Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
470
Views
3
Helpful
7
Replies

CISCO DMVPN GROUP

kwojtyra
Level 1
Level 1

‎01-30-2024 03:07 AM - last edited on ‎01-30-2024 03:34 AM by Community Manager

Hello,

We replace the Spoke router with a new one and the HQ remains older and our tunnel status is "MM_NO_STATE". 

Does someone knows is the crypto isakmp group should be the same on HQ and Spoke.

On new router i can set value of 24, on old router that is HQ the value is set to 2 and we can't change it (it is not our's).

The next problem is that i can't create ip nhrp group in tunnel interface on new router. Is it necessary if it is on HQ?

Thanks, if You anwser

Labels:
0 Helpful
7 Replies 7

MHM Cisco World
VIP
VIP

‎01-30-2024 03:14 AM

I thinking you meaning by isakmp group the DH group and sure it must be same 

If older not use same group then add second isakmp policy in Hub and use dh group acceptable by old spoke router 

For ip nhrp group' for what you use it for QoS or for multi tunnel load balance?

MHM

0 Helpful

kwojtyra
Level 1
Level 1
In response to MHM Cisco World

‎01-30-2024 03:17 AM

I think it is used for multi tunnel load balance.

0 Helpful

MHM Cisco World
VIP
VIP
In response to kwojtyra

‎01-30-2024 03:21 AM

Ok' let divide issue 

Make second isakmp policy in hub with dh group (not 24 sure) and check ipsec 

And second division share tunnel config you try to apply to this old router. Let me check if the command is changed or not

Thanks 

MHM

0 Helpful

kwojtyra
Level 1
Level 1
In response to MHM Cisco World

‎01-30-2024 03:29 AM

One note - we can change configuration only on new router.

Here is how tunnel configuration looks


interface Tunnel100

ip address 192.168.0.100 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxxxx
ip nhrp map multicast dynamic
ip nhrp map multicast 10.0.0.10
ip nhrp map 20.0.0.1 10.0.0.10
ip nhrp network-id 10
ip nhrp nhs 20.0.0.1
ip nhrp group vpn_group
tunnel source Loopback100
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile vpn_x

MHM Cisco World
VIP
VIP
In response to kwojtyra

‎01-30-2024 03:39 AM

Oh' ok 

Hub is old and use dh group 2 

New spoke use dh group 24 

It same issue you must match dh group' 

The issue is dh group 2 is remove from new router. So same as I mention befor' contact hub admin ask him for dh group hub support.

Then after agree in specific value  make him add new isakmp policy for this new dh group' and use same value in your new spoke router.

For ip nhrp group I will check and update you' can I know what is platform and ver of your new spoke router

MHM

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎01-30-2024 03:42 AM

For ip nhrp group  

Use instead 

Nhrp group (without IP)

MHM

kwojtyra
Level 1
Level 1
In response to MHM Cisco World

‎01-30-2024 03:46 AM

Thank's we will try

0 Helpful
Customers Also Viewed These Support Documents