DMVPN not working

Mike Buyarski
Level 3

Trying to set up a DMVPN on our existing equipment that is currently running all point-to-point VPN connections. Basically, it's not working. My best guess is that something with the config is interfering, but I'm not sure. The remote router (881) is always coming back with MM_NO_STATE and the main router (2901) is either MM_NO_STATE or MM_SETUP. I added the config for the 881, 2901 and a debug crypto isakmp and debug crypto ipsec from both routers. I have verified the keys are correct and it is not blocking port 500.

If I issue a sh crypto isakmp policy, they are the same on both routers. If you need me to post anything else I will. One note: I removed the configs that were part of the point-to-point tunnels on the 2901 router.

3 Replies

Marcin Latosiewicz
Cisco Employee

Mike,

From debugs, it looks like IKE packets (UDP/500) are never received back from the other end.

You might want to sniff the traffic (you can use EPC on routers) to check if the packets are sent and arrive properly.

M.

johnlloyd_13
Level 9

Hi Mike,

Are both routers able to ping out? i.e. ping 8.8.8.8.

I don't see any static default route on 2901, and 881 should have ip route 0.0.0.0 0.0.0.0 dhcp.

Mike Buyarski
Level 3

Yes, they can ping out. The 2901A does have a static route; sorry, I must have removed it accidentally from the config I posted. The reason the 881 does not have DHCP for the default route is because I was forcing it out a different internet connection than what it would get via DHCP, so that the routing would not interfere with the DM tunnel. Of course, later I just set a static address on the router from one of the open addresses we had, so that I could eliminate the NAT barrier (but that had no effect; the same thing was happening). I then removed the IPsec encryption from the tunnel (trying to eliminate IPsec from the equation) and got many of these on the 2901A: "Failed to retrieve NHRP IDB in IF ctrl check". Dumbfounded, so I tried this:

Since I was getting nowhere on that 2901 (let's call it 2901A), I removed the DMVPN tunnel and recreated it on another 2901 (let's call that one 2901B) that was handling the other half (not really half) of our many, many point-to-point connections, and with a minor tweak of that one's firewall the DMVPN is working on that one. So now I have to figure out why 2901A would not allow DMVPN. If you were wondering, the DMVPN config between the routers was identical. I really would like to get DMVPN running on the 2901A since it only has 20 point-to-point VPN connections on it and 2901B has 34 point-to-point VPN connections. (If only I could convince management to get a single Cisco 3925.) One can dream.
