DMVPN Tunnel gets routing info from VRF of source int "g0/0"?

Hello.

DMVPN spoke int tu10 is stuck in NHRP state. Troubleshooting has been fruitless.

Suspect is the VRF design.

Tunnel 10 is on vrf "RED". No routing protocol is run on this VRF, it only has a very few static routes, with a default route pointing to the www. 

Does Tunnel10 get its routing info from the VRF of its source int "g0/0", or from the default vrf?

Maybe the tunnel is stuck in NHRP state because there is no routing in vrf "RED" for the tunneled LAN 192.168.1.0/24?

Thank you.

I sent you a message.

@jmaxwellUSAF I assume you mean "tunnel vrf RED" is configured under Tunnel10? That is a Frontdoor VRF, typically that is used on the outside interface, where you'd have a default route.

For the internal interface, if no explicit VRF is configured using "ip vrf forwarding VRFNAME", then the "global" routing table is used.
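The front-door VRF layout described in the reply above, as an added configuration sketch (not taken from any poster's router). It assumes g0/0 from the question is the tunnel source and sits in VRF RED; all IP addresses, the NHRP network-id and the hub addresses are constructed placeholders, and the IPsec configuration is omitted.

```cisco
! Added example: front-door VRF (FVRF) on a DMVPN spoke.
! Addresses are constructed (documentation ranges), not from the thread.
ip vrf RED
 rd 2:2
!
! Outside (transport) interface: lives in VRF RED.
interface GigabitEthernet0/0
 ip vrf forwarding RED
 ip address 203.0.113.2 255.255.255.252
!
! Tunnel interface: no "ip vrf forwarding" here, so the tunnel's own
! address and every route learned or pointed through it belong to the
! global routing table (the overlay).
interface Tunnel10
 ip address 10.10.10.2 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map 10.10.10.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.10.10.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! "tunnel vrf" only selects the table used to route the encapsulated
 ! GRE packets toward the hub's NBMA address (198.51.100.1 here).
 tunnel vrf RED
!
! Transport reachability: default route inside VRF RED.
ip route vrf RED 0.0.0.0 0.0.0.0 203.0.113.1
!
! Overlay reachability: the tunneled LAN is routed in the global table.
ip route 192.168.1.0 255.255.255.0 10.10.10.1
!
! Checks:
!   show ip route vrf RED         -> path to the hub NBMA address
!   show ip route 192.168.1.0     -> overlay route in the global table
!   show dmvpn                    -> NHRP/tunnel state toward the hub
```

With this layout, VRF RED needs a route to the hub's public address only; a missing route for 192.168.1.0/24 in RED is expected.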

In short, the only place the VRF is mentioned is on g0/1...

2921#sh vrf RED
Name Default RD Protocols Interfaces
RED 2:2 ipv4 Gi0/1

Does that mean the DMVPN symptom that this tunnel is stuck in NHRP state probably has nothing to do with the VRF configuration? 

As of now, I expect this symptom is caused by a licensing issue. The router is receiving tunneled packets, but not decrypting them. Syslog evidence below...

Aug 18 21:17:25.468 DEST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

Our enterprise is investigating our best option here. Readers can ignore this thread until further notice.

Thank you.

@jmaxwellUSAF looks like you will need the HSEC license for your router.