Cause for new 8300 failing to create same DMVPN tunnels as old router?

Hello.

During the upgrade from a 3925 router to a new 8300 router,
DMVPN tunnel 2 and DMVPN tunnel 3 did not achieve an up state. They were stuck in IKE, and after investigation it seems that the new 8300 is sending ISAKMP requests, but the 2950 DMVPN hub is receiving zero of these requests.
-It is true that DMVPNs were without symptoms before hardware replacement.
-It is true that new config was (basically) copy/pasted from old config.
-It is true that www connectivity is successful.
-It is true that the 2950 DMVPN hub can ping the public interface of the 8300 new spoke.
-It is true that the ISAKMP proposal set details are identical in the hub and spoke config.
-It is true that, unlike the old 3925, this new 8300 has security features such as zone based firewalls. Without effect, I inserted, "
-It is possible that this device's circuit traverses an ASA.

From Cisco literature...
"Security Configuration Guide: Zone-Based Policy Firewall - Zone-Based Policy Firewalls [Cisco ASR 1000 Series Aggregation Services Routers] - Cisco"

"How do I turn off zone-based firewall?
To disable the zone-based firewall configurations that have been applied on the interfaces, use the platform inspect disable-all command. Similarly, to enable zone-based firewall on the interfaces, use the no platform inspect disable-all command. By default, zone-based firewall is always enabled."

QUESTION:
What is the probable cause, or the next troubleshooting step here?

Thank you.


@jmaxwellUSAF remove the zone pairs between the relevant interfaces.

What is the configuration of the ZBFW, are you permitting the required traffic? ESP, UDP/500, UDP/4500?

Does the new router support the crypto that you copied and pasted from the old router? Weaker crypto has been deprecated and removed on newer IOS.

"remove the zone pairs between the relevant interfaces"

Exactly how do I do this?

(I already input "platform inspect disable-all")

@jmaxwellUSAF type "show run | i zone-pair" to determine the zone-pairs which have ZBFW enabled on them, then remove the configuration, e.g. "no zone-pair security ext-self source external destination self".
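An alternative to deleting the zone-pair is to keep the ZBFW and explicitly pass only the DMVPN control and data traffic (UDP/500, UDP/4500, ESP) into the router's self zone. This is an added, constructed example, not configuration from either poster; it assumes the zone names "external" and "self" from the reply above and an assumed tunnel-source interface GigabitEthernet0/0/0.

```cisco
! Constructed example: permit DMVPN control/data traffic to the self zone
! instead of removing the ext-self zone-pair. Interface name is assumed.
ip access-list extended ACL-DMVPN-SELF
 remark IKE/ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP for the DMVPN tunnels
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-any CM-DMVPN-SELF
 match access-group name ACL-DMVPN-SELF
!
! "pass" rather than "inspect": ESP carries no session state the firewall
! can track. Everything else toward the router is dropped and logged, which
! is what produces evidence in the log if a required protocol was missed.
policy-map type inspect PM-EXT-TO-SELF
 class type inspect CM-DMVPN-SELF
  pass
 class class-default
  drop log
!
zone security external
!
interface GigabitEthernet0/0/0
 description assumed public interface / tunnel source
 zone-member security external
!
zone-pair security ext-self source external destination self
 service-policy type inspect PM-EXT-TO-SELF
!
! "pass" is one-directional. If a self -> external zone-pair also exists
! (check with "show run | i zone-pair"), pass the same class there as well.
!
! Verification after applying:
!   show zone-pair security
!   show policy-map type inspect zone-pair ext-self
```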

Thank you Rob. I will try above.

Right now we have physically removed this new device from the circuit. Old device acting normally.

In the meantime, what do you think of this error on the problematic 8300?

*Nov 16 20:36:30.661: %DMVPN-5-NHRP_NHP_DOWN: Tunnel20: Next Hop Peer : (Tunnel: 192.168.102.1 NBMA: 216.255.122.194) for (Tunnel: 192.168.2.19 NBMA: UNKNOWN) is DOWN, Reason: administratively prohibited(NHRP: no error)

@jmaxwellUSAF I'd need to see the configuration to understand the error better, but at a guess, is there an ACL filtering the communication? Hence the error "administratively prohibited".