Hi all, I am studying DMVPN phase 3 and would like to ask if you can answer some of my questions about an issue that I'm working on right now.
Description: From the topology, I have 3 sites (A, B and C) and all routers are DMVPN configured. From the topology you can also see that Site B and C (spoke-to-spoke) communication is working but Site A & B is not working.
1. In which specific database does the HUB store the route information from its spoke routers? Is it based on the RIB, FIB or NHRP database? With this, the HUB knows where to forward the traffic, and this is also used to send a redirect whenever there is a better path that a spoke could use.
2. From the topology, Site A has a preferred path from the HUB's perspective, which is to forward the Site A LAN network to another PE and not directly to the HUB. This affects the spoke-to-spoke communication. Could you give input about this? Does the hub need to have the best path towards its peer tunnel to send a redirect (related to #1)?
3. Can we run a spoke-to-spoke test between Site A and Site B using their tunnel interface IP addresses, since they are directly connected and not being manipulated?
Site A - R2 (tunnel 0 - 192.168.1.10/24)
Site B - R (tunnel 0 - 192.168.1.20/24)
SiteA# ping 192.168.1.20 source 192.168.1.10
SiteA# trace 192.168.1.20 source 192.168.1.10
Result: 2 hops away - HUB -> SITE B ROUTER
Same result with Site B to Site A ping and trace.
4. All spoke routers have an IPsec profile configured, but Site A and Site B spoke-to-spoke communication is unable to fully form phase 2 IPsec. All policies and attributes are the same, since we could not form an adjacency with the hub if something were missing... So I believe this is due to the fact that we cannot form spoke-to-spoke communication because of the preferred path? BTW I'm using the tunnel interfaces to test (see #3 sample).
Debug output from SITE A router 2:
46 CEST: ISAKMP-PAK: (15727):received packet from 18.104.22.168 dport 500 sport 500 INTERNET (R) QM_IDLE
46 CEST: ISAKMP: (15727):set new node 1832717634 to QM_IDLE
46 CEST: ISAKMP: (15727):processing HASH payload. message ID = 1832717634
46 CEST: ISAKMP: (15727):processing SA payload. message ID = 1832717634
I am not sure I understood all the questions, but I can tell you for question 1 that routing info is stored in the RIB, forwarding info in the FIB and NBMA resolution in the NHRP DB. The redirect is sent using the NHRP DB.
The ping and trace from the spoke routers will always go through the hub. An NHRP redirect isn't sent for traffic sourced from the spoke. It's sent for traffic routed through the spoke.
Your debugs clearly show a mismatch in phase two policies. Just make sure that you are using the same parameters. Sometimes there are differences in AES syntax; for example, aes alone means aes-128 in some places while in others it means aes-256. Just recheck.
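The cipher-alias pitfall in the reply above, as an added example that is not from the thread or its routers: a small Python check that normalises IOS transform-set lines (a bare esp-aes is AES-128) and reports whether two spoke configs share a compatible phase-2 proposal. The config excerpts, transform-set names and the alias handling are constructed assumptions for this example.

```python
"""Compare IPsec phase-2 transform sets from two DMVPN spoke configs: a bare
'esp-aes' on IOS is AES-128 while 'esp-aes 256' is AES-256, so look-alike
sets can still fail phase 2. Sample configs are constructed for this example."""
import re

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MODE_RE = re.compile(r"^mode (tunnel|transport)$")

def canonical(transforms: str) -> frozenset:
    """Expand 'esp-aes [bits]' into 'esp-aes-<bits>' (bits default to 128)."""
    tokens, out, i = transforms.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "esp-aes":
            bits = "128"
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1
                bits = tokens[i]
            out.append(f"esp-aes-{bits}")
        else:
            out.append(tokens[i])
        i += 1
    return frozenset(out)

def parse_transform_sets(config: str) -> dict:
    """Map transform-set name -> (canonical transforms, mode); IOS default mode is tunnel."""
    sets, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            current = m.group(1)
            sets[current] = [canonical(m.group(2)), "tunnel"]
            continue
        m = MODE_RE.match(line)
        if m and current:
            sets[current][1] = m.group(1)
    return {name: tuple(v) for name, v in sets.items()}

def matching_sets(cfg_a: str, cfg_b: str) -> list:
    """Return (name_a, name_b) pairs whose transforms and mode agree, i.e. can negotiate."""
    a, b = parse_transform_sets(cfg_a), parse_transform_sets(cfg_b)
    return [(na, nb) for na, va in a.items() for nb, vb in b.items() if va == vb]

# Constructed sample excerpts (not from the thread's routers).
SITE_A = "crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac\n mode transport\n"
SITE_B = "crypto ipsec transform-set TS-SPOKE esp-aes 256 esp-sha-hmac\n mode transport\n"
SITE_B_FIXED = SITE_B.replace("esp-aes 256", "esp-aes")

if __name__ == "__main__":
    print("A<->B:", matching_sets(SITE_A, SITE_B) or "no common set", "| fixed:", matching_sets(SITE_A, SITE_B_FIXED))
```

Run it against `show running-config | section crypto ipsec transform-set` output from each spoke; an empty result for the pair means no proposal can be agreed, regardless of what the hub accepts.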