DMVPN tunnel up also crypto session but can't ping S2S

nabil_shokery
Level 1

Dears,

     I configured a DMVPN tunnel between HUB and SPOK (refer to the following configuration), but we can't ping the tunnel IP even though the tunnel is up and the crypto session is active. Can you check and guide me to the reason? (Note: I did this lab in GNS3.)

HUB Configuration

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10 3 periodic

!

!

crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac

mode transport

crypto ipsec fragmentation after-encryption

!

crypto ipsec profile dmvpn

set security-association lifetime seconds 86400

set security-association idle-time 86400

set transform-set dmvpn

!

interface Loopback0

ip address 9.9.9.9 255.255.255.255

!

interface Tunnel1

ip address 4.4.4.1 255.255.255.252

no ip redirects

ip mtu 1400

ip nhrp authentication 1

ip nhrp map multicast dynamic

ip nhrp network-id 1

ip nhrp holdtime 600

ip tcp adjust-mss 1300

tunnel source Loopback0

tunnel mode gre multipoint

tunnel key 1

tunnel protection ipsec profile dmvpn

!

interface Serial1/0

ip address 1.1.1.1 255.255.255.252

serial restart-delay 0

!

SPOK Configuration

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 9.9.9.9

crypto isakmp keepalive 10 3 periodic

!

!

crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac

mode transport

crypto ipsec fragmentation after-encryption

!

crypto ipsec profile dmvpn

set transform-set dmvpn

!

interface Loopback0

ip address 8.8.8.8 255.255.255.255

!

interface Tunnel1

ip address 4.4.4.2 255.255.255.252

ip mtu 1400

ip nhrp authentication 1

ip nhrp map multicast 9.9.9.9

ip nhrp map 4.4.4.1 9.9.9.9

ip nhrp network-id 1

ip nhrp holdtime 600

ip nhrp nhs 4.4.4.1

ip nhrp registration no-unique

ip tcp adjust-mss 1300

tunnel source Serial1/0

tunnel destination 9.9.9.9

tunnel key 1

tunnel protection ipsec profile dmvpn

!

interface Serial1/0

ip address 1.1.1.2 255.255.255.252

serial restart-delay 0

!

ip route 9.9.9.9 255.255.255.255 1.1.1.1

The show commands for this issue are as follows:

HUB / SPOK

HUB#show crypto session

Crypto session current status

Interface: Tunnel1

Session status: UP-ACTIVE

Peer: 1.1.1.2 port 500

  IKE SA: local 9.9.9.9/500 remote 1.1.1.2/500 Active

  IPSEC FLOW: permit 47 host 9.9.9.9 host 1.1.1.2

        Active SAs: 2, origin: crypto map

SPOK1#show crypto session

Crypto session current status

Interface: Tunnel1

Session status: UP-ACTIVE

Peer: 9.9.9.9 port 500

  IKE SA: local 1.1.1.2/500 remote 9.9.9.9/500 Active

  IKE SA: local 1.1.1.2/500 remote 9.9.9.9/500 Inactive

  IPSEC FLOW: permit 47 host 1.1.1.2 host 9.9.9.9

        Active SAs: 2, origin: crypto map

HUB#show ip nhrp

SPOK1#sh ip nhrp

4.4.4.1/32 via 4.4.4.1, Tunnel1 created 03:46:17, never expire

  Type: static, Flags: authoritative

  NBMA address: 9.9.9.9

HUB#sh ip int brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        unassigned      YES unset  administratively down down

Serial1/0              1.1.1.1         YES manual up                    up

Serial1/1              2.2.2.1         YES manual up                    down

Serial1/2              unassigned      YES unset  administratively down down

Serial1/3              unassigned      YES unset  administratively down down

Serial1/4              unassigned      YES unset  administratively down down

Serial1/5              unassigned      YES unset  administratively down down

Serial1/6              unassigned      YES unset  administratively down down

Serial1/7              unassigned      YES unset  administratively down down

Loopback0              9.9.9.9         YES manual up                    up

Tunnel1                4.4.4.1         YES manual up                    up

HUB#ping 4.4.4.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.4.4.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

HUB#ping 4.4.4.2 so

HUB#ping 4.4.4.2 source 4.4.4.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.4.4.2, timeout is 2 seconds:

Packet sent with a source address of 4.4.4.1

.....

Success rate is 0 percent (0/5)

SPOK1#sh ip int brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        unassigned      YES unset  administratively down down

Serial1/0              1.1.1.2         YES manual up                    up

Serial1/1              unassigned      YES unset  administratively down down

Serial1/2              unassigned      YES unset  administratively down down

Serial1/3              unassigned      YES unset  administratively down down

Serial1/4              unassigned      YES unset  administratively down down

Serial1/5              unassigned      YES unset  administratively down down

Serial1/6              unassigned      YES unset  administratively down down

Serial1/7              unassigned      YES unset  administratively down down

Loopback0              8.8.8.8         YES manual up                    up

Tunnel1                4.4.4.2         YES manual up                    up

SPOK1#ping 4.4.4.1 source 4.4.4.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.4.4.1, timeout is 2 seconds:

Packet sent with a source address of 4.4.4.2

.....

Success rate is 0 percent (0/5)

SPOK1#ping 9.9.9.9

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/72 ms


johnlloyd_13
Level 9

Hi,

Could you post 'show run' from both Hub and Spoke routers and 'debug tunnel' and 'debug nhrp' and do ping tests again.

Make sure you're using a 7200 or 3725 in GNS3. Also, sometimes doing the setup/config again or a PC reboot helps.



Sent from Cisco Technical Support iPhone App

nabil_shokery
Level 1

Note: I use 7200

HUB configuration:

===============

R1#show running-config

Building configuration...

Current configuration : 1961 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

ip source-route

!

!

!

!

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10 3 periodic

!

!

crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac

mode transport

crypto ipsec fragmentation after-encryption

!

crypto ipsec profile dmvpn

set security-association lifetime seconds 86400

set security-association idle-time 86400

set transform-set dmvpn

!

!

!

!

!

!

interface Loopback0

ip address 9.9.9.9 255.255.255.255

!

interface Tunnel1

ip address 4.4.4.1 255.255.255.252

no ip redirects

ip mtu 1400

ip nhrp authentication 1

ip nhrp map multicast dynamic

ip nhrp network-id 1

ip nhrp holdtime 600

ip tcp adjust-mss 1300

tunnel source Loopback0

tunnel mode gre multipoint

tunnel key 1

tunnel protection ipsec profile dmvpn

!

interface FastEthernet0/0

no ip address

shutdown

duplex half

!

interface Serial1/0

ip address 1.1.1.1 255.255.255.252

serial restart-delay 0

!

interface Serial1/1

ip address 2.2.2.1 255.255.255.252

serial restart-delay 0

!

interface Serial1/2

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/3

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/4

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/5

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/6

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/7

no ip address

shutdown

serial restart-delay 0

!

!

!

no ip http server

no ip http secure-server

ip route 7.7.7.7 255.255.255.255 2.2.2.2

ip route 8.8.8.8 255.255.255.255 1.1.1.2

!

!

!

!

control-plane

!

!

line con 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

login

!

end

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

SPOK configuration:

================

R2#show running-config

Building configuration...

*Jan  3 19:24:40.379: NHRP: Setting cache expiry for 9.9.9.9 to 5000

Current configuration : 1908 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

ip source-route

!

!

!

!

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 9.9.9.9

crypto isakmp keepalive 10 3 periodic

!

!

crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac

mode transport

crypto ipsec fragmentation after-encryption

!

crypto ipsec profile dmvpn

set transform-set dmvpn

!

!

!

!

!

!

interface Loopback0

ip address 8.8.8.8 255.255.255.255

!

interface Tunnel1

ip address 4.4.4.2 255.255.255.252

ip mtu 1400

ip nhrp authentication 1

ip nhrp map multicast 9.9.9.9

ip nhrp map 4.4.4.1 9.9.9.9

ip nhrp network-id 1

ip nhrp holdtime 600

ip nhrp nhs 4.4.4.1

ip nhrp registration no-unique

ip tcp adjust-mss 1300

tunnel source Serial1/0

tunnel destination 9.9.9.9

tunnel key 1

tunnel protection ipsec profile dmvpn

!

interface FastEthernet0/0

no ip address

shutdown

duplex half

!

interface Serial1/0

ip address 1.1.1.2 255.255.255.252

serial restart-delay 0

!

interface Serial1/1

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/2

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/3

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/4

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/5

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/6

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/7

no ip address

shutdown

serial restart-delay 0

!

!

!

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 Tunnel1

ip route 9.9.9.9 255.255.255.255 1.1.1.1

!

!

!

!

control-plane

!

!

line con 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

login

!

end

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HUB:

====

*Jan  3 19:16:24.155: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:17:17.419: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:18:10.091: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:18:17.327: NHRP: Setting cache expiry for 1.1.1.2 to 1

*Jan  3 19:19:01.019: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:19:58.759: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:20:33.851: NHRP: Setting cache expiry for 1.1.1.2 to 1

*Jan  3 19:21:02.919: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:22:02.967: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:23:02.635: NHRP: Setting cache expiry for 1.1.1.2 to 1

*Jan  3 19:23:06.815: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:24:06.235: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:24:40.203: NHRP: Setting cache expiry for 1.1.1.2 to 1

*Jan  3 19:25:09.619: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:26:02.627: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:26:44.139: NHRP: Setting cache expiry for 1.1.1.2 to 1

*Jan  3 19:26:58.987: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

*Jan  3 19:27:49.395: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

SPOK:

======

*Jan  3 19:25:08.835: NHRP: Setting retrans delay to 64 for nhs  dst 4.4.4.1

*Jan  3 19:25:08.843: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:25:08.843: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:25:08.847:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:25:08.851: NHRP: 105 bytes out Tunnel1

*Jan  3 19:25:08.855: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:25:09.511: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:25:09.515: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:25:09.519:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:25:09.523: NHRP: 105 bytes out Tunnel1

*Jan  3 19:25:09.527: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:25:09.531: Tunnel1 count tx, adding 0 encap bytes

*Jan  3 19:25:09.535: NHRP: Resetting retransmit due to hold-timer for 4.4.4.1

*Jan  3 19:26:02.579: NHRP: Setting retrans delay to 64 for nhs  dst 4.4.4.1

*Jan  3 19:26:02.583: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:26:02.587: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:26:02.591:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:26:02.595: NHRP: 105 bytes out Tunnel1

*Jan  3 19:26:02.599: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:26:02.603: Tunnel1 count tx, adding 0 encap bytes

*Jan  3 19:26:44.207: NHRP: Setting cache expiry for 9.9.9.9 to 5000

*Jan  3 19:26:58.211: NHRP: Setting retrans delay to 64 for nhs  dst 4.4.4.1

*Jan  3 19:26:58.219: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:26:58.223: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:26:58.227:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:26:58.231: NHRP: 105 bytes out Tunnel1

*Jan  3 19:26:58.231: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:26:58.915: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:26:58.919: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:26:58.923:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:26:58.927: NHRP: 105 bytes out Tunnel1

*Jan  3 19:26:58.931: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:26:58.935: Tunnel1 count tx, adding 0 encap bytes

*Jan  3 19:26:58.939: NHRP: Resetting retransmit due to hold-timer for 4.4.4.1

*Jan  3 19:27:49.371: NHRP: Setting retrans delay to 64 for nhs  dst 4.4.4.1

*Jan  3 19:27:49.375: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:27:49.379: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:27:49.383:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:27:49.387: NHRP: 105 bytes out Tunnel1

*Jan  3 19:27:49.391: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:27:49.395: Tunnel1 count tx, adding 0 encap bytes

*Jan  3 19:28:53.107: NHRP: Setting retrans delay to 64 for nhs  dst 4.4.4.1

*Jan  3 19:28:53.111: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:28:53.115: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:28:53.119:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:28:53.123: NHRP: 105 bytes out Tunnel1

*Jan  3 19:28:53.127: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:28:53.131: Tunnel1 count tx, adding 0 encap bytes

*Jan  3 19:28:55.031: NHRP: Setting cache expiry for 9.9.9.9 to 5000

*Jan  3 19:29:50.219: NHRP: Setting retrans delay to 64 for nhs  dst 4.4.4.1

*Jan  3 19:29:50.223: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:29:50.227: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:29:50.231:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:29:50.235: NHRP: 105 bytes out Tunnel1

*Jan  3 19:29:50.239: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:29:50.947: NHRP: Attempting to send packet via DEST 4.4.4.1

*Jan  3 19:29:50.951: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77

*Jan  3 19:29:50.955:       src: 4.4.4.2, dst: 4.4.4.1

*Jan  3 19:29:50.959: NHRP: 105 bytes out Tunnel1

*Jan  3 19:29:50.963: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)

*Jan  3 19:29:50.967: Tunnel1 count tx, adding 0 encap bytes

*Jan  3 19:29:50.971: NHRP: Resetting retransmit due to hold-timer for 4.4.4.1
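
Added example, not part of the original posts: a short Python check over a subset of the debug lines posted above. It correlates the spoke's GRE transmits with the hub's GRE receives and counts NHRP registration requests against replies. The "Receive Registration Reply" wording and the comparability of the two router clocks are assumptions.

```python
import re
from datetime import datetime

# Subset of the debug lines posted above, one list per router.
SPOKE = """\
*Jan  3 19:25:08.843: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan  3 19:25:08.855: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan  3 19:25:09.515: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan  3 19:25:09.527: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan  3 19:26:02.587: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan  3 19:26:02.599: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
""".splitlines()
HUB = """\
*Jan  3 19:25:09.619: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan  3 19:26:02.627: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan  3 19:26:44.139: NHRP: Setting cache expiry for 1.1.1.2 to 1
""".splitlines()

LINE = re.compile(r"^\*(\w{3}\s+\d+ [\d:.]+): (.*)$")
GRE = re.compile(r"GRE/IP (encapsulated|to classify) (\S+)->(\S+) .*len=(\d+)")

def parse(lines):
    """Yield (datetime, message); IOS omits the year, so 2000 is a placeholder."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            stamp = "2000 " + " ".join(m.group(1).split())
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"), m.group(2)

def gre_events(lines, kind):
    """Return (time, src, dst, len) for 'encapsulated' (tx) or 'to classify' (rx)."""
    hits = ((ts, GRE.search(msg)) for ts, msg in parse(lines))
    return [(ts, m.group(2), m.group(3), int(m.group(4)))
            for ts, m in hits if m and m.group(1) == kind]

def correlate(spoke, hub, window=0.5):
    """Count spoke GRE transmits the hub logged within `window` s (clocks assumed in sync)."""
    seen = gre_events(hub, "to classify")
    sent = gre_events(spoke, "encapsulated")
    matched = 0
    for ts, *flow in sent:
        hit = next((h for h in seen if list(h[1:]) == flow
                    and 0 <= (h[0] - ts).total_seconds() <= window), None)
        if hit:
            seen.remove(hit)
            matched += 1
    return len(sent), matched

def registrations(spoke):
    """Return (requests sent, replies received); reply wording is an assumed IOS format."""
    msgs = [msg for _, msg in parse(spoke)]
    return (sum("Send Registration Request" in m for m in msgs),
            sum("Receive Registration Reply" in m for m in msgs))
```

On the sampled lines, `correlate(SPOKE, HUB)` shows the spoke's GRE packets arriving at the hub, while `registrations(SPOKE)` shows requests with no reply logged, which matches the empty `show ip nhrp` on the hub.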

johnlloyd_13
Level 9

Hi,

Could you amend?

Grocery


HUB:

interface Tunnel1
tunnel source Serial1/0

no ip route 7.7.7.7 255.255.255.255 2.2.2.2
no ip route 8.8.8.8 255.255.255.255 1.1.1.2
ip route 0.0.0.0 0.0.0.0 1.1.1.2


SPOKE:


no crypto isakmp key cisco address 9.9.9.9
crypto isakmp key cisco address 1.1.1.2
no ip route 0.0.0.0 0.0.0.0 Tunnel1
no ip route 9.9.9.9 255.255.255.255 1.1.1.1
ip route 0.0.0.0 0.0.0.0 1.1.1.1


Sent from Cisco Technical Support iPhone App