
DMVPN w/ 2 spokes hub not allowing connections to lan

Marley Brown
Level 1

Hi,

I am looking for some help with the following:

I have a 2 spoke DMVPN scenario. My problems are:

1. If I restart the hub, the tunnels don't come up unless I shut/no shut the tunnels at the spokes.
2. When the tunnels come up I am not able to access the hub's LAN interface; I have to restart the hub several times to make it come up. Also, the hub does not advertise routes, it only receives them (until I do number one about 3 times). In this state I can communicate between spokes but not to the hub (once I get the hub to advertise the routes, I can access the LAN interface). When I can't get into the LAN via the DMVPN tunnels I can't get in via EZVPN either. I am using telnet as the test protocol.

All the routers are 1811s with an EZVPN server configured. Here are the configs; the spokes have the same config, and all routers are brand new.

Hub:

crypto keyring ccp-dmvpn-keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXX
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group magellanvpn
 key magellan01x
 pool SDM_POOL_1
 acl 100
crypto isakmp profile ciscocp-ike-profile-1
 match identity group magellanvpn
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
crypto isakmp profile ccp-dmvpn-isakmprofile
 keyring ccp-dmvpn-keyring
 match identity address 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ccp-dmvpn-isakmprofile
archive
 log config
  hidekeys
interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile
interface FastEthernet0
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
router eigrp 100
 network 11.11.11.0 0.0.0.255
 network 11.0.0.0
 network 192.168.3.0
 no auto-summary

Spoke:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key magellan01x address 173.12.141.85
!
crypto isakmp client configuration group magellanvpn
 key magellan01x
 pool SDM_POOL_1
 acl 100
crypto isakmp profile ciscocp-ike-profile-1
 match identity group magellanvpn
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
!
archive
 log config
  hidekeys
interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.5 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 11.11.11.1 173.12.141.85
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 11.11.11.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel destination X.X.X.X
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface FastEthernet0
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

Thank you for any help in advance,

Marley

3 Replies

Marcin Latosiewicz
Cisco Employee

Marley,

I strongly suggest you remove any public IP information you have configured from forums (it also helps to use the "quote" feature when posting configurations).

Regarding problem number 1: you're missing ISAKMP keepalives.

crypto isakmp keepalive 30 5

on both hub and spoke should be a decent way to start.

If you're not seeing routes from hub advertised to spokes, well you need to check/share your routing configuration.

It looks like you're using a phase 2 design and EIGRP, in which case you might want to revisit the configuration guide (or you're running a software version which has some other defaults).

Marcin
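To make the two suggestions above concrete, here is an added example (it is not part of the original thread and not the poster's configuration) of the DMVPN-relevant lines for the hub and one spoke, with IKE dead peer detection enabled and both ends set up as a phase 2 mGRE design carrying EIGRP. It keeps the posted addressing, NHRP network ID, tunnel key, and 3DES/SHA transform set so it can be compared line by line. Two items in the posted configuration are worth checking before anything else: the hub's Tunnel0 is bound to `CiscoCP_Profile`, which is not defined anywhere in the posted hub config (only `CiscoCP_Profile1` and `CiscoCP_Profile2` are), and the spoke's Tunnel0 is a point-to-point GRE tunnel (`tunnel destination`) rather than mGRE, so it can reach other spokes only through the hub. The example goes slightly beyond the thread by making the spoke mGRE, adding `no ip next-hop-self eigrp 100` on the hub (which a phase 2 design needs so that spoke-to-spoke routes keep the originating spoke as next hop), and using the `periodic` form of the keepalive so a dead hub is detected even when no traffic is flowing. Assumed values: `203.0.113.1` is a documentation placeholder for the hub's public address (shown as X.X.X.X above), `192.168.10.0/24` is an assumed spoke LAN, and `XXXXX` stands for the shared key, which must be the same on the hub keyring and the spoke.

```cisco
! ---- Hub (DMVPN-related lines only; the EZVPN configuration is unchanged) ----
! IKE dead peer detection: probe every 30 s; once a peer stops answering,
! retry every 5 s. With this the spokes tear down and re-negotiate the SA
! after a hub reload instead of needing a shut/no shut on Tunnel0.
crypto isakmp keepalive 30 5 periodic
!
! 3DES and DH group 2 are kept only to match the posted configuration; they
! are legacy choices and should be replaced with AES and a stronger group
! where the platform and software allow it.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto keyring ccp-dmvpn-keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXX
crypto isakmp profile ccp-dmvpn-isakmprofile
 keyring ccp-dmvpn-keyring
 match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ccp-dmvpn-isakmprofile
!
interface Tunnel0
 ip address 11.11.11.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 ! Phase 2: the hub re-advertises one spoke's prefixes to the other spokes
 ! and leaves the originating spoke, not itself, as the next hop.
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 ! Must name a profile that exists; the posted config says CiscoCP_Profile.
 tunnel protection ipsec profile CiscoCP_Profile2
!
router eigrp 100
 ! The posted "network 11.0.0.0" is redundant with this statement.
 network 11.11.11.0 0.0.0.255
 network 192.168.3.0
 no auto-summary

! ---- Spoke (DMVPN-related lines only) ----
crypto isakmp keepalive 30 5 periodic
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! 203.0.113.1 is a placeholder for the hub's public address. The key must
! match the one in the hub's ccp-dmvpn-keyring.
crypto isakmp key XXXXX address 203.0.113.1
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
!
interface Tunnel0
 ip address 11.11.11.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 11.11.11.1 203.0.113.1
 ! Needed on an mGRE spoke so EIGRP hellos (multicast) reach the hub.
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 11.11.11.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0
 ! mGRE instead of "tunnel destination": spokes can then build direct tunnels.
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2
!
! The posted spoke configuration shows no EIGRP process at all. Without one
! the hub cannot learn the spoke LAN and the spoke installs nothing from the
! hub. 192.168.10.0 is an assumed spoke LAN.
router eigrp 100
 network 11.11.11.0 0.0.0.255
 network 192.168.10.0
 no auto-summary
```

After applying this, check each layer in order on the hub: `show crypto isakmp sa` (one active SA per spoke, and `show crypto isakmp peers` shows DPD enabled), `show dmvpn` and `show ip nhrp` (each spoke registered with its NBMA address), `show ip eigrp neighbors` (one adjacency per spoke over Tunnel0), and `show ip route eigrp` on a spoke (the hub's 192.168.3.0/24 must appear there before the LAN can be reached). `show version` gives the software release that the next reply asks for.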

Marcin,

Thank you for your suggestions. I have corrected (I think) the public IP and I will implement the keepalive. As for the hub, when I restart it I can't even get in through a VPN client; it is like it does not create a route for the VPN tunnel. After a couple of restarts I can get in.

Any other help would be greatly appreciated, let me know what more you want posted.

Thank you,

Marley

Marley,

The second part could be potentially a bug (I don't see any good explanation from my brief look at configuration).

That being said, I would say the best way to proceed would be to upgrade to the latest revision of your current software (what is your version right now?).

If that does not work, it is best to open a TAC case, as it will most likely need a deeper look.

Marcin