08-18-2023 06:11 AM - edited 08-18-2023 06:12 AM
Hello.
DMVPN spoke int tu10 is stuck in NHRP state. Troubleshooting has been fruitless.
Suspect is the VRF design.
Tunnel 10 is on vrf "RED". No routing protocol is run on this VRF; it only has a very few static routes, with a default route pointing to the www.
Does Tunnel10 get its routing info from the VRF of its source int "g0/0", or from the default vrf?
Maybe the tunnel is stuck in NHRP state because there is no routing in vrf "RED" for the tunneled LAN 192.168.1.0/24?
Thank you.
08-18-2023 06:17 AM
I send you a message.
08-18-2023 06:46 AM
@jmaxwellUSAF I assume you mean "tunnel vrf RED" is configured under Tunnel10? That is a Frontdoor VRF; typically that is used on the outside interface, where you'd have a default route.
For the internal interface, if no explicit VRF is configured using "ip vrf forwarding VRFNAME", then the "global" routing table is used.
08-18-2023 07:05 AM
In short, the only place the VRF is mentioned is on g0/1...
2921#sh vrf RED
  Name      Default RD      Protocols      Interfaces
  RED       2:2             ipv4           Gi0/1
Does that mean the DMVPN symptom that this tunnel is stuck in NHRP state probably has nothing to do with the VRF configuration?
08-21-2023 07:16 AM
As of now, I expect this symptom is caused by a licensing issue. The router is receiving tunneled packets, but not decrypting them. Syslog evidence below...
Aug 18 21:17:25.468 DEST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Our enterprise is investigating our best option here. Readers can ignore this thread until further notice.
Thank you.
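Added example, not part of any post in this thread: a small Python filter that pulls CERM (crypto export restriction) events such as the one quoted above out of an IOS syslog and reports the limit that was hit. Only the first sample line comes from the thread; the other log lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the message quoted in the thread,
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
Aug 18 21:17:25.468 DEST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Aug 18 21:17:26.101 DEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
Aug 18 21:18:02.990 DEST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
"""

# Standard IOS syslog layout: %FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)"
)
# Numeric limit and unit inside the CERM message text, e.g. "limit of 85000 Kbps"
LIMIT = re.compile(r"limit of (?P<value>\d+) (?P<unit>\w+)")


def cerm_events(log_text):
    """Return one dict per CERM message found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = IOS_MSG.search(line)
        if not m or m["facility"] != "CERM":
            continue  # not an IOS message, or not from the CERM facility
        lim = LIMIT.search(m["text"])
        events.append({
            "timestamp": line[:m.start()].rstrip(" :"),
            "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"],
            "limit": int(lim["value"]) if lim else None,
            "unit": lim["unit"] if lim else None,
        })
    return events


def summarize(events):
    """Count CERM events per mnemonic so repeated hits stand out."""
    return Counter(e["mnemonic"] for e in events)


if __name__ == "__main__":
    found = cerm_events(SAMPLE_LOG)
    for mnemonic, count in summarize(found).items():
        print(f"{mnemonic}: {count} event(s), limit {found[0]['limit']} {found[0]['unit']}")
```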
08-21-2023 10:14 AM
@jmaxwellUSAF looks like you will need the HSEC license for your router.