
DMVPN - tunnel up but no traffic flow

TRENT WAITE
Level 1

In what is right now a test environment, I have dual hub DMVPN routers set up with 4 spokes. One particular spoke was working for a few weeks with dual tunnels to each hub. Now, for an unknown reason, this spoke is connected to both hubs but only passes traffic to the primary hub. The hubs are C8810-K9s (v15.4(1r)T1), the trouble spoke is CISCO881-SEC-K9 (v15.4(3)M9). The other working spokes are one IR809 and 2x 891Fs.



Hub:

crypto ipsec transform-set T1 esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set T1
 set pfs group2

Working with 3 other peers:

interface Tunnel1
 ip address 10.251.0.1 255.255.255.192
 no ip redirects
 ip nhrp authentication TEST02
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 600
 tunnel source 39.xx.xx.37
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre

Spoke:

crypto ipsec transform-set T1 esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set T1
 set pfs group2

Working to Hub A:

interface Tunnel1
 ip address 10.250.0.3 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication TEST01
 ip nhrp map multicast 39.xx.xx.36
 ip nhrp map 10.250.0.1 39.xx.xx.36
 ip nhrp network-id 1
 ip nhrp nhs 10.250.0.1
 ip nhrp registration timeout 5
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared

Non working Hub B:

interface Tunnel2
 ip address 10.251.0.3 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication TEST02
 ip nhrp map 10.251.0.1 39.xx.xx.37
 ip nhrp map multicast 39.xx.xx.37
 ip nhrp network-id 2
 ip nhrp nhs 10.251.0.1
 ip nhrp registration timeout 5
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared
  

 

On both sides, I have encaps and decaps....

 

Hub:

sh crypto ipsec sa peer 73.xxx.xx.7

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 39.xx.xx.37

protected vrf: (none)
local ident (addr/mask/prot/port): (39.xx.xx.37/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (73.xxx.xx.7/255.255.255.255/47/0)
current_peer 73.xxx.xx.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
#pkts decaps: 960, #pkts decrypt: 960, #pkts verify: 960
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Spoke:

sh crypto ipsec sa peer 39.xx.xx.37

interface: Tunnel2
Crypto map tag: protect-gre-head-1, local addr 73.xxx.xx.7

protected vrf: (none)
local ident (addr/mask/prot/port): (73.xxx.xx.7/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (39.xx.xx.37/255.255.255.255/47/0)
current_peer 39.xx.xx.37 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1021, #pkts encrypt: 1021, #pkts digest: 1021
#pkts decaps: 1634, #pkts decrypt: 1634, #pkts verify: 1634
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

 

When I run show dmvpn on both, the hub will show as up, but the spoke's state is IKE, though before writing this it was stating nhrp. Crazy thing is this was working. Well, it is working with the 3 other spoke routers I have testing. I have experienced this prior, where the hub or spoke will have the state as IKE or nhrp, but I could still reach the other end and BGP sessions remained up, so I had yet to look further into that situation.

 

Clearing the crypto or ip nhrp etc., even removing the tunnel interface or shutting it down, has no effect. Any suggestions on what I should look at next would be appreciated.
