
DMVPN: Tunnel in NHRP state

lap
Level 2

Hi all,

I have a question regarding NHRP state on a DMVPN spoke router:

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:10,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     7         0.0.0.0    10.128.13.13  NHRP    never    IX
     0         0.0.0.0    10.128.104.1  NHRP    never    IX
     0         0.0.0.0   10.128.104.12  NHRP    never    IX
     0         0.0.0.0   10.128.104.31  NHRP    never    IX
     0         0.0.0.0   10.128.104.40  NHRP    never    IX
     0         0.0.0.0    10.128.105.1  NHRP    never    IX
     0         0.0.0.0   10.128.254.42  NHRP    never    IX
     2    194.228..X.X   10.128.254.73    UP 00:01:16     D
                         10.128.254.73    UP 00:01:16     D
     2     80.120..X.X    10.128.254.4    UP 00:01:35     D
                          10.128.254.4    UP 00:01:35     D
     2     194.228.X.X   10.128.254.72    UP 00:01:15     D
                         10.128.254.72    UP 00:01:15     D
     2      87.229.X.X   10.128.254.45    UP 00:01:37    DN
                         10.128.254.45    UP 00:01:37    DN

The 10.128.254.0/24 subnet is the DMVPN network, and therefore all spoke/hub tunnel interfaces have an IP in this range. What I don't understand is why there are some NHRP entries (see in red) with a tunnel peer address which is not in the tunnel subnet range 10.128.254.0/24, for example 10.128.13.13 or 10.128.104.1?

Another question is why there are 2 NHRP entries per peer NBMA?

Thanks for your help.

Regards,

Laurent

8 Replies

lap
Level 2

Hi,

Does anyone have a good guess?

Regards,

Laurent

Any update on this topic?

Regards,

Laurent

Rudy Sanjoko
Level 4

Looking at the state attributes of those in red, it is saying that those tunnels are incomplete. You can use debug dmvpn, debug nhrp error and debug nhrp condition to troubleshoot where those tunnels came from and why they are not established properly. You can also refer to this link from Cisco for more information regarding DMVPN.
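An added example, not part of any post in this thread: a check over `show dmvpn` rows for the two things discussed so far, entries carrying the I (incomplete) or X (no socket) attribute and peer tunnel addresses outside the 10.128.254.0/24 tunnel subnet. The sample rows are constructed from the output in the question (198.51.100.7 is a placeholder NBMA address), and `parse_rows` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in `show dmvpn` row format, modelled on the output in the question.
SAMPLE = """\
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
    7         0.0.0.0    10.128.13.13  NHRP    never    IX
    0         0.0.0.0    10.128.104.1  NHRP    never    IX
    0         0.0.0.0   10.128.254.42  NHRP    never    IX
    2    198.51.100.7   10.128.254.73    UP 00:01:16     D
                        10.128.254.73    UP 00:01:16     D
"""

def parse_rows(text):
    """Return (nbma, tunnel_ip, state, attrb) for every peer row."""
    rows, last_nbma = [], "-"
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 6:      # full row: ent, NBMA, tunnel, state, time, attrb
            nbma, tunnel, state, attrb = tok[1], tok[2], tok[3], tok[5]
        elif len(tok) == 4:    # continuation row: NBMA inherited from the row above
            nbma, tunnel, state, attrb = last_nbma, tok[0], tok[1], tok[3]
        else:
            continue
        try:
            tunnel_ip = ipaddress.ip_address(tunnel)
        except ValueError:     # header or separator line, not a peer row
            continue
        last_nbma = nbma
        rows.append((nbma, tunnel_ip, state, attrb))
    return rows

def audit(text, tunnel_net):
    """Flag rows that are incomplete, socket-less, or outside the tunnel subnet."""
    net = ipaddress.ip_network(tunnel_net)
    findings = []
    for nbma, tunnel_ip, state, attrb in parse_rows(text):
        # Attribute letters follow the `show dmvpn` legend: I - Incomplete, X - No Socket.
        reasons = [label for flag, label in (("I", "incomplete"), ("X", "no socket"))
                   if flag in attrb]
        if tunnel_ip not in net:
            reasons.append("tunnel address outside " + tunnel_net)
        if reasons:
            findings.append((str(tunnel_ip), nbma, reasons))
    return findings

if __name__ == "__main__":
    for tunnel, nbma, reasons in audit(SAMPLE, "10.128.254.0/24"):
        print(f"{tunnel:<15} nbma={nbma:<13} {', '.join(reasons)}")
```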

Thanks for your reply.

What is strange is that these IP addresses are host addresses of other DMVPN locations. It should be the destination tunnel IP of the DMVPN location instead.

Regards,

Laurent

That is true, it should be the IP address of the destination tunnel IP address. Have you verified your NHRP configuration? Are you able to get any interesting logs from the above debug commands?

Hey,

Either it's due to misconfiguration or due to unknown behavior, the spoke is not able to create NHRP with the spokes you referred to in multiple entries.

You can try to clear ip nhrp multiple times.

The multiple entries mean that, to reach those NHRP, your spoke always has to go to the hub and down to the other spoke.

ERIK S
Level 1

I was having the same issue on my Dual Hub Single Cloud. The issue was that HUB2 was failing to register to HUB1's NHRP table after HUB 1 had its tunnel shut down and then brought up. The only solution I have found is shutting Hub 2's tunnel interface and then bringing it up. If I did not perform this task, all spokes would be able to reach both hubs, but the hubs' traffic would traverse over a site-to-site which was going over the internet instead of the DMVPN tunnel which was using VPLS.


Did you figure something else out? I am curious to find out what exactly is causing this behavior.

jordnael
Level 1

Hello, as I was stuck on the same issue, let me contribute.

At the beginning, the spoke (AS-50000) was in the same status with the HUB.
Debugging IKEv2 on the spoke side, I got the message "Initial exchange failed".
I found some misconfiguration in IPsec, due to an old IPsec config, so I deleted it and configured tunnel protection again.
Eventually, the tunnel with tunnel protection got UP.
In this case the issue was related to IKEv2.


Below, some excerpts (before and after)

 

/////////////////////////////////////////////////////////////////////////////////////
HUB-DMVPN#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2       165.0.0.2     192.168.0.2    UP 00:10:19     D
     0         UNKNOWN     192.168.0.3  NHRP    never    IX

 

AS-50000#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2   170.170.136.2     192.168.0.1   IKE 00:09:41     S
     0         UNKNOWN     192.168.0.2  NHRP    never    IX

 

.....
Aug 14 00:54:04.609: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 170.170.136.2:500/From 155.0.0.2:500/VRF i0:f0]
Initiator SPI : C8BF855AC6D96BF9 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Aug 14 00:54:04.609: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 170.170.136.2:500/To 155.0.0.2:500/VRF i0:f0]
Initiator SPI : C8BF855AC6D96BF9 - Responder SPI : AA22EA7E25B724FF Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)

Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):: Received no proposal chosen notify
Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Failed SA init exchange
Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Initial exchange failed: Initial exchange failed
AS-50000#
Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA

 

AS-50000#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   170.170.136.2     192.168.0.1    UP 00:00:43     S
     1       165.0.0.2     192.168.0.2    UP 00:00:42     D

 

HUB-DMVPN#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1       165.0.0.2     192.168.0.2    UP 00:50:04     D
     1       155.0.0.2     192.168.0.3    UP 00:00:05     D
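
An added example, not part of the post above: a scan of `debug crypto ikev2`-style output that ties each error NOTIFY in a received packet back to the peer, exchange and timestamp, which is how the NO_PROPOSAL_CHOSEN reply in the excerpt can be picked out of a long capture. The sample is the excerpt from the post with blank lines dropped; only NO_PROPOSAL_CHOSEN appears on this page, the other error names are RFC 7296 notify types assumed to be printed in the same form, and `rejected_exchanges` is a hypothetical helper name.

```python
import re

# Debug excerpt copied from the post above (blank lines dropped).
SAMPLE = """\
Aug 14 00:54:04.609: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 170.170.136.2:500/From 155.0.0.2:500/VRF i0:f0]
Initiator SPI : C8BF855AC6D96BF9 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Aug 14 00:54:04.609: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 170.170.136.2:500/To 155.0.0.2:500/VRF i0:f0]
Initiator SPI : C8BF855AC6D96BF9 - Responder SPI : AA22EA7E25B724FF Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)
Aug 14 00:54:04.675: IKEv2:(SESSION ID = 1,SA ID = 1):Failed SA init exchange
"""

PKT = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): IKEv2:\(SESSION ID = (?P<sid>\d+),SA ID = \d+\):"
                 r"(?P<dir>Sending|Received) Packet \[(?:To|From) (?P<peer>[\d.]+):\d+/")
EXCH = re.compile(r"^IKEv2 (\S+) Exchange (REQUEST|RESPONSE)")
NOTIFY = re.compile(r"NOTIFY\((\w+)\)")
# Error notify names from RFC 7296; status notifies such as NAT_DETECTION_* are skipped.
ERRORS = {"NO_PROPOSAL_CHOSEN", "INVALID_KE_PAYLOAD", "AUTHENTICATION_FAILED", "TS_UNACCEPTABLE"}

def rejected_exchanges(log):
    """Return one dict per error NOTIFY found in a packet received from a peer."""
    findings, pkt, exch = [], None, None
    for line in log.splitlines():
        m = PKT.match(line)
        if m:                              # a new packet dump starts
            pkt, exch = m.groupdict(), None
        elif "IKEv2:(" in line:            # any other debug line ends the dump
            pkt = None
        elif pkt and EXCH.match(line):     # exchange type and direction of this packet
            exch = EXCH.match(line).groups()
        elif pkt and exch and pkt["dir"] == "Received":
            for name in NOTIFY.findall(line):
                if name in ERRORS:
                    findings.append({"time": pkt["ts"], "peer": pkt["peer"],
                                     "session": int(pkt["sid"]),
                                     "exchange": " ".join(exch), "notify": name})
    return findings

if __name__ == "__main__":
    for finding in rejected_exchanges(SAMPLE):
        print(finding)
```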