Solved: DMVPN tunnel stuck at NHRP state

prakashrajasekaran2807 · ‎01-18-2023

HI Experts and friends,

We use DMVPN and Eigrp as routing protocols to Connect between sites. I am facing a peculiar issue.

The dmvpn Hub router shows tunnel up for the spoke IP router but the spoke router is stuck in the NHRP state.

Hub:

WAN-RT-01#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override, B - BGP
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel20, IPv4 NHRP Details
Type:Hub, NHRP Peers:19,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----

1 195.73.222.85 10.0.0.11 UP 23:40:33 D

Spoke :

Type:Spoke, NHRP Peers:4,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 69.199.183.34 10.0.0.1 NHRP 23:55:25 S

Kindly help to troubleshoot the issue. I can ping the public IP addresses of the two sites its working fine and I worked with the provider told me there is no issue between the source and the destination.

MHM Cisco World · ‎01-20-2023

I success get the issue,
I do lab try
add ACL in
add ACL out
no success until I figure out that the issue is Spoke change the interface IP, it can if router use DHCP or Dailer interface,
I change the interface IP of spoke and I get same issue as you
Hub show UP
spoke show NHRP

so your problem is Spoke is change the IP
OR
if all hub show UP and only one show NHRP, then there new NAT device add between the Spoke and Hub make Spoke IP change.

View solution in original post

MHM Cisco World · ‎01-18-2023

we must see the config in both Spoke and HUb

prakashrajasekaran2807 · ‎01-18-2023

HUb:
WAN-RT-01#sh run int tunnel20
Building configuration...

Current configuration : 513 bytes
!
interface Tunnel20
description DMVPN-TO-REMOTE-SITES
bandwidth 100000
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 20 35
no ip split-horizon eigrp 20
ip nhrp authentication NHRPAuth
ip nhrp network-id 20
ip nhrp redirect timeout 2
ip tcp adjust-mss 1360
ip summary-address eigrp 20 10.1.0.0 255.255.0.0
delay 1
tunnel source TenGigabitEthernet0/0/4
tunnel mode gre multipoint
tunnel key 2021
tunnel vrf INET
tunnel protection ipsec profile DMVPN-IPSEC
end

spoke :

RT02#sh run int tunnel20
Building configuration...

Current configuration : 777 bytes
!
interface Tunnel20
description TUNNEL-TO-DMVPN
bandwidth 10000
ip address 10.0.0.11 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 20 35
ip nhrp authentication NHRPAuth
ip nhrp map 10.0.0.2 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp map 10.0.0.252 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp map 10.0.0.253 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp map 10.0.0.1 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 20
ip nhrp nhs 10.0.0.2
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.252
ip nhrp nhs 10.0.0.253
ip tcp adjust-mss 1360
delay 6
qos pre-classify
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 2021
tunnel protection ipsec profile DMVPN-IPSEC
end

prakashrajasekaran2807 · ‎01-18-2023

its happening only for one destination, other destinations its able to form DMVPN tunnel . issue is with only 10.0.0.11

MHM Cisco World · ‎01-18-2023

yes but in spoke there are multi hub, can check if all hub stuck in same NHRP phase ?

prakashrajasekaran2807 · ‎01-18-2023

No, only one HUb is stucking in NHRP. other hub are fine.

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 x.x.x.x 10.0.0.1 NHRP 23:55:25 S
1 x.x.x.x 10.0.0.2 UP 23:55:31 S
1 x.x.x.x 10.0.0.252 UP 23:55:31 S
1 x.x.x.x 10.0.0.253 UP 23:55:31 S

MHM Cisco World · ‎01-18-2023

let me more check

MHM Cisco World · ‎01-18-2023

you run IPsec, and I dont see IKE state, and you have many hub in each spoke tunnel
I think what you missing is word
shared with ipsec profile under spoke tunnel

prakashrajasekaran2807 · ‎01-18-2023

Hi, this link was working previously. all of sudden this is not working now

MHM Cisco World · ‎01-18-2023

in spoke
show dmvpn detail <<- share it here

MHM Cisco World · ‎01-18-2023

show dmvpn detail <<- this give more info. about your case

prakashrajasekaran2807 · ‎01-18-2023

yes, i tried but still not able to find any issue

MHM Cisco World · ‎01-19-2023

Share the output if you can

atsynch · ‎01-18-2023

If a DMVPN tunnel is stuck at the NHRP (Next Hop Resolution Protocol) state, it means that the tunnel is not able to resolve the next hop IP address of the remote endpoint. This can occur due to several reasons, such as incorrect configuration of the NHRP network, missing routing information, or issues with the underlying physical network.

Troubleshooting steps include:

Verify the NHRP configuration on both ends of the tunnel and ensure that they match.
Check the routing table on both routers to ensure that the correct routes are being advertised.
Verify that the underlying physical network is functioning properly and that there are no connectivity issues.
Check for any firewalls or access-lists that might be blocking NHRP traffic.
If all of the above is correct, then check the debug and syslog for more information about the issue.

paul driver · ‎01-18-2023

Hello
You usually see that state for the secondary HUB which part of a HUB/Spoke resiliency.
On the spoke Sh ip nhrp , you may see the NBMA address for that hub is a (no socket) state

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul