08-27-2012 01:04 PM - edited 02-21-2020 06:17 PM
Hello,
We are starting to replace all of our ISA servers with Cisco routers with DMVPN. So far we are happy with everything, but I ran into an issue. I just set up one of our branches, and the DMVPN works fine, but this location also needs a VPN tunnel to another branch that we haven't replaced with Cisco hardware yet. The problem I have is that as soon as I associate an IPsec site-to-site VPN on this router, the DMVPN drops.
I create the IPsec VPN:
crypto map VPN_Crypto 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set peer aa.aa.aa.aa
 match address 103 (where address is allow local IP subnet to remote IP subnet)
and all works fine. As soon as I do the following:
interface GigabitEthernet0/1
 crypto map VPN_Crypto
The DMVPN drops. If I then connect in and run:
interface GigabitEthernet0/1
 no crypto map
The DMVPN comes right back up.
What could I be doing wrong? Below is the config for the Tunnel0 DMVPN tunnel:
interface Tunnel0
 bandwidth 1000
 ip address 192.168.10.31 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast xx.xx.xx.xx
 ip nhrp map 192.168.10.10 xx.xx.xx.xx
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.10.10
 zone-member security dmvpn-zone
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
If you need anything else from the config to assist, let me know. On our main site router I have had no problem with it being the DMVPN hub and also having a handful of IPsec VPNs set up on it as well. I really appreciate any help; I really need to get both of these tunnels running simultaneously ASAP.
08-27-2012 01:43 PM
I should also mention, if I monitor the tunnels in CCP, when I enable the crypto map, the DMVPN tunnel disappears from "DMVPN Tunnels" in CCP Monitoring, but it remains in "IPsec Tunnels" as up (but I can't route over it). And while this is going on, the site-to-site IPsec tunnel works fine; I can route traffic over it with no problem.
08-27-2012 03:05 PM
Please share your complete config (as an attachment).
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-27-2012 03:56 PM
Ok, it is attached. I replaced anything private like preshared keys, certificate, etc. And I changed Public IP addresses as follows:
DMVPN Hub IP to 100.100.100.100
Router WAN IP to 200.200.200.200
Router WAN Gateway to 200.200.200.201
Public IP of the other branch I need to create an IPsec VPN to: 250.250.250.250
If changing those is a problem let me know.
As the configuration is included here, if you run:
interface GigabitEthernet0/1
 crypto map VPN_Crypto
the DMVPN will drop and the IPsec VPN comes up (but not both)... then doing a "no crypto" will bring the DMVPN back up (but bring down the IPsec VPN).
08-27-2012 04:11 PM
Which is your Hub-network (IP) that you learn by EIGRP through DMVPN?
08-27-2012 04:12 PM
100.100.100.100 is the public wan IP address of the Hub of the DMVPN.
Also, the internal subnet of the hub location is 10.10.0.0 /16
08-27-2012 04:40 PM
Also, in testing, I've found it doesn't even matter if the IPsec VPN connects. I tried setting up the IPsec VPN with one of my unused IP addresses at the branch site, so I would know the tunnel never formed, and still, as soon as I added the crypto map to GigabitEthernet0/1, the DMVPN dropped.
08-29-2012 05:13 AM
Did you get a chance to look at my config? Did that give you any ideas on why it's not working?
08-29-2012 07:29 AM
Yes, but I didn't see anything that was looking strange (well, configs generated by CCP always look strange ... ).
Perhaps you are running into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I don't have to. You could try 15.0(1)M8 and see if that works.
08-29-2012 07:32 AM
Thank you for the recommendation. I will try loading up the suggested IOS version (is there any issue with configs and rolling back to an older version I should be aware of?).
If that doesn't work, since I just purchased, I will add smartnet and call Cisco support to assist.
08-29-2012 09:15 AM
That was it! I rolled back to the 15.0(1)M8 version you suggested and the issue is solved.
Thank you for your help!
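
An added example, not part of the original thread: a Python check that reads a saved IOS configuration and reports every interface that carries a crypto map while also being the source of a tunnel with `tunnel protection`, the combination the poster reports dropping the DMVPN until the IOS rollback. The sample configuration is constructed from values quoted in the thread, the function names are this example's own, and a tunnel sourced from an IP address rather than an interface name is not resolved.

```python
import re

# Constructed sample, modelled on the spoke configuration quoted in the thread.
SAMPLE_CONFIG = """\
version 15.2
!
crypto map VPN_Crypto 1 ipsec-isakmp
 match address 103
!
interface Tunnel0
 tunnel source GigabitEthernet0/1
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0/1
 crypto map VPN_Crypto
!
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return interfaces

def find_shared_crypto(config):
    """Report interfaces that hold a crypto map and source a protected tunnel."""
    interfaces = parse_interfaces(config)
    match = re.search(r"^version (\S+)", config, re.MULTILINE)
    findings = []
    for tunnel, cmds in interfaces.items():
        source = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), None)
        profile = next((c.split()[-1] for c in cmds if c.startswith("tunnel protection ipsec ")), None)
        if source is None or profile is None:
            continue
        for cmd in interfaces.get(source, []):
            if cmd.startswith("crypto map "):
                findings.append({"tunnel": tunnel, "profile": profile, "interface": source,
                                 "crypto_map": cmd.split()[2],
                                 "version": match.group(1) if match else None})
    return findings

print(find_shared_crypto(SAMPLE_CONFIG))
```

Running it over the saved configurations of the remaining spokes shows which routers share this layout and which IOS version each one reports, before a crypto map is attached in production.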