07-07-2013 05:24 PM - edited 02-21-2020 07:00 PM
I am trying to establish a DMVPN tunnel from a new router that we set up in a remote location. We already have a hub and several other remote locations that work correctly. I can ping across to another remote site, but I do not see the correct address show up when I do a "show dmvpn". The SA also does not appear when I do a "show crypto isakmp sa".
UARouter#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 63.162.52.254 172.19.1.1 UP 1d10h S
I then do a ping to a remote machine.
UARouter#ping 192.168.2.40 source loopback 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.40, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 352/353/356 ms
UARouter#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 63.162.52.254 172.19.1.1 UP 1d10h S
172.19.1.2 UP 00:00:32 D
It does not seem to resolve to the actual peer NBMA address 203.98.212.254, but instead resolves back to the hub.
UARouter#show ip nh
UARouter#show ip nhrp bri
Target Via NBMA Mode Intfc Claimed
172.19.1.1/32 172.19.1.1 63.162.52.254 static Tu0 < >
172.19.1.2/32 172.19.1.2 63.162.52.254 dynamic Tu0 < >
UARouter#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
63.162.52.254 109.237.82.114 QM_IDLE 1003 ACTIVE
Here is the result from a different router that works.
TaiwanRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:8,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 63.162.52.254 172.19.1.1 UP 1w4d S
1 203.98.212.254 172.19.1.2 UP 1w4d D
<some entries removed>
TaiwanRTR#show ip nhrp bri
Target Via NBMA Mode Intfc Claimed
172.19.1.1/32 172.19.1.1 63.162.52.254 static Tu0 < >
172.19.1.2/32 172.19.1.2 203.98.212.254 dynamic Tu0 < >
Here are the DMVPN configs. They are the same except for the IP address and the fact that I can't use the no ip mroute-cache command, because it is deprecated on the new router, which runs a newer IOS. I also use the interface directly instead of a loopback. The loopback on the TaiwanRTR is a public IP.
UA Router
interface Tunnel0
bandwidth 1000
ip address 172.19.1.12 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication <removed>
ip nhrp map 172.19.1.1 63.162.52.254
ip nhrp map multicast 63.162.52.254
ip nhrp network-id 1000000
ip nhrp holdtime 600
ip nhrp nhs 172.19.1.1
ip tcp adjust-mss 1360
delay 1000
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DMVPN shared
TaiwanRTR
interface Tunnel0
bandwidth 1000
ip address 172.19.1.6 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication <removed>
ip nhrp map 172.19.1.1 63.162.52.254
ip nhrp map multicast 63.162.52.254
ip nhrp network-id 1000000
ip nhrp holdtime 600
ip nhrp nhs 172.19.1.1
ip tcp adjust-mss 1360
no ip mroute-cache
delay 1000
tunnel source Loopback2
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DMVPN shared
end
On both devices we use the same crypto map settings. We use certificates instead of pre-shared keys.
crypto isakmp policy 1
encr 3des
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set myset
Does anyone have any ideas what might be going on?
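The comparison made by eye in the post above can be scripted. This is an added example, not part of the original post and not Cisco code: it parses "show ip nhrp brief" output and lists dynamic entries whose NBMA address equals that of a static (NHS) entry, meaning the peer is still mapped to the hub's address rather than its own. The function names are hypothetical, and the sample text is constructed from the output quoted in the post.

```python
import re

# Constructed samples: the "show ip nhrp brief" rows quoted in the post.
UA_SAMPLE = """\
UARouter#show ip nhrp bri
Target Via NBMA Mode Intfc Claimed
172.19.1.1/32 172.19.1.1 63.162.52.254 static Tu0 < >
172.19.1.2/32 172.19.1.2 63.162.52.254 dynamic Tu0 < >
"""
TAIWAN_SAMPLE = """\
TaiwanRTR#show ip nhrp bri
Target Via NBMA Mode Intfc Claimed
172.19.1.1/32 172.19.1.1 63.162.52.254 static Tu0 < >
172.19.1.2/32 172.19.1.2 203.98.212.254 dynamic Tu0 < >
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row: target prefix, next hop, NBMA address, mode, interface.
ROW = re.compile(
    rf"^\s*(?P<target>{IPV4}/\d+)\s+(?P<via>{IPV4})\s+"
    rf"(?P<nbma>{IPV4})\s+(?P<mode>static|dynamic)\s+(?P<intf>\S+)",
    re.MULTILINE,
)

def parse_nhrp_brief(text):
    """Return one dict per NHRP cache row; prompt and header lines are skipped."""
    return [m.groupdict() for m in ROW.finditer(text)]

def hub_mapped_entries(text):
    """Dynamic entries whose NBMA address is the same as a static entry's."""
    rows = parse_nhrp_brief(text)
    static_nbma = {r["nbma"] for r in rows if r["mode"] == "static"}
    return [r for r in rows
            if r["mode"] == "dynamic" and r["nbma"] in static_nbma]

if __name__ == "__main__":
    for name, sample in (("UARouter", UA_SAMPLE), ("TaiwanRTR", TAIWAN_SAMPLE)):
        flagged = hub_mapped_entries(sample)
        if not flagged:
            print(f"{name}: every dynamic entry has its own NBMA address")
        for r in flagged:
            print(f"{name}: {r['target']} on {r['intf']} is mapped to "
                  f"hub NBMA {r['nbma']}")
```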