04-16-2013 07:01 AM - edited 02-21-2020 06:49 PM
Trying to set up a DMVPN on our existing equipment that is currently running all point-to-point VPN connections. Basically, it's not working. My best guess is something with the config is interfering, but I'm not sure. The remote router (881) is always coming back with MM_NO_STATE and the main router (2901) is either MM_NO_STATE or MM_SETUP. I added the config for the 881, 2901 and a debug crypto isakmp and debug crypto ipsec from both routers. I have verified the keys are correct and it is not blocking port 500.
If I issue a sh crypto isakmp policy they are the same on both routers. If you need me to post anything else I will. One note: I removed the configs that were part of the point-to-point tunnels on the 2901 router.
04-16-2013 11:58 PM
Mike,
From the debugs, it looks like IKE packets (UDP/500) are never received back from the other end.
You might want to sniff the traffic (you can use EPC on routers) to check if the packets are sent and arrive properly.
M.
04-17-2013 02:04 AM
Hi Mike,
Are both routers able to ping out? i.e. ping 8.8.8.8.
I don't see any static default route on the 2901, and the 881 should have ip route 0.0.0.0 0.0.0.0 dhcp.
04-17-2013 07:01 AM
Yes, they can ping out. The 2901A does have a static route; sorry, I must have removed it accidentally from the config I posted. The reason the 881 does not have dhcp for the default route is because I was forcing it out a different internet connection than what it would get via DHCP, so that the routing would not interfere with the DM tunnel. Of course, later I just set a static address on the router from one of the open addresses we had, so that I could eliminate the NAT barrier (but that had no effect, the same thing was happening). I then removed the IPsec encryption from the tunnel (trying to eliminate IPsec from the equation) and got many of these on the 2901A: "Failed to retrieve NHRP IDB in IF ctrl check". Dumbfounded, so I tried this:
Since I was getting nowhere on that 2901 (let's call it 2901A), I removed the DMVPN tunnel and recreated it on another 2901 (let's call that one 2901B) that was handling the other half (not really half) of our many, many point-to-point connections, and with a minor tweak of that one's firewall the DMVPN is working on that one. So now I have to figure out why 2901A would not allow DMVPN. If you were wondering, the DMVPN config between the routers was identical. I really would like to get DMVPN running on the 2901A since it only has 20 point-to-point VPN connections on it and 2901B has 34 point-to-point VPN connections. (If only I could convince management to get a single Cisco 3925.) One can dream.