1035 Views | 0 Helpful | 1 Replies

DMVPN TrustSec issue with NHRP registration

mArtAn333 (Level 1)

Hello Community,

I am struggling with TRUSTSEC config on DMVPN routers.

I've tried to follow config guides and CTS activation on DMVPN Hubs/Spokes seems to be pretty easy, just 2 commands to go for SGT inline tagging propagation:

- enable IKEv2 CTS capability negotiation in global mode (crypto ikev2 cts sgt)

- enable inline tagging on tunnel interface (cts sgt inline)

 

The problem is the following:

When I issue "crypto ikev2 cts sgt" command on DMVPN Hubs, I cannot register new DMVPN Spokes, while already registered DMVPN Spokes remain active, but without IKEv2 CTS capabilities negotiated (necessary for inline SGT propagation). To force a new IKEv2 negotiation, it's necessary to bounce at least tunnel interface on a Spoke to initiate a new IKEv2/IPSEC negotiation. After that action given Spoke can't register to Hubs anymore. It seems that NHRP registration process is somehow corrupted. When I bounce Tunnel ifaces on Hubs, all previously registered Spokes are lost. All IKEv2/IPSEC security associations between Hubs and Spokes are established with CTS capabilities, but DMVPN cloud is broken. Not sure, whether I miss something important on Hubs or whether I just hit some IOS-XE bug.

 

Without TRUSTSEC, my DMVPN cloud (Phase 3) works as expected, no issue with routing or IPSEC protection.

My goal is to propagate SGT tag from LAN infrastructure in central site to branches and vice versa over DMVPN without SXP usage between Hubs and Branch devices (routers or LAN switches).

 

Current TRUSTSEC setup on Central site LAN

- inline tagging between access and distribution

- SXP between distribution and DMVPN Hubs (Core does not support inline tagging)

 

Hubs - ASR1001X, AES, Fuji 16.9.3

Spokes - ISR 1111X-8P, Base+Sec+App, Fuji 16.9.3

 

I haven't provided more details since I would like to know for beginning if there is any basic limitation of my intent.

I can provide more details later.

What's the best approach to troubleshoot NHRP registration issues with IPSEC protection and CTS enabled on DMVPN Hub?

 

Thanks for response.

Regards

Martin 

 

1 Accepted Solution

Accepted Solutions

mArtAn333 (Level 1)

I've read the article Configuring TrustSec DMVPN Inline Tagging Support carefully once again and found one important piece of information:

"Configuring the cts sgt inline and crypto ikev2 cts sgt commands results in the packets getting tagged twice - once each by each command."

 

So I removed "crypto ikev2 cts sgt" from HUBs and SPOKEs and DMVPN cloud works fine again!

This config parameter is probably needed only for implementations without m/GRE Tunnel interface (sVTI, dVTI).

In my case successful IKEv2 CTS capabilities negotiation is not required for SGT tag propagation.

 

Outputs from these show commands indicate SGT support as described in the config guide.

sh dmvpn

sh ip nhrp detail (HUBs)

sh ip nhrp nhs detail (SPOKEs)

sh tunnel endpoints

 

Regards

Martin
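For readers landing on this thread later, here is the working combination in DMVPN context, as an added illustration and not the poster's own configuration. Addresses, interface names and the IPsec profile name are constructed placeholders; the only TrustSec-relevant lines are the `cts sgt inline` command on the mGRE tunnel and the absence of the global `crypto ikev2 cts sgt` command, which the accepted answer identifies as the cause of the double tagging and the broken NHRP registration.

```text
! ===== Hub (ASR1001-X, IOS-XE) - constructed example =====
! Do NOT configure the global IKEv2 CTS capability negotiation when
! inline tagging is already enabled on the mGRE tunnel interface:
!   crypto ikev2 cts sgt      <- leave this absent (the poster removed it)
!
interface Tunnel0
 description DMVPN Phase 3 hub (example addressing)
 ip address 10.255.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp redirect
 cts sgt inline                 ! SGT propagated inline over the tunnel
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE

! ===== Spoke (ISR 1111X, IOS-XE) - constructed example =====
! Same rule: no "crypto ikev2 cts sgt" in global configuration.
!
interface Tunnel0
 description DMVPN Phase 3 spoke (example addressing)
 ip address 10.255.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1 nbma 192.0.2.1 multicast
 ip nhrp shortcut
 cts sgt inline
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE

! ===== Verification (the show commands named in the answer) =====
! show dmvpn                  - spoke/hub tunnel state
! show ip nhrp detail         - on hubs: registered spokes
! show ip nhrp nhs detail     - on spokes: NHS registration state
! show tunnel endpoints       - tunnel endpoint and SGT support
```

If you also run SXP between the distribution layer and the hubs, as the poster does, nothing in the SXP configuration changes: the tunnel simply carries the tag inline, so the branches receive it without a separate SXP peering to the hubs.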

