DMVPN tunnel phase 1 failure multiple spoke

So I have an existing, in-production DMVPN provided via VPLS from ISP 1 with 8 spokes. I have a new VPLS circuit from ISP 2 that I am trying to build tunnels for, to migrate over to in the coming weeks. I am using the same transform set from the existing tunnels. On ISP2 I can only ever get one hub to connect to the tunnel; all other hubs continue to fail on phase one.

 

@ HUB

crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 10
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 1800
 set transform-set DMVPN
 set pfs group2

interface Tunnel1
 bandwidth 1000
 ip address 10.254.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 300
 ip flow ingress
 ip flow egress
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 300
 delay 1000
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 677067637
 tunnel protection ipsec profile DMVPN
 !
!
interface Tunnel2
 ip address 10.253.253.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 300
 ip flow ingress
 ip flow egress
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 no ip split-horizon eigrp 300
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 568749358
 tunnel protection ipsec profile DMVPN

 

interface GigabitEthernet0/0
 description Inside
 ip address 10.100.0.39 255.255.252.0
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1
 description VPLS ISP 2
 ip address 10.100.25.2 255.255.255.252
 duplex auto
 speed auto

!
interface GigabitEthernet0/2
 description VPLS ISP1
 ip address 10.100.20.2 255.255.255.252
 duplex auto
 speed auto

 

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.100.20.2     10.100.20.26    QM_IDLE           9004 ACTIVE
10.100.20.2     10.100.20.6     QM_IDLE           9006 ACTIVE
10.100.25.2     10.100.25.22    MM_SA_SETUP          0 ACTIVE
10.100.25.2     10.100.25.22    MM_NO_STATE          0 ACTIVE (deleted)
10.100.20.2     10.100.20.34    QM_IDLE           9002 ACTIVE
10.100.20.2     10.100.20.22    QM_IDLE           9009 ACTIVE
10.100.20.2     10.100.20.10    QM_IDLE           9001 ACTIVE
10.100.25.2     10.100.25.26    QM_IDLE           9005 ACTIVE
10.100.20.2     10.100.20.38    QM_IDLE           9008 ACTIVE
10.100.20.2     10.100.20.18    QM_IDLE           9007 ACTIVE
10.100.20.2     10.100.20.14    QM_IDLE           9003 ACTIVE
10.100.25.2     10.100.25.6     MM_SA_SETUP          0 ACTIVE
10.100.25.2     10.100.25.6     MM_NO_STATE          0 ACTIVE (deleted)

@ Spoke

 

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set DMVPN esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 1800
 set transform-set DMVPN
 set pfs group2
!
!
!
!
!
!
interface Tunnel2
 ip address 10.254.254.2 255.255.255.0
 no ip redirects
 ip hold-time eigrp 300 120
 ip nhrp map multicast 10.100.20.2
 ip nhrp map 10.254.254.1 10.100.20.2
 ip nhrp network-id 1
 ip nhrp nhs 10.254.254.1
 ip nhrp server-only
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 677067637
 tunnel protection ipsec profile DMVPN
 !
!
interface Tunnel3
 ip address 10.253.253.2 255.255.255.0
 no ip redirects
 ip hold-time eigrp 300 120
 ip nhrp map 10.253.253.1 10.100.25.2
 ip nhrp map multicast 10.100.25.2
 ip nhrp network-id 2
 ip nhrp nhs 10.253.253.1
 ip nhrp server-only
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 568749358
 tunnel protection ipsec profile DMVPN
 !
!
interface GigabitEthernet0/1
 description VPLS ISP 2
 ip address 10.100.25.6 255.255.255.252
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 description VPLS ISP1
 ip address 10.100.20.6 255.255.255.252
 duplex auto
 speed auto

 

I have reloaded my hub, and every time I connect to a different spoke on the second tunnel, but I can't ever get more than one to connect.

5 Replies

O Bitar
Level 1
Hi, looking quickly through your config, I do not see a full isakmp policy. I believe you still need to add that.
I would also advise creating a 2nd IPsec profile on the tunnel interfaces, or sourcing the IPsec profiles from the same interface (loopback if possible) and using the shared keyword against the tunnel interface.

Regards
Omar

I removed the tunnel protection to see if I could at least get the GRE tunnel built, and I still am only ever able to get one tunnel up at a time. It is odd.

Just to clarify, when you say 1 tunnel up, do you mean 1 spoke in a tunnel? Can you post the output of show dmvpn, removing any private details?

You have some EIGRP errors on the VPLS ISP2 interfaces:

Sep 17 03:07:21.028: EIGRP-IPv4(300): Neighbor 10.100.25.6 not on common subnet for GigabitEthernet0/1
Sep 17 03:06:57.503: EIGRP-IPv4(300): Neighbor 10.100.25.2 not on common subnet for GigabitEthernet0/1

Is the underlying routing working correctly? Can you confirm routing is in place and working between all routers?

I was able to get the tunnels up and working. As the ISP was handing it off on layer 2, subnetting all of my interfaces on a /30 was giving me a lot of broadcast traffic on EIGRP packets. I re-schemed my outbound interfaces on a single /24 and everything is up and up.
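Added example, not code from the thread: a small Python check that reads the hub's "show crypto isakmp sa" table posted in the question (embedded here as a constructed string, ISP1 rows trimmed) together with the hub's GigabitEthernet0/1 addressing, lists the ISP2 spokes whose Phase 1 never reached QM_IDLE, and shows that with a /30 on each router every ISP2 spoke sits in a different subnet from the hub on the shared VPLS segment, which is what the accepted solution fixes by moving the underlay to one /24. The hub address, peer addresses and masks are the ones from the post.

```python
import ipaddress
import re

# Constructed from the hub's "show crypto isakmp sa" table quoted above (ISP1 rows trimmed).
ISAKMP_SA = """\
dst             src             state          conn-id status
10.100.20.2     10.100.20.26    QM_IDLE           9004 ACTIVE
10.100.25.2     10.100.25.22    MM_SA_SETUP          0 ACTIVE
10.100.25.2     10.100.25.22    MM_NO_STATE          0 ACTIVE (deleted)
10.100.25.2     10.100.25.26    QM_IDLE           9005 ACTIVE
10.100.25.2     10.100.25.6     MM_SA_SETUP          0 ACTIVE
10.100.25.2     10.100.25.6     MM_NO_STATE          0 ACTIVE (deleted)
"""

HUB_ISP2_BEFORE = "10.100.25.2/30"   # hub GigabitEthernet0/1 as configured in the post
HUB_ISP2_AFTER = "10.100.25.2/24"    # the rescheme described in the accepted solution
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse_isakmp_sa(text, local_ip):
    """Map each peer that negotiated with local_ip (dst column) to the SA states seen."""
    peers = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m and m.group(1) == local_ip:
            peers.setdefault(m.group(2), set()).add(m.group(3))
    return peers

def stuck_peers(peers):
    """Peers whose Phase 1 never completed: only MM_* states, never QM_IDLE."""
    return sorted((p for p, s in peers.items() if "QM_IDLE" not in s),
                  key=ipaddress.ip_address)

def off_subnet(local_cidr, peer_ips):
    """Peers outside the local interface's subnet: on a Layer 2 (VPLS) hand-off
    every router must share one subnet; a /30 per router puts each in a different
    one, which is what the EIGRP "not on common subnet" messages report."""
    net = ipaddress.ip_interface(local_cidr).network
    return sorted((ip for ip in peer_ips if ipaddress.ip_address(ip) not in net),
                  key=ipaddress.ip_address)

if __name__ == "__main__":
    peers = parse_isakmp_sa(ISAKMP_SA, "10.100.25.2")
    print("Phase 1 stuck:", stuck_peers(peers))
    print("Off-subnet with /30:", off_subnet(HUB_ISP2_BEFORE, peers))
    print("Off-subnet with /24:", off_subnet(HUB_ISP2_AFTER, peers))
```

Note that 10.100.25.26 is also off the hub's /30 yet reached QM_IDLE, matching the symptom that exactly one spoke at a time came up.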