and is behind a NAT device. If your spoke router is behind a NAT device and runs a release prior to Cisco IOS Release 12.3(6) and 12.3(7)T, such spoke routers had to use IPsec tunnel mode to participate in a DMVPN network.
  • To make sure DMVPN is up, please check show ip eigrp neighbors; you should see the tunnel IPs of the remote and hub side as neighbours.
  • You can have a simple EIGRP config: create another EIGRP process, 147, and advertise the tunnel IP subnet and the local subnet you want to route over the tunnel. Do not advertise your WAN subnet in the new EIGRP process, as this will make EIGRP flap. I suspect this issue with your existing config, but I cannot confirm as I don't have the distribute-list ACL.

With Regards,

Safwan

Thanks Safwan

The remote router IOS version is: advipservicesk9-mz.124-22.T5

The DMVPN is a backup to the main link, so I think I would not be able to see it?

The distribute-list ACL is as follows:

ip access-list standard filter.acl
 deny   10.146.17.128 0.0.0.31
 deny   10.146.17.0 0.0.0.63
 permit any

thanks
