DMVPN / NHRP Problem

Elton Babcock · ‎03-26-2013

We are using DMVPN / NHRP for our spoke to hub connectivity. We are using this setup in phase 1 as no spokes can connect directly to each other. The spokes have a DMVPN build to 2 ASR routers, one in the data center and one in the DR site.

Recently two spokes lost their connection to the DR ASR with no configuration change on either end. All other spokes are able to connect to the HUB ASR with no issues. These 2 problematic spoke routers can connect to our main datacenter ASR with no issues.

Things I have tried.

1. Bouncing the tunnel interfaces on both ends.

2. Removing and re-adding the tunnel configuration on both ends.

3. Clearing the DMVPN sessions on both ends.

4. Clearing the NHRP cache on the HUB router.

The crypto session is UP-ACTIVE so phase 1 and phase 2 are completing but it appears that no ESP packets are being decapsulted on the HUB from the spoke router as it never increases. It appears that the spoke isn't sending ESP traffic or it isn't reaching the HUB router somehow.

Here is the tunnel on the HUB router.

interface Tunnel2

description BBDBU TUNNEL

ip address 10.69.10.1 255.255.255.0

no ip redirects

ip mtu 1400

ip pim dr-priority 10

ip pim nbma-mode

ip pim sparse-mode

ip nhrp authentication ****************

ip nhrp map multicast dynamic

ip nhrp network-id 2811

ip nhrp holdtime 300

ip nhrp max-send 1000 every 10

ip ospf authentication-key 7 ***************

ip ospf network broadcast

ip ospf priority 2

ip ospf cost 135

tunnel source GigabitEthernet0/0/3

tunnel mode gre multipoint

tunnel key *************

tunnel protection ipsec profile PROFILE-DMVPN-TRAN

The tunnel on the spoke side.

interface Tunnel2
description Backup Tunnel
bandwidth 56
ip address 10.69.10.37 255.255.255.0
ip mtu 1400
ip flow egress
ip pim sparse-mode
ip nhrp authentication **************

ip nhrp map 10.69.10.1 *Public IP of HUB*
ip nhrp network-id 2811
ip nhrp holdtime 300
ip nhrp nhs 10.69.10.1
ip nhrp server-only
ip ospf authentication-key 7 ***************

ip ospf network broadcast
ip ospf priority 0
tunnel source FastEthernet0/1
tunnel destination *Public IP on HUB

tunnel key ************

tunnel path-mtu-discovery
tunnel protection ipsec profile PROFILE-DMVPN-TRAN

If I do a show IP NHRP on the HUB router I get this for this spoke.

10.69.10.37/32

Tunnel2 created 00:00:34, expire 00:02:30

Type: incomplete, Flags: negative

Cache hits: 6

Doing a "show dmvpn | i 10.69.10.37

#show dmvpn | i 10.69.10.37

0 UNKNOWN 10.69.10.37 NHRP never IX

I have done a bunch of debugs on both ends and it just seems as though NHRP isnt working as it isn't resolving the public IP address of this tunnel. I just can't figure out why. If anyone has anything or ever experienced this before please help me out. Any ideas are helpful at this point.

Thanks,

johnlloyd_13 · ‎03-26-2013

hi elton,

could you post the output of show ip nhrp nhs detail and debug nhrp packet from the problematic spokes?

Elton Babcock · ‎03-26-2013

Funny thing is this just came back up on its own just after I posted this. It has been down for over 4 days and both spoke routers came back at the same time. I don't think I will ever be able to pinpoint what happened. I have a feeling it may have been on the ISP side. Thanks for the assistance anyways. I logged into the spoke and saw the right output when I issued "show ip nhrp nhs detail" and I thought I was on the wrong router.

I guess i'll never know.

johnlloyd_13 · ‎03-26-2013

cool! im glad it's now up. just a quick tip and to verify that GRE tunnel is passing traffic, just use the ping command and specify the tunnel IP address.

please rate the post if it helps you. thanks!