In what is right now a test environment I have dual-hub DMVPN routers set up with 4 spokes. One particular spoke was working for a few weeks with dual tunnels to each hub. Now, for an unknown reason, this spoke is connected to both hubs but only passes traffic to the primary hub. The hubs are C8810-K9s (v15.4(1r)T1); the trouble spoke is a CISCO881-SEC-K9 (v15.4(3)M9). The other working spokes are one IR809 and 2x 891Fs.
Hub (working with 3 other peers):

```
crypto ipsec transform-set T1 esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set T1
 set pfs group2

interface Tunnel1
 ip address 10.251.0.1 255.255.255.192
 no ip redirects
 ip nhrp authentication TEST02
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 600
 tunnel source 39.xx.xx.37
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
```

Spoke, Tunnel1 (working to Hub A):

```
crypto ipsec transform-set T1 esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set T1
 set pfs group2

interface Tunnel1
 ip address 10.250.0.3 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication TEST01
 ip nhrp map multicast 39.xx.xx.36
 ip nhrp map 10.250.0.1 39.xx.xx.36
 ip nhrp network-id 1
 ip nhrp nhs 10.250.0.1
 ip nhrp registration timeout 5
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared
```

Spoke, Tunnel2 (non-working, to Hub B):

```
interface Tunnel2
 ip address 10.251.0.3 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication TEST02
 ip nhrp map 10.251.0.1 39.xx.xx.37
 ip nhrp map multicast 39.xx.xx.37
 ip nhrp network-id 2
 ip nhrp nhs 10.251.0.1
 ip nhrp registration timeout 5
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared
```
On both sides, I have encaps and decaps:

Hub:

```
sh crypto ipsec sa peer 73.xxx.xx.7

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 39.xx.xx.37

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (39.xx.xx.37/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (73.xxx.xx.7/255.255.255.255/47/0)
   current_peer 73.xxx.xx.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
    #pkts decaps: 960, #pkts decrypt: 960, #pkts verify: 960
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
```

Spoke:

```
sh crypto ipsec sa peer 39.xx.xx.37

interface: Tunnel2
    Crypto map tag: protect-gre-head-1, local addr 73.xxx.xx.7

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (73.xxx.xx.7/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (39.xx.xx.37/255.255.255.255/47/0)
   current_peer 39.xx.xx.37 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1021, #pkts encrypt: 1021, #pkts digest: 1021
    #pkts decaps: 1634, #pkts decrypt: 1634, #pkts verify: 1634
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
```
When I run `show dmvpn` on both, the hub will show as UP, but the spoke's state is IKE, though before writing this it was showing NHRP. The crazy thing is this was working. Well, it is working with the 3 other spoke routers I have in testing. I have experienced this before, where the hub or spoke will have the state as IKE or NHRP, but I could still reach the other end and BGP sessions remained up, so I had yet to look further into that situation.
Clearing the crypto or IP NHRP entries, etc., and even removing the tunnel interface or shutting it down, has no effect. Any suggestions on what I should look at next would be appreciated.
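One way to read the two `show crypto ipsec sa peer` outputs above systematically, as an added example that is not part of the original post: the script below parses the hub and spoke SA blocks, checks that ESP is being both encapsulated and decapsulated on each end, and compares each side's encaps against the far side's decaps. The sample text is constructed; the packet counters are the ones quoted in the post, while the public addresses are documentation-range placeholders (`192.0.2.37`, `198.51.100.7`) because the post masks them. The function names and the 0.5 drift threshold are this example's own choices.

```python
import re

# Constructed sample input: the counters are the ones quoted in the post;
# the public addresses are documentation-range placeholders, since the
# post masks them.
HUB_SA = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.0.2.37

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.37/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.7/255.255.255.255/47/0)
   current_peer 198.51.100.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
    #pkts decaps: 960, #pkts decrypt: 960, #pkts verify: 960
    #send errors 0, #recv errors 0
"""

SPOKE_SA = """\
interface: Tunnel2
    Crypto map tag: protect-gre-head-1, local addr 198.51.100.7

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (198.51.100.7/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.0.2.37/255.255.255.255/47/0)
   current_peer 192.0.2.37 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1021, #pkts encrypt: 1021, #pkts digest: 1021
    #pkts decaps: 1634, #pkts decrypt: 1634, #pkts verify: 1634
    #send errors 0, #recv errors 0
"""

# Field -> regex over the text of one "show crypto ipsec sa peer" block.
FIELDS = {
    "interface": re.compile(r"^\s*interface:\s+(\S+)", re.M),
    "peer": re.compile(r"current_peer\s+(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s+(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s+(\d+)"),
}
INT_FIELDS = {"encaps", "decaps", "send_errors", "recv_errors"}


def parse_ipsec_sa(text):
    """Pull interface, peer and packet counters out of one SA block."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"field '{name}' not found in SA output")
        out[name] = int(m.group(1)) if name in INT_FIELDS else m.group(1)
    return out


def assess_pair(hub, spoke, drift=0.5):
    """Classify the hub/spoke SA pair.

    Returns (verdict, notes). 'ipsec-bidirectional' means ESP is being
    sent and received on both ends, so the data plane under GRE is
    working and the fault is more likely NHRP or routing; 'ipsec-one-way'
    means at least one direction never encrypts or never decrypts.
    """
    notes = []
    for side, sa in (("hub", hub), ("spoke", spoke)):
        if sa["send_errors"] or sa["recv_errors"]:
            notes.append(f"{side}: send/recv errors present, inspect IPsec first")
    both = all(sa[k] > 0 for sa in (hub, spoke) for k in ("encaps", "decaps"))
    if not both:
        return "ipsec-one-way", notes
    # Each side's decaps should track the far side's encaps; a wide gap
    # (allowing for snapshots taken at different moments) points at
    # drops in transit.
    for sent, received, label in ((hub["encaps"], spoke["decaps"], "hub->spoke"),
                                  (spoke["encaps"], hub["decaps"], "spoke->hub")):
        if min(sent, received) / max(sent, received) < drift:
            notes.append(f"{label}: {sent} sent vs {received} received")
    return "ipsec-bidirectional", notes


if __name__ == "__main__":
    h, s = parse_ipsec_sa(HUB_SA), parse_ipsec_sa(SPOKE_SA)
    verdict, notes = assess_pair(h, s)
    print(h["interface"], "<->", s["interface"], verdict, notes or "no counter anomalies")
```

With the counters from the post the verdict is `ipsec-bidirectional` with no anomalies: the hub's 1523 encaps line up with the spoke's 1634 decaps and the spoke's 1021 encaps with the hub's 960 decaps, so ESP is flowing in both directions between these two peers. That is the evidence a troubleshooter wants before moving up a layer to NHRP registration (`show ip nhrp nhs detail`) and routing on the Tunnel2 side rather than spending more time on the crypto.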