3042 Views, 20 Helpful, 22 Replies

One way traffic on DMVPN

Kaushik Ray
Level 1

Hello

Can you please advise me on the following: there is a DMVPN setup and I can ping the IP addresses end to end from both sides, but when running the

show crypto ipsec sa command, one end shows values for both #pkts encaps and #pkts decaps, while the other end only has encaps and no decaps.
Any advice as to what could be causing this?
Many thanks in advance.
22 Replies

Kaushik Ray
Level 1

One issue I am seeing, which I would be grateful if you could kindly clarify: on the hub router I am seeing this

Interface: Tunnel0

Session status: UP-ACTIVE

Peer: 64.30.159.34 port 61129

  IKE SA: local 212.39.180.62/4500 remote 64.30.159.34/61129 Active

  IPSEC FLOW: permit 47 host 212.39.180.62 host 64.30.159.34

        Active SAs: 2, origin: crypto map

On the remote end:

sh crypto session

Crypto session current status

Interface: Tunnel0

Session status: UP-ACTIVE

Peer: 212.39.180.62 port 4500

  IKE SA: local 10.146.17.113/4500 remote 212.39.180.62/4500 Active

Should the hub not have 4500 as the remote port as well? Could it cause an issue, or is it irrelevant?

Thanks

That's normal, since your ISP is doing PAT for your spoke router IP. Since PAT is in use, you have to change the IPsec mode from transport to tunnel on hub and spoke.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

Do clear ip nhrp on HUB and Spoke and give it a try.

Note: on your setup, the tunnel will only come up if you are initiating the traffic from the spoke, so do a shut and no shut of the tunnel interface on the spoke router.

If I understood your problem correctly, this will resolve the issue.

With Regards,

Safwan

Don't forget to rate helpful posts

Thanks for your reply. But this is a setup that was working with an earlier version of the ISP device; this is a new device that they have started rolling out. The mode transport used to work with the previous setup. Is it something they could have changed that would have affected this? They used to PAT on their side as well.

It might be that your ISP changed from static NAT to PAT, or that one more router was added behind the same public IP and port 4500 is occupied by that new router.

For the crypto considerations, please check the link below.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp37763

With Regards,

Safwan

Thanks

I will check that up.

Below is the crypto config; do you still feel the 61129 is correct? The ISP device has a static public IP assigned

to it; should it not come up as 4500?

Remote

sh run | include crypto ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Hub

sh run | include crypto ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

is already there. The only thing is that it still uses mode transport, as part of the old setup which worked.

If the ISP is doing static NAT for your spoke router IP then it should come up with 4500. If the ISP is doing PAT for your spoke router IP then the tunnel will come up with different ports; this is a normal scenario.

I would suggest you add the configuration below and give it a try first.

On the Spoke.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

On the HUB

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

With Regards,

Safwan

Thanks again.

Actually, I cannot change the mode to tunnel, as there is another live IPsec DMVPN tunnel over another ISP provider which uses the same tunnel; it is established and has traffic flowing through it.

Remote Router  < ---------- > Hub Router < ---------- > Backhaul Router

The hub-to-backhaul tunnel is established and uses

sh run | section crypto ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode transport

#pkts encaps: 4665202, #pkts encrypt: 4665202, #pkts digest: 4665202

    #pkts decaps: 1787431, #pkts decrypt: 1787431, #pkts verify: 1787431

It uses 4500 on all possible ports for it as well.

Then ask your ISP to do static NAT for the remote router IP, and make sure with them that UDP/500, UDP/4500 and ESP ports are open between the hub and remote router.

With Regards,

Safwan
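As an added illustration (not code from this thread, from Cisco, or from the posters), here is a small Python parser that applies the two checks discussed in the thread to the outputs quoted above: it reads the ports on the IKE SA line of show crypto session to tell a port-preserving NAT from PAT, and it reads the #pkts encaps/decaps counters of show crypto ipsec sa to flag the encaps-only SA from the original question. The sample outputs, regexes and return labels are constructed for this example.

```python
import re

# Constructed sample output in the style of the thread's "show crypto session" and
# "show crypto ipsec sa" excerpts; addresses are the ones quoted in the thread.
HUB_SESSION = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 64.30.159.34 port 61129
  IKE SA: local 212.39.180.62/4500 remote 64.30.159.34/61129 Active
  IPSEC FLOW: permit 47 host 212.39.180.62 host 64.30.159.34
"""
HUB_SA = """\
   #pkts encaps: 4665202, #pkts encrypt: 4665202, #pkts digest: 4665202
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IKE_RE = re.compile(r"IKE SA: local \S+/(\d+) remote \S+/(\d+) Active")
CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def nat_type(session_text):
    """Classify the peer from the local/remote ports on the IKE SA line.

    500/500    -> IKE detected no NAT, NAT-T not in use
    4500/4500  -> NAT-T in use, peer's port untouched (no NAT or static NAT)
    4500/other -> NAT-T in use and the peer's port was rewritten (PAT)
    Caveat: some PAT devices preserve source ports, so 4500/4500 does
    not prove static NAT; confirm with the provider as the thread suggests.
    """
    m = IKE_RE.search(session_text)
    if not m:
        raise ValueError("no IKE SA line in output")
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if local_port == 500 and remote_port == 500:
        return "no-nat-t"
    return "nat-t-port-preserved" if remote_port == 4500 else "nat-t-pat"


def sa_direction(sa_text):
    """Summarise #pkts encaps/decaps: an SA that only encapsulates is the
    'encaps but no decaps' symptom from the original question."""
    counters = {name: int(n) for name, n in CNT_RE.findall(sa_text)}
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    if enc:
        return "encaps-only"
    return "decaps-only" if dec else "idle"
```

Run both functions on each end's output: a hub that reports nat-t-pat for a spoke while the spoke reports nat-t-port-preserved for the hub is exactly the asymmetric port picture shown in the thread.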
