DMVPN tunnel not establishing - NHRP incorrect address

mannatech
Level 1

I am trying to establish a DMVPN tunnel from a new router that we set up in a remote location. We already have a hub and several other remote locations that work correctly. I can ping across to another remote site, but I do not see the correct address show up when I do a "show dmvpn." The SA also does not appear when I do a "show crypto isakmp sa."

UARouter#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 63.162.52.254        172.19.1.1    UP    1d10h     S

I then do a ping to a remote machine.

UARouter#ping 192.168.2.40 source loopback 5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.40, timeout is 2 seconds:

Packet sent with a source address of 192.168.12.254

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 352/353/356 ms

UARouter#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     2 63.162.52.254        172.19.1.1    UP    1d10h     S

                                    172.19.1.2    UP 00:00:32     D

It does not seem to resolve to the actual peer NBMA address 203.98.212.254, but instead resolves back to the hub.

UARouter#show ip nh

UARouter#show ip nhrp bri

   Target             Via            NBMA           Mode   Intfc   Claimed

172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >

172.19.1.2/32        172.19.1.2      63.162.52.254   dynamic  Tu0     <   >

UARouter#show cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

63.162.52.254   109.237.82.114  QM_IDLE           1003 ACTIVE

Here is the result from a different router that works.

TaiwanRTR#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:8,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1   63.162.52.254      172.19.1.1    UP     1w4d     S

     1  203.98.212.254      172.19.1.2    UP     1w4d     D

<some entries removed>

TaiwanRTR#show ip nhrp bri

   Target             Via            NBMA           Mode   Intfc   Claimed

172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >

172.19.1.2/32        172.19.1.2      203.98.212.254  dynamic  Tu0     <   >

Here are the DMVPN configs. They are the same except for the IP address and the fact that I can't use the no ip mroute-cache command due to it being deprecated on the new router since we are using a newer IOS. I also use the interface directly instead of a loopback. The loopback on the TaiwanRTR is a public IP.

UA Router

interface Tunnel0

bandwidth 1000

ip address 172.19.1.12 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication <removed>

ip nhrp map 172.19.1.1 63.162.52.254

ip nhrp map multicast 63.162.52.254

ip nhrp network-id 1000000

ip nhrp holdtime 600

ip nhrp nhs 172.19.1.1

ip tcp adjust-mss 1360

delay 1000

qos pre-classify

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile DMVPN shared

TaiwanRTR

interface Tunnel0

bandwidth 1000

ip address 172.19.1.6 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication <removed>

ip nhrp map 172.19.1.1 63.162.52.254

ip nhrp map multicast 63.162.52.254

ip nhrp network-id 1000000

ip nhrp holdtime 600

ip nhrp nhs 172.19.1.1

ip tcp adjust-mss 1360

no ip mroute-cache

delay 1000

tunnel source Loopback2

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile DMVPN shared

end

On both devices we use the same crypto map settings. We use certificates instead of pre-shared keys.

crypto isakmp policy 1

encr 3des

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN

set transform-set myset

Does anyone have any ideas what might be going on?
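The symptom described in the post above (a dynamic NHRP entry whose NBMA address is the hub's rather than the remote spoke's) can be checked mechanically. This is an added example, not part of the original post or any Cisco tooling: a small parser for `show ip nhrp brief` output, run over the two outputs quoted in the post. The function and variable names are assumptions made for illustration.

```python
import re

# One row of "show ip nhrp brief": Target/len  Via  NBMA  Mode  Intfc
# (the trailing "Claimed" column is ignored).
ROW = re.compile(
    r"^\s*(?P<target>\d+\.\d+\.\d+\.\d+)/\d+\s+(?P<via>\S+)\s+"
    r"(?P<nbma>\d+\.\d+\.\d+\.\d+)\s+(?P<mode>static|dynamic)\s+(?P<intf>\S+)"
)

def parse_nhrp_brief(text):
    """Return one dict per NHRP cache row; prompts and headers are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def hub_resolved_peers(text):
    """Tunnel addresses of dynamic entries that map to a static (hub) NBMA.

    On a spoke, the static entry is the NHS/hub mapping. A dynamic entry
    carrying the same NBMA address means traffic to that peer is still
    being sent via the hub instead of a direct spoke-to-spoke tunnel.
    """
    rows = parse_nhrp_brief(text)
    hub_nbma = {r["nbma"] for r in rows if r["mode"] == "static"}
    return [r["target"] for r in rows
            if r["mode"] == "dynamic" and r["nbma"] in hub_nbma]

# Outputs copied from the post (UARouter = failing, TaiwanRTR = working).
UA_OUTPUT = """UARouter#show ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >
172.19.1.2/32        172.19.1.2      63.162.52.254   dynamic  Tu0     <   >
"""
TAIWAN_OUTPUT = """TaiwanRTR#show ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >
172.19.1.2/32        172.19.1.2      203.98.212.254  dynamic  Tu0     <   >
"""

if __name__ == "__main__":
    for name, out in (("UARouter", UA_OUTPUT), ("TaiwanRTR", TAIWAN_OUTPUT)):
        flagged = hub_resolved_peers(out)
        print(name, "peers resolved to hub NBMA:", flagged or "none")
```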

Accepted Solutions