Boris Simunko
Beginner

Dual hub Phase2 DMVPN issue

Hello!

I have been struggling with a weird issue that just came out of nowhere. Everything was working fine until one day it just stopped, and I have not been able to fix it. There have been no (major) config or other changes; I am sure about that because I am the only one with router access.

 

So at my company we have 2 routers (2811 & 3845) that are hubs (among other functions) for a small DMVPN network that is connecting us to a remote partner location. The remote side has an 1841 router. The 3845 is the primary path, and the 2811 is the backup. I have everything set up for automatic route distribution through SLAs and metric alteration. This part works as expected.

 

Local subnets that need to traverse the tunnel are
192.168.10.0/24
192.168.20.0/24

and the remote subnet is
192.168.168.0/24.

 

The problem is that only the router-sourced traffic is traversing the tunnel correctly. Traffic from the clients in 192.168.10.0 and 192.168.20.0 gets "stuck" somewhere.

 

-from the router-

 

rt-C3845-r5-015#ping 192.168.168.11 so 192.168.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.11, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

rt-C3845-r5-015#traceroute
Protocol [ip]:
Target IP address: 192.168.168.11 <- IP on the remote router
Source address: 192.168.20.254 <- IP on the local 3845 router
Numeric display [n]: y
Timeout in seconds [3]: 1
Probe count [3]: 1
Minimum Time to Live [1]: 1
Maximum Time to Live [30]: 5
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Type escape sequence to abort.
Tracing the route to 192.168.168.11
VRF info: (vrf in name/id, vrf out name/id)
1 10.8.12.34 4 msec <- tunnel IP on the remote router
Received packet has options
Total option bytes= 40, padded length=40
Record route:
(10.8.12.33) <*> <- tunnel IP on the local router
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list

 

-from the client-

 

> tracert -d -w 500 192.168.168.11

Tracing route to 192.168.168.11 over a maximum of 30 hops

1 1 ms <1 ms <1 ms 192.168.20.3 <- my core switch
2 <1 ms <1 ms <1 ms 10.8.12.23 <- inside IP of the local 3845 router
3 * * * Request timed out.
4 * * * Request timed out.

 

I can confirm that the routing information on my side is correct, as the traceroute output above (from my PC) shows the right path, but it times out.

Another funny thing is that Wireshark shows ICMP packets coming from the remote router to my PC and my reply packets that never arrive there. In the other direction, when my PC pings the remote side, only the outgoing packets are seen, no reply...

There is no routing protocol through the tunnel; it's all static on both sides, even though I am running RIPv2 in the network on my side.

Relevant configs:

rt-C3845-r5-015#show run int t0
Building configuration...

Current configuration : 425 bytes
!
interface Tunnel0
ip address 10.8.12.33 255.255.255.248
no ip redirects
ip mtu 1400
ip nhrp authentication )v3hT(-%
ip nhrp map multicast dynamic
ip nhrp map group 1 service-policy output pm_TUNNEL
ip nhrp network-id 666
ip nhrp holdtime 65535
ip nhrp server-only
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source GigabitEthernet0/0.350
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN

ip route 192.168.168.0 255.255.255.0 10.8.12.34 name DMVPN track 1

rt-C2811-r5-006#show run int t0
Building configuration...

Current configuration : 422 bytes
!
interface Tunnel0
ip address 10.8.12.35 255.255.255.248
no ip redirects
ip mtu 1400
ip nhrp authentication )v3hT(-%
ip nhrp map multicast dynamic
ip nhrp map group 1 service-policy output pm_TUNNEL
ip nhrp network-id 666
ip nhrp holdtime 65535
ip nhrp server-only
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source FastEthernet0/1.350
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN

ip route 192.168.168.0 255.255.255.0 10.8.12.34 name DMVPN

INFO#show run int t0
Building configuration...

Current configuration : 511 bytes
!
interface Tunnel0
ip address 10.8.12.34 255.255.255.248
no ip redirects
ip mtu 1400
ip nhrp authentication )v3hT(-%
ip nhrp map 10.8.12.33 <3845 public IP>
ip nhrp map multicast <3845 public IP>
ip nhrp map 10.8.12.35 <2811 public IP>
ip nhrp map multicast <2811 public IP>
ip nhrp network-id 666
ip nhrp holdtime 65535
ip nhrp nhs 10.8.12.33
ip nhrp nhs 10.8.12.35
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN

ip route 192.168.10.0 255.255.255.0 10.8.12.33 name DMVPN track 1
ip route 192.168.20.0 255.255.255.0 10.8.12.33 name DMVPN track 2
ip route 192.168.10.0 255.255.255.0 10.8.12.35 200 name DMVPN_backup
ip route 192.168.20.0 255.255.255.0 10.8.12.35 200 name DMVPN_backup


I will post other config parts as needed...


Does anyone have any ideas? I have hit a wall and do not know what to do anymore, and I have tried A LOT of things....
