cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6079
Views
10
Helpful
17
Replies

DMVPN tunnel stuck at NHRP state

HI Experts and friends,

We use DMVPN and Eigrp as routing protocols to Connect between sites. I am facing a peculiar issue.

The dmvpn Hub router shows tunnel up for the spoke IP  router but the spoke router is stuck in the NHRP state.

Hub:

WAN-RT-01#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override, B - BGP
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel20, IPv4 NHRP Details
Type:Hub, NHRP Peers:19,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----

1 195.73.222.85 10.0.0.11 UP 23:40:33 D

Spoke :

Type:Spoke, NHRP Peers:4,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 69.199.183.34 10.0.0.1 NHRP 23:55:25 S

Kindly help to troubleshoot the issue. I can ping the public IP addresses of the two sites its working fine and I worked with the provider told me there is no issue between the source and the destination.

 

 

 

1 Accepted Solution

Accepted Solutions

I success get the issue, 
I do lab try 
add ACL in
add ACL out 
no success until I figure out that the issue is Spoke change the interface IP, it can if router use DHCP or Dailer interface, 
I change the interface IP of spoke and I get same issue as you
Hub show UP
spoke show NHRP 

so your problem is Spoke is change the IP
OR 
if all hub show UP and only one show NHRP, then there new NAT device add between the Spoke and Hub make Spoke IP change.

Screenshot (226).pngScreenshot (227).png

View solution in original post

17 Replies 17

we must see the config in both Spoke and HUb

HUb:
WAN-RT-01#sh run int tunnel20
Building configuration...

Current configuration : 513 bytes
!
interface Tunnel20
description DMVPN-TO-REMOTE-SITES
bandwidth 100000
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 20 35
no ip split-horizon eigrp 20
ip nhrp authentication NHRPAuth
ip nhrp network-id 20
ip nhrp redirect timeout 2
ip tcp adjust-mss 1360
ip summary-address eigrp 20 10.1.0.0 255.255.0.0
delay 1
tunnel source TenGigabitEthernet0/0/4
tunnel mode gre multipoint
tunnel key 2021
tunnel vrf INET
tunnel protection ipsec profile DMVPN-IPSEC
end

spoke :

RT02#sh run int tunnel20
Building configuration...

Current configuration : 777 bytes
!
interface Tunnel20
description TUNNEL-TO-DMVPN
bandwidth 10000
ip address 10.0.0.11 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 20 35
ip nhrp authentication NHRPAuth
ip nhrp map 10.0.0.2 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp map 10.0.0.252 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp map 10.0.0.253 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp map 10.0.0.1 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 20
ip nhrp nhs 10.0.0.2
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.252
ip nhrp nhs 10.0.0.253
ip tcp adjust-mss 1360
delay 6
qos pre-classify
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 2021
tunnel protection ipsec profile DMVPN-IPSEC
end

 

its happening only for one destination, other destinations its able to form DMVPN tunnel . issue is with only 10.0.0.11

yes but in spoke there are multi hub, can check if all hub stuck in same NHRP phase ?

No, only one HUb is stucking in NHRP. other hub are fine.

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 x.x.x.x 10.0.0.1 NHRP 23:55:25 S
1 x.x.x.x 10.0.0.2 UP 23:55:31 S
1 x.x.x.x 10.0.0.252 UP 23:55:31 S
1 x.x.x.x 10.0.0.253 UP 23:55:31 S

let me more check 

you run IPsec, and I dont see IKE state, and you have many hub in each spoke tunnel
I think what you missing is word 
shared with ipsec profile under spoke tunnel 

Hi, this link was working previously. all of sudden this is not working now

in spoke 
show dmvpn detail <<- share it here 

show dmvpn detail <<- this give more info. about your case 

 

Screenshot (225).png

yes, i tried but still not able to find any issue

Share the output if you can 

atsynch
Level 1
Level 1

If a DMVPN tunnel is stuck at the NHRP (Next Hop Resolution Protocol) state, it means that the tunnel is not able to resolve the next hop IP address of the remote endpoint. This can occur due to several reasons, such as incorrect configuration of the NHRP network, missing routing information, or issues with the underlying physical network.

Troubleshooting steps include:

Verify the NHRP configuration on both ends of the tunnel and ensure that they match.
Check the routing table on both routers to ensure that the correct routes are being advertised.
Verify that the underlying physical network is functioning properly and that there are no connectivity issues.
Check for any firewalls or access-lists that might be blocking NHRP traffic.
If all of the above is correct, then check the debug and syslog for more information about the issue.

Hello
You usually see that state for the secondary HUB which part of a HUB/Spoke resiliency.
On the spoke  Sh ip nhrp , you may see the NBMA address for that hub is a (no socket) state


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: