DMVPN Design Spoke to Spoke SA Problem

faisalvt0807
Level 1

Hello,

DMVPN design: the spoke-to-spoke SA is being deleted and re-created every 60 seconds.

Can anybody help me resolve this issue?

Router log:

Router2
-------
*Apr 18 10:53:06: %CRYPTO-4-IKMP_NO_SA: IKE message from 116.91.118.60 has no SA and is not an initialization offer
*Apr 18 10:54:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 116.91.118.60
*Apr 18 10:54:19: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 116.91.118.60' to manually clear IPSec SA's covered by this IKE SA.
*Apr 18 10:54:46: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 116.91.118.60' to manually clear IPSec SA's covered by this IKE SA.
*Apr 18 10:55:07: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=86.98.88.125, prot=50, spi=0xD69E7F6F(3600711535), srcaddr=116.91.118.60, input interface=Dialer1
Router3
-------
*Apr 18 06:55:34.587: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 86.98.88.125' to manually clear IPSec SA's covered by this IKE SA.
*Apr 18 06:55:58.071: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 86.98.88.125' to manually clear IPSec SA's covered by this IKE SA.
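The log excerpts above are the only evidence the thread gives, so a quick way to see the churn is to parse them per peer: how many IKE SA deletions hit the same peer, how far apart they are, and whether an invalid-SPI packet from that peer arrives after a deletion (which means the far side is still encrypting on an IPsec SA this router has already dropped). The script below is an added example, not part of the original post or of Cisco IOS; it assumes the `*Mon DD HH:MM:SS: %FACILITY-SEV-MNEMONIC: text` syslog layout shown above, and the `192.0.2.10` and `%LINEPROTO` lines in the samples are constructed filler to show non-flapping and non-crypto input.

```python
"""Summarise IKE/IPsec SA churn per peer from Cisco IOS %CRYPTO syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog layout as it appears in the thread; fractional seconds (".587") and a
# timezone token after the timestamp are tolerated but not required.
LINE_RE = re.compile(
    r'^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: \S+)?: '
    r'%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$'
)
IP = r'(\d{1,3}(?:\.\d{1,3}){3})'
# Where each %CRYPTO message type names the remote peer; the bare IPv4 pattern
# at the end is a fallback for message types not listed here.
PEER_RES = [
    re.compile(r'clear crypto sa peer ' + IP),  # ISAKMP_MANUAL_DELETE
    re.compile(r'IKE message from ' + IP),       # IKMP_NO_SA
    re.compile(r'peer at ' + IP),                # IKMP_MODE_FAILURE
    re.compile(r'srcaddr=' + IP),                # RECVD_PKT_INV_SPI
    re.compile(IP),
]


def parse_line(line):
    """Return (timestamp, mnemonic, peer, message) for a %CRYPTO line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group('mnemonic').startswith('CRYPTO-'):
        return None
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for gaps within a day.
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
    msg = m.group('msg')
    peer = None
    for rx in PEER_RES:
        pm = rx.search(msg)
        if pm:
            peer = pm.group(1)
            break
    return ts, m.group('mnemonic'), peer, msg


def analyse(lines, flap_window=120):
    """Group %CRYPTO events by peer and flag SA churn.

    'flapping'  : the IKE SA to this peer was deleted twice within flap_window seconds.
    'stale_spi' : an invalid-SPI packet from this peer arrived after a deletion, i.e. the
                  peer kept sending on an IPsec SA this router no longer holds.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2]:
            events[parsed[2]].append(parsed)
    report = {}
    for peer, evs in events.items():
        evs.sort(key=lambda e: e[0])
        deletes = [e[0] for e in evs if e[1].endswith('ISAKMP_MANUAL_DELETE')]
        gaps = [int((b - a).total_seconds()) for a, b in zip(deletes, deletes[1:])]
        stale = any(e[1].endswith('RECVD_PKT_INV_SPI') and deletes and e[0] > deletes[0]
                    for e in evs)
        report[peer] = {
            'events': len(evs),
            'delete_gaps_s': gaps,
            'flapping': any(g <= flap_window for g in gaps),
            'stale_spi': stale,
        }
    return report


# Sample input: the Router2 and Router3 lines from the post plus constructed filler lines.
ROUTER2_LOG = [
    "*Apr 18 10:53:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up",
    "*Apr 18 10:53:06: %CRYPTO-4-IKMP_NO_SA: IKE message from 116.91.118.60 has no SA and is not an initialization offer",
    "*Apr 18 10:54:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 116.91.118.60",
    "*Apr 18 10:54:19: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 116.91.118.60' to manually clear IPSec SA's covered by this IKE SA.",
    "*Apr 18 10:54:46: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 116.91.118.60' to manually clear IPSec SA's covered by this IKE SA.",
    "*Apr 18 10:55:07: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=86.98.88.125, prot=50, spi=0xD69E7F6F(3600711535), srcaddr=116.91.118.60, input interface=Dialer1",
    "*Apr 18 11:10:00: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 192.0.2.10' to manually clear IPSec SA's covered by this IKE SA.",
]
ROUTER3_LOG = [
    "*Apr 18 06:55:34.587: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 86.98.88.125' to manually clear IPSec SA's covered by this IKE SA.",
    "*Apr 18 06:55:58.071: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 86.98.88.125' to manually clear IPSec SA's covered by this IKE SA.",
]

if __name__ == '__main__':
    for name, log in (('Router2', ROUTER2_LOG), ('Router3', ROUTER3_LOG)):
        for peer, info in analyse(log).items():
            print(f"{name} peer {peer}: {info}")
```

Run against the two excerpts it reports the same peer pair from both sides (116.91.118.60 seen from Router2, 86.98.88.125 seen from Router3) with deletions 27 s and 24 s apart and, on Router2, an invalid-SPI packet arriving after the first deletion; the constructed 192.0.2.10 peer with a single deletion is not flagged. Feed it a longer `show logging` capture to see whether the cadence really is 60 seconds and whether both ends tear down at the same moment, which narrows the problem to one side or to the routing between them.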

6 Replies

WILLIAM STEGMAN
Level 4

Is this a new deployment? Assuming your config matches on both sides of the tunnel, it could be a bug. Are you able to try a different IOS version?

Hi William,

This is not a new deployment; it was working properly.

Router platform (both sides):

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M4, R 

Recently I removed the default route that was mapped to the WAN interface and added a static route.

I have diverted the default route (internet) through another router which is connected directly.

This design is a hub and three spokes; one of the spokes is working perfectly, there is no problem there.

Hi,

Refer to the topology for reference.

Do the tunnels between Router10 and the Moscow and UAE DC hubs come up without issue? 

As I understand the topology, it looks like you have 2 hubs, UAE and Moscow, and you’re having trouble getting a spoke to spoke connection up between Japan and UAE router 10. 

Are you using DMVPN Phase 2 or Phase 3?

For review, in order for the spoke to spoke tunnel to come up, either one of the hubs needs to redirect the spoke initiating a connection to the other spoke, which is all facilitated through routing. 

Is the tunnel interface between Japan, Moscow and Spoke router 10 on the same subnet and part of a common routing process?

Which hub provides Japan Spoke’s route to the UAE spoke router 10’s networks?  

Which hub provides UAE spoke router 10’s route to the Japan Spoke’s networks? 

In your diagram, Router 10 is the only spoke with connections to both hubs.  You don’t want the spoke to spoke tunnel to be spun up by one hub in one direction, and the other hub in the return direction. 

1. Do the tunnels between Router10 and the Moscow and UAE DC hubs come up without issue?

Ans: Yes.

2. As I understand the topology, it looks like you have 2 hubs, UAE and Moscow, and you're having trouble getting a spoke to spoke connection up between Japan and UAE router 10.

Ans: Yes, you got it.

3. Is the tunnel interface between Japan, Moscow and Spoke router 10 on the same subnet and part of a common routing process?

Ans: Yes, this is on the same subnet. The routing protocol is OSPF process 1 and it's advertised through OSPF in the same area 0.

4. Which hub provides Japan Spoke's route to the UAE spoke router 10's networks?

Ans: UAE DC HUB, but now I made a static route through UAE spoke router55 because of the VPN disconnecting every 60 seconds.

5. Which hub provides UAE spoke router 10's route to the Japan Spoke's networks?

Ans: Same, UAE DC HUB, but now I made a static route through UAE spoke router55 because of the VPN disconnecting every 60 seconds.

6. In your diagram, Router 10 is the only spoke with connections to both hubs. You don't want the spoke to spoke tunnel to be spun up by one hub in one direction, and the other hub in the return direction.

Ans: No, in my diagram both router10 and router21 have connections with the Moscow and UAE-DC hubs. Yes, I don't really need it, but I should do some static routing to divert traffic; it's uncomfortable for me, as the DMVPN spoke to spoke feature should make a dynamic VPN.

I don't think the spoke to spoke traffic between Japan and UAE router 10 will come up if the path between them includes UAE router 55. Your spokes shouldn't be used as transit routers. That may be the issue. You have a physical link between routers 10 and 55 (non-DMVPN). Have you tried filtering on that link so that WAN networks aren't communicated via that link?