DMVPN Problem

sadist001
Level 1

Hello,

I have configured a Dual Hub VPN. The connection with the first hub was established successfully, but there is a problem with the other one.

The configuration is identical.

On the spoke I see the following (show dmvpn detail):

Interface: Tunnel255
Session: [0x7F6EA7A5F8]
Session ID: 0
IKEv1 SA: local 92.51.*.*/500 remote 95.104.*.*/500 Active
Capabilities:(none) connid:1360 lifetime:19:59:36
Session ID: 0
IKEv1 SA: local 92.51.*.*/500 remote 95.104.**/500 Inactive
Capabilities:(none) connid:1359 lifetime:0
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 95.104.*.*
IPSEC FLOW: permit 47 host 92.51.*.* host 95.104.*.*
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3576
Outbound: #pkts enc'ed 12 drop 0 life (KB/Sec) 4607998/3576
Outbound SPI : 0x7D25AF98, transform : esp-256-aes esp-sha256-hmac
Socket State: Open

On the hub I see:


# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 UNKNOWN 172.31.*.* IKE never IX

Where is the problem?

 


balaji.bandi
Hall of Fame
IKEv1 SA: local 92.51.*.*/500 remote 95.104.**/500 Inactive

How is your topology diagram? Do they use the same link to connect to another hub, or a different interface?

Look at this good example:

https://knowtoshare.wordpress.com/2017/01/06/cisco-dmvpn-dual-hub-single-topology/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Topology is simple.

I have 2 hubs; each spoke must connect to them. There is no problem with the connection between Hub-1 and the spoke, but the connection is not establishing with Hub-2. The configuration is the same but... Same physical link.

Can you post the spoke config for both?

BB


Spoke Config:

interface Tunnel255
 description Hub_1
 ip address 172.31.100.250 255.255.255.0
 ip mtu 1400
 ip nhrp authentication AGNHRP
 ip nhrp map 172.31.100.254 95.104.*.*
 ip nhrp map multicast 95.104.*.*
 ip nhrp network-id 255
 ip nhrp nhs 172.31.100.254
 ip tcp adjust-mss 1360
 tunnel source 92.51.*.*
 tunnel destination 95.104.*.*
 tunnel key 255
 tunnel protection ipsec profile Profile-IKEv1

interface Tunnel254
 description Hub_2
 ip address 172.31.101.250 255.255.255.0
 ip mtu 1400
 ip nhrp authentication AGNHRP
 ip nhrp map 172.31.101.254 5.10.*.*
 ip nhrp map multicast 5.10.*.*
 ip nhrp network-id 254
 ip nhrp nhs 172.31.101.254
 ip tcp adjust-mss 1360
 tunnel source 92.51.*.*
 tunnel destination 5.10.*.*
 tunnel key 254
 tunnel protection ipsec profile Profile-IKEv1

Hub 1 Config:

interface Tunnel255
 description Hub_1
 ip address 172.31.100.254 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication AGNHRP
 ip nhrp network-id 255
 ip tcp adjust-mss 1360
 tunnel source 95.104.*.*
 tunnel mode gre multipoint
 tunnel key 255
 tunnel protection ipsec profile Profile-IKEv1

Hub 2 Config:

interface Tunnel254
 description Hub_2
 ip address 172.31.101.254 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication AGNHRP
 ip nhrp map multicast dynamic
 ip nhrp network-id 254
 ip tcp adjust-mss 1360
 tunnel source 5.10.*.*
 tunnel mode gre multipoint
 tunnel key 254
 tunnel protection ipsec profile Profile-IKEv1
end

Hub-1 is ISR4431, Hub-2 is ISR4331. 

Spoke is 1100. 

 

There is no ip nhrp map multicast dynamic command on Hub-1 because it's an implicit command.

Use share as an IPSec profile.

As far as I know, a shared profile is used when the source is an interface, not an IP address. As the source I use an IP address.

As far as I know, the tunnel source can be an IP address or an interface; because it is the same for the two tunnels, IPSec shared must be used.

Yes, you are right.

Problem has been solved.

I have deleted the unusable IPSec profile and it helped.

You are so welcome, friend.
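The check proposed in the replies above (two tunnels with the same tunnel source and the same IPsec profile need the `shared` keyword on `tunnel protection`), written as a small config linter. This is an added example, not part of the original thread or any Cisco tool; the function names are hypothetical and the input is an excerpt of the spoke configuration posted above.

```python
import re
from collections import defaultdict

# Excerpt of the spoke config posted in the thread (addresses masked as posted).
SPOKE_CONFIG = """\
interface Tunnel255
 tunnel source 92.51.*.*
 tunnel destination 95.104.*.*
 tunnel protection ipsec profile Profile-IKEv1
interface Tunnel254
 tunnel source 92.51.*.*
 tunnel destination 5.10.*.*
 tunnel protection ipsec profile Profile-IKEv1
"""

PROT_RE = re.compile(r"tunnel protection ipsec profile (\S+)(\s+shared)?\s*$")

def parse_tunnels(config):
    """Return {name: {"source", "profile", "shared"}} for each Tunnel interface."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted without indentation
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = None
            if name.startswith("Tunnel"):
                current = tunnels.setdefault(name, {"source": None, "profile": None, "shared": False})
        elif line in ("!", "end"):
            current = None
        elif current is not None and line.startswith("tunnel source "):
            current["source"] = line.split(None, 2)[2]
        elif current is not None and (m := PROT_RE.match(line)):
            current["profile"], current["shared"] = m.group(1), bool(m.group(2))
    return tunnels

def unshared_conflicts(config):
    """Map (source, profile) to the tunnels sharing both where `shared` is missing."""
    groups = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["source"] and t["profile"]:
            groups[(t["source"], t["profile"])].append((name, t["shared"]))
    return {key: sorted(n for n, _ in members)
            for key, members in groups.items()
            if len(members) > 1 and not all(s for _, s in members)}

if __name__ == "__main__":
    for (source, profile), names in unshared_conflicts(SPOKE_CONFIG).items():
        print(f"{', '.join(names)}: same source {source}, profile {profile}, 'shared' missing")
```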

sadist001
Level 1

Any ideas?