dmvpn issue. Tunnel up; but could not reach tunnel ip

J_Vansen_S
Level 3

Hi All,

Problem Statement

- Spoke and hub manage to establish the tunnel (UP), but are unable to ping each other's tunnel interface IP, resulting in EIGRP routes not converging.

- Configured the exact same setup in a GNS lab environment; all working fine. But on the live network it fails to work.

- ISAKMP phase 1 seems to establish fine; for IPsec we are seeing some packets encaps, but unfortunately 0 packets decaps.

- Unable to ping each other's tunnel interface IP: 192.168.0.1 (hub) and 192.168.0.12 (spoke).

The GRE DMVPN traverses different ISPs. Could it be some firewall rules blocking our traffic?

We have requested the ISP to open any/any, particularly port 500 and 50. Are there any other special ports to be opened?

I would appreciate it if anyone could provide some pointers.

SPOKE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.240.141.31   10.174.224.34   QM_IDLE           1037 ACTIVE
10.240.141.31   10.174.224.34   MM_NO_STATE       1036 ACTIVE (deleted)

SPOKE#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.174.224.34
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.174.224.34/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.240.141.31/255.255.255.255/47/0)
   current_peer 10.240.141.31 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 764, #pkts encrypt: 764, #pkts digest: 764
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 25, #recv errors 0

SPOKE#show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding
Tunnel0:192.168.0.1  E  req-sent 205  req-failed 0  repl-recv 0

SPOKE#show ip route
Gateway of last resort is 10.174.224.33 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.174.224.33
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C        10.174.64.0/23 is directly connected, GigabitEthernet0/1
L        10.174.65.254/32 is directly connected, GigabitEthernet0/1
C        10.174.224.32/30 is directly connected, GigabitEthernet0/0
L        10.174.224.34/32 is directly connected, GigabitEthernet0/0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Tunnel0
L        192.168.0.12/32 is directly connected, Tunnel0

HUB

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set transet esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set transet
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpn
!
router eigrp 1
 network 10.174.61.0 0.0.0.63
 network 192.168.0.0
 redistribute static
!
ip route 0.0.0.0 0.0.0.0 10.240.141.1

SPOKE

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key XXXXXXXX address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set transet esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set transet
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.0.12 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 192.168.0.1 10.240.141.31
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.0.1
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel destination 10.240.141.31
 tunnel key 100000
 tunnel protection ipsec profile dmvpn
!
router eigrp 1
 network 10.174.64.0 0.0.1.255
 network 192.168.0.0
!
ip route 0.0.0.0 0.0.0.0 10.174.224.33

3 Replies

Marcin Latosiewicz
Cisco Employee

I guess you didn't check the state of NHRP on the hub? :-)

You're for sure missing the multicast NHRP map on the spoke. From there, check NHRP on the hub; I guess you will not see an entry for this hub.

You need to pass UDP/500 and UDP/4500 (if the spoke is behind NAT) and ESP/AH (IP protocol 50/51), depending on what is configured.

M.
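To make the protocol list above concrete, here is an added example (not from the original thread and not Cisco's own reference config) of a WAN-side inbound filter for the hub and for the spoke that permits exactly what this DMVPN needs and nothing else. It assumes the addressing from the posted configs (hub NBMA address 10.240.141.31 and spoke NBMA address 10.174.224.34, both on GigabitEthernet0/0) and that the ACL names are ours. Because `tunnel protection ipsec` is applied, the GRE packets (IP protocol 47) ride inside ESP, so GRE itself does not have to be opened on the ISP path: only IKE (UDP/500), NAT-T (UDP/4500, negotiated when a NAT is detected between the peers) and ESP (IP protocol 50). AH (51) is only needed when an AH transform is configured, which the posted transform set does not use. The per-entry hit counters are the fastest way to localise the asymmetry in the thread: if the ESP entry on the hub stays at zero while the spoke's `#pkts encaps` keeps climbing, the spoke's ESP is being dropped before it reaches the hub.

```cisco
! === HUB (added example) ===
! Spokes register dynamically, so the source is "any"; narrow it to the
! spoke prefixes once they are known.
ip access-list extended DMVPN-WAN-IN
 remark IKE phase 1/2 (UDP/500)
 permit udp any host 10.240.141.31 eq isakmp
 remark IKE and ESP inside UDP when a NAT sits between the peers (UDP/4500)
 permit udp any host 10.240.141.31 eq non500-isakmp
 remark ESP carrying the GRE tunnel (IP protocol 50); AH (51) is not used here
 permit esp any host 10.240.141.31
 remark log what the ISP lets through that we did not expect, then drop it
 deny   ip any any log
!
interface GigabitEthernet0/0
 description WAN, hub NBMA address 10.240.141.31
 ip access-group DMVPN-WAN-IN in
!
! === SPOKE (added example) ===
! The spoke only ever talks IPsec to its hub, so pin both ends.
ip access-list extended DMVPN-WAN-IN-SPOKE
 permit udp host 10.240.141.31 host 10.174.224.34 eq isakmp
 permit udp host 10.240.141.31 host 10.174.224.34 eq non500-isakmp
 permit esp host 10.240.141.31 host 10.174.224.34
 deny   ip any any log
!
interface GigabitEthernet0/0
 description WAN, spoke NBMA address 10.174.224.34
 ip access-group DMVPN-WAN-IN-SPOKE in
```

After applying, compare `show access-lists DMVPN-WAN-IN` on the hub with `show crypto ipsec sa | include encaps|decaps` on the spoke: the hub's `permit esp` match count should track the spoke's `#pkts encaps`. Two caveats: these ACLs assume the WAN links carry only DMVPN traffic (if the routers also forward ordinary Internet traffic, the inbound `deny ip any any` will drop the return packets, so add those permits or use a stateful firewall feature instead), and if the spoke sits behind a NAT, the hub sees the NAT's public address as the IKE/ESP source, so any hub-side narrowing of the source must use that address.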

Hi Marcin,

Thanks a lot for your reply.

Yes, I did check NHRP on the hub; it turns out nil sometimes, and sometimes it came up with some entries:

SPOKE1#show ip nhrp detail
192.168.0.1/32
   Tunnel0 created 00:02:30, expire 00:00:34
   Type: incomplete, Flags: negative
   Cache hits: 2
192.168.0.12/32
   Tunnel0 created 00:02:26, expire 00:00:38
   Type: incomplete, Flags: negative
   Cache hits: 7

EGNC_RBPF_HUB1#show ip nhrp detail
192.168.0.1/32
   Tunnel0 created 00:02:38, expire 00:00:26
   Type: incomplete, Flags: negative
   Cache hits: 2

HUB1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.240.141.31   10.174.224.34   QM_IDLE           9046 ACTIVE
10.240.141.31   10.174.224.34   MM_NO_STATE       9045 ACTIVE (deleted)

Are you saying that I am missing the command ip nhrp map multicast on my spoke? If that is so, I'll give it a try.

Any other points that I am missing, apart from the nhrp map multicast on the spoke and allowing 500, 4500, 50 & 51?

I am using IOS 15; is there a difference with it, or some kind of bug?

I did a similar setup on GNS using IOS 12.4 and it seems to be working fine.

Regards: Jocelyn

Jocelyn,

I think it's too early to say whether this is a bug.

Let's first configure the Mcast mapping:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1045062

Looking at your config, it should be something like:

ip nhrp map multicast 10.240.141.31

You will notice that your NHRP mappings on the hub are "incomplete".

You might want to try debugging NHRP on the hub to see if there is something I didn't get at first glance.

debug nhrp packet
debug nhrp ext
debug nhrp err

are the minimum :-)

Marcin
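Putting the thread's advice together, here is an added example (not code from the original posts and not a Cisco reference config) of the spoke's crypto and Tunnel0 stanzas with the multicast mapping Marcin asked for, plus the hardening changes a security reviewer would make while editing the posted config. It assumes the addresses and identifiers from the thread (hub NBMA 10.240.141.31, tunnel subnet 192.168.0.0/24, NHRP network-id and tunnel key 100000, NHRP authentication string "test") and that the hub is changed in the same way, because the ISAKMP policy and transform set must match on both ends. Two things in the posted config deserve attention: `crypto isakmp policy 1` sets only the authentication method, so encryption, hash and Diffie-Hellman group fall back to the IOS defaults (DES, SHA-1 and group 1), and the transform set uses MD5; and the spoke's pre-shared key is bound to `0.0.0.0 0.0.0.0` although a spoke only ever needs to authenticate its hub (the hub keeps the wildcard, or a keyring, because spokes register dynamically). On the NHRP side, `ip nhrp map multicast` tells NHRP where to replicate multicast such as EIGRP hellos to 224.0.0.10; on a point-to-point GRE spoke like this one it is harmless and matches the usual spoke template, but it changes nothing about IKE, ESP or the unicast NHRP registration, so if the counters in the thread still do not move after adding it, the drop is on the ESP path rather than in NHRP.

```cisco
! === SPOKE (added example; the hub needs the same policy and transform set) ===
crypto isakmp policy 10
 ! the posted policy inherited the IOS defaults: DES, SHA-1, DH group 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! bind the key to the hub only; the wildcard is only needed on the hub
crypto isakmp key XXXXXXXX address 10.240.141.31
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set transet esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set transet
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.0.12 255.255.255.0
 ip mtu 1400
 ! keep TCP inside the tunnel below the 1400-byte tunnel MTU
 ip tcp adjust-mss 1360
 ip nhrp authentication test
 ip nhrp map 192.168.0.1 10.240.141.31
 ! the line Marcin asked for: replicate multicast (EIGRP hellos) to the hub
 ip nhrp map multicast 10.240.141.31
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.0.1
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel destination 10.240.141.31
 tunnel key 100000
 tunnel protection ipsec profile dmvpn
```

`hash sha256` and `esp-sha256-hmac` need a 15.x image that supports them; on an older image use `hash sha` and `esp-sha-hmac` (SHA-1) rather than falling back to MD5. Once the hub is updated to match, `show ip nhrp nhs detail` on the spoke should move the hub from `E` (expecting replies) to `R` (responding) with `repl-recv` incrementing, and `show ip nhrp` on the hub should list 192.168.0.12/32 as a dynamic, registered entry instead of the incomplete/negative entries shown earlier in the thread; `show crypto ipsec sa` on the spoke should then show `#pkts decaps` rising alongside `#pkts encaps`.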