01-03-2014 07:08 AM - edited 02-21-2020 07:25 PM
Dears,
I configured a DMVPN tunnel between the HUB and SPOK (refer to the following configuration), but we can't ping the tunnel IP while the tunnel is up and the crypto session is active. Can you check and guide me to find the reason? (Note: I am doing this lab in GNS3.)
HUB Configuration:
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
!
!
crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile dmvpn
set security-association lifetime seconds 86400
set security-association idle-time 86400
set transform-set dmvpn
!
interface Loopback0
ip address 9.9.9.9 255.255.255.255
!
interface Tunnel1
ip address 4.4.4.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip tcp adjust-mss 1300
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile dmvpn
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.252
serial restart-delay 0
!

SPOK Configuration:
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 9.9.9.9
crypto isakmp keepalive 10 3 periodic
!
!
crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile dmvpn
set transform-set dmvpn
!
interface Loopback0
ip address 8.8.8.8 255.255.255.255
!
interface Tunnel1
ip address 4.4.4.2 255.255.255.252
ip mtu 1400
ip nhrp authentication 1
ip nhrp map multicast 9.9.9.9
ip nhrp map 4.4.4.1 9.9.9.9
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 4.4.4.1
ip nhrp registration no-unique
ip tcp adjust-mss 1300
tunnel source Serial1/0
tunnel destination 9.9.9.9
tunnel key 1
tunnel protection ipsec profile dmvpn
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.252
serial restart-delay 0
!
ip route 9.9.9.9 255.255.255.255 1.1.1.1
Show commands for this issue are as follows:
HUB:
HUB#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
IKE SA: local 9.9.9.9/500 remote 1.1.1.2/500 Active
IPSEC FLOW: permit 47 host 9.9.9.9 host 1.1.1.2
Active SAs: 2, origin: crypto map

HUB#show ip nhrp

HUB#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  1.1.1.1         YES manual up                    up
Serial1/1                  2.2.2.1         YES manual up                    down
Serial1/2                  unassigned      YES unset  administratively down down
Serial1/3                  unassigned      YES unset  administratively down down
Serial1/4                  unassigned      YES unset  administratively down down
Serial1/5                  unassigned      YES unset  administratively down down
Serial1/6                  unassigned      YES unset  administratively down down
Serial1/7                  unassigned      YES unset  administratively down down
Loopback0                  9.9.9.9         YES manual up                    up
Tunnel1                    4.4.4.1         YES manual up                    up

HUB#ping 4.4.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HUB#ping 4.4.4.2 so
HUB#ping 4.4.4.2 source 4.4.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.2, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.1
.....
Success rate is 0 percent (0/5)

SPOK:
SPOK1#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 9.9.9.9 port 500
IKE SA: local 1.1.1.2/500 remote 9.9.9.9/500 Active
IKE SA: local 1.1.1.2/500 remote 9.9.9.9/500 Inactive
IPSEC FLOW: permit 47 host 1.1.1.2 host 9.9.9.9
Active SAs: 2, origin: crypto map

SPOK1#sh ip nhrp
4.4.4.1/32 via 4.4.4.1, Tunnel1 created 03:46:17, never expire
Type: static, Flags: authoritative
NBMA address: 9.9.9.9

SPOK1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  1.1.1.2         YES manual up                    up
Serial1/1                  unassigned      YES unset  administratively down down
Serial1/2                  unassigned      YES unset  administratively down down
Serial1/3                  unassigned      YES unset  administratively down down
Serial1/4                  unassigned      YES unset  administratively down down
Serial1/5                  unassigned      YES unset  administratively down down
Serial1/6                  unassigned      YES unset  administratively down down
Serial1/7                  unassigned      YES unset  administratively down down
Loopback0                  8.8.8.8         YES manual up                    up
Tunnel1                    4.4.4.2         YES manual up                    up

SPOK1#ping 4.4.4.1 source 4.4.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.2
.....
Success rate is 0 percent (0/5)
SPOK1#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/72 ms
01-03-2014 07:56 AM
Hi,
Could you post 'show run' from both Hub and Spoke routers and 'debug tunnel' and 'debug nhrp' and do ping tests again.
Make sure you're using a 7200 or 3725 in GNS3. Also, sometimes doing the setup/config again or a PC reboot helps.
Sent from Cisco Technical Support iPhone App
01-03-2014 09:33 AM
Note: I use 7200
HUB configuration:
===============
R1#show running-config
Building configuration...
Current configuration : 1961 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
!
!
crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile dmvpn
set security-association lifetime seconds 86400
set security-association idle-time 86400
set transform-set dmvpn
!
!
!
!
!
!
interface Loopback0
ip address 9.9.9.9 255.255.255.255
!
interface Tunnel1
ip address 4.4.4.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip tcp adjust-mss 1300
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/1
ip address 2.2.2.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
!
!
no ip http server
no ip http secure-server
ip route 7.7.7.7 255.255.255.255 2.2.2.2
ip route 8.8.8.8 255.255.255.255 1.1.1.2
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SPOK configuration:
================
R2#show running-config
Building configuration...
*Jan 3 19:24:40.379: NHRP: Setting cache expiry for 9.9.9.9 to 5000
Current configuration : 1908 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 9.9.9.9
crypto isakmp keepalive 10 3 periodic
!
!
crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile dmvpn
set transform-set dmvpn
!
!
!
!
!
!
interface Loopback0
ip address 8.8.8.8 255.255.255.255
!
interface Tunnel1
ip address 4.4.4.2 255.255.255.252
ip mtu 1400
ip nhrp authentication 1
ip nhrp map multicast 9.9.9.9
ip nhrp map 4.4.4.1 9.9.9.9
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 4.4.4.1
ip nhrp registration no-unique
ip tcp adjust-mss 1300
tunnel source Serial1/0
tunnel destination 9.9.9.9
tunnel key 1
tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.252
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 9.9.9.9 255.255.255.255 1.1.1.1
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HUB:
====
*Jan 3 19:16:24.155: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:17:17.419: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:18:10.091: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:18:17.327: NHRP: Setting cache expiry for 1.1.1.2 to 1
*Jan 3 19:19:01.019: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:19:58.759: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:20:33.851: NHRP: Setting cache expiry for 1.1.1.2 to 1
*Jan 3 19:21:02.919: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:22:02.967: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:23:02.635: NHRP: Setting cache expiry for 1.1.1.2 to 1
*Jan 3 19:23:06.815: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:24:06.235: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:24:40.203: NHRP: Setting cache expiry for 1.1.1.2 to 1
*Jan 3 19:25:09.619: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:26:02.627: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:26:44.139: NHRP: Setting cache expiry for 1.1.1.2 to 1
*Jan 3 19:26:58.987: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
*Jan 3 19:27:49.395: Tunnel1: GRE/IP to classify 1.1.1.2->9.9.9.9 (tbl=0,"Default" len=105 ttl=253 tos=0xC0)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SPOK:
======
*Jan 3 19:25:08.835: NHRP: Setting retrans delay to 64 for nhs dst 4.4.4.1
*Jan 3 19:25:08.843: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:25:08.843: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:25:08.847: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:25:08.851: NHRP: 105 bytes out Tunnel1
*Jan 3 19:25:08.855: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:25:09.511: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:25:09.515: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:25:09.519: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:25:09.523: NHRP: 105 bytes out Tunnel1
*Jan 3 19:25:09.527: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:25:09.531: Tunnel1 count tx, adding 0 encap bytes
*Jan 3 19:25:09.535: NHRP: Resetting retransmit due to hold-timer for 4.4.4.1
*Jan 3 19:26:02.579: NHRP: Setting retrans delay to 64 for nhs dst 4.4.4.1
*Jan 3 19:26:02.583: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:26:02.587: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:26:02.591: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:26:02.595: NHRP: 105 bytes out Tunnel1
*Jan 3 19:26:02.599: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:26:02.603: Tunnel1 count tx, adding 0 encap bytes
*Jan 3 19:26:44.207: NHRP: Setting cache expiry for 9.9.9.9 to 5000
*Jan 3 19:26:58.211: NHRP: Setting retrans delay to 64 for nhs dst 4.4.4.1
*Jan 3 19:26:58.219: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:26:58.223: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:26:58.227: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:26:58.231: NHRP: 105 bytes out Tunnel1
*Jan 3 19:26:58.231: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:26:58.915: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:26:58.919: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:26:58.923: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:26:58.927: NHRP: 105 bytes out Tunnel1
*Jan 3 19:26:58.931: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:26:58.935: Tunnel1 count tx, adding 0 encap bytes
*Jan 3 19:26:58.939: NHRP: Resetting retransmit due to hold-timer for 4.4.4.1
*Jan 3 19:27:49.371: NHRP: Setting retrans delay to 64 for nhs dst 4.4.4.1
*Jan 3 19:27:49.375: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:27:49.379: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:27:49.383: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:27:49.387: NHRP: 105 bytes out Tunnel1
*Jan 3 19:27:49.391: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:27:49.395: Tunnel1 count tx, adding 0 encap bytes
*Jan 3 19:28:53.107: NHRP: Setting retrans delay to 64 for nhs dst 4.4.4.1
*Jan 3 19:28:53.111: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:28:53.115: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:28:53.119: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:28:53.123: NHRP: 105 bytes out Tunnel1
*Jan 3 19:28:53.127: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:28:53.131: Tunnel1 count tx, adding 0 encap bytes
*Jan 3 19:28:55.031: NHRP: Setting cache expiry for 9.9.9.9 to 5000
*Jan 3 19:29:50.219: NHRP: Setting retrans delay to 64 for nhs dst 4.4.4.1
*Jan 3 19:29:50.223: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:29:50.227: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:29:50.231: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:29:50.235: NHRP: 105 bytes out Tunnel1
*Jan 3 19:29:50.239: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:29:50.947: NHRP: Attempting to send packet via DEST 4.4.4.1
*Jan 3 19:29:50.951: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 77
*Jan 3 19:29:50.955: src: 4.4.4.2, dst: 4.4.4.1
*Jan 3 19:29:50.959: NHRP: 105 bytes out Tunnel1
*Jan 3 19:29:50.963: Tunnel1: GRE/IP encapsulated 1.1.1.2->9.9.9.9 (linktype=74, len=105)
*Jan 3 19:29:50.967: Tunnel1 count tx, adding 0 encap bytes
*Jan 3 19:29:50.971: NHRP: Resetting retransmit due to hold-timer for 4.4.4.1
01-03-2014 09:30 PM
Hi,
Could you amend?
HUB:
interface Tunnel1
tunnel source Serial1/0
no ip route 7.7.7.7 255.255.255.255 2.2.2.2
no ip route 8.8.8.8 255.255.255.255 1.1.1.2
ip route 0.0.0.0 0.0.0.0 1.1.1.2
SPOKE:
no crypto isakmp key cisco address 9.9.9.9
crypto isakmp key cisco address 1.1.1.2
no ip route 0.0.0.0 0.0.0.0 Tunnel1
no ip route 9.9.9.9 255.255.255.255 1.1.1.1
ip route 0.0.0.0 0.0.0.0 1.1.1.1
Sent from Cisco Technical Support iPhone App
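Added example (not part of the thread and not Cisco code): a small Python check run over the crypto and tunnel lines posted above. It flags the legacy ISAKMP parameters and the wildcard pre-shared key, and verifies that the spoke's NHS mapping, tunnel destination and key address all point at the address of the interface the hub uses as its tunnel source. The function names and the wording of the findings are made up for this example.

```python
import re
# Lines copied from the configurations posted in this thread (indentation restored, rest omitted).
HUB = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
interface Loopback0
 ip address 9.9.9.9 255.255.255.255
interface Tunnel1
 tunnel source Loopback0
"""
SPOKE = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp key cisco address 9.9.9.9
interface Tunnel1
 ip nhrp map 4.4.4.1 9.9.9.9
 ip nhrp nhs 4.4.4.1
 tunnel destination 9.9.9.9
"""
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def find(pattern, text):
    m = re.search(pattern, text or "", re.M)
    return m.group(1) if m else None

def hub_nbma(hub):  # IP of the interface named by the hub's "tunnel source"
    src = re.escape(find(r"^ +tunnel source (\S+)", hub) or "")
    return find(r"^ +ip address (\S+)", find(rf"^interface {src}\n((?: +.*\n?)+)", hub))

def audit(hub, spoke):
    out = []
    for role, cfg in (("hub", hub), ("spoke", spoke)):
        for kw, bad in WEAK.items():
            if (val := find(rf"^ +{kw} (\S+)", cfg)) in bad:
                out.append(f"{role}: weak isakmp {kw} {val}")
        if find(r"^crypto isakmp key \S+ address (0\.0\.0\.0)", cfg):
            out.append(f"{role}: wildcard pre-shared key")
    nbma, nhs = hub_nbma(hub), re.escape(find(r"^ +ip nhrp nhs (\S+)", spoke) or "")
    for name, pat in (("nhrp map", rf"^ +ip nhrp map {nhs} (\S+)"),
                      ("tunnel destination", r"^ +tunnel destination (\S+)"),
                      ("isakmp key address", r"^crypto isakmp key \S+ address (\S+)")):
        if (val := find(pat, spoke)) != nbma:
            out.append(f"spoke: {name} {val} != hub NBMA {nbma}")
    return out
```

On the configurations as originally posted, `audit(HUB, SPOKE)` reports only the crypto findings. The three address checks fail as soon as the hub's `tunnel source` is moved to another interface without the spoke's `ip nhrp map`, `tunnel destination` and ISAKMP key address being updated to match.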