10-14-2015 04:28 AM - edited 02-21-2020 08:30 PM
I have a working FlexVPN hub-and-spoke setup and want to add the spoke-to-spoke feature.
Sadly the hub doesn't seem to redirect traffic, i.e. NHRP is not working correctly. I suspect "NHRP: Rejecting addr type 0" from the debug tells me why this is not working, but I can't find any further information about this debug message.
When I initiate traffic from one spoke to a subnet behind another spoke (in the example to 192.168.100.0/24) there is not even an attempt to initiate a crypto session between the spokes. All spokes are configured the same.
NHRP debug output during tunnel setup (hub site):
1544366: Oct 14 12:58:55.790 CEST: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
1544367: Oct 14 12:58:56.880 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
1544368: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'Uninitialized tunnel mode' to 'GRE over point to point IPV4 tunnel mode'
1544369: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: NHRP not enabled
1544370: Oct 14 12:58:56.882 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'GRE over point to point IPV4 tunnel mode' to 'Encapsulating Security Protocol (ESP) over point 2 point IPv4 used by the ipsec client'
1544371: Oct 14 12:58:56.882 CEST: NHRP: Virtual-Access3: NHRP not enabled
1544372: Oct 14 12:58:56.889 CEST: NHRP: Rejecting addr type 0
1544373: Oct 14 12:58:56.889 CEST: NHRP: Adding all static maps to cache
1544374: Oct 14 12:58:56.889 CEST: NHRP: NHRP Redirect Feature PI-code Initialized
1544375: Oct 14 12:58:56.889 CEST: NHRP: Redirect Feature Initialized - Attempting Platform Init
1544376: Oct 14 12:58:56.890 CEST: NHRP: Rejecting addr type 0
1544377: Oct 14 12:58:56.890 CEST: NHRP: Rejecting addr type 0
1544378: Oct 14 12:58:56.896 CEST: %IKEV2-5-SA_UP: SA UP
1544379: Oct 14 12:58:56.896 CEST: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP. Peer <SPOKE-PUBLIC-IP>:500 f_vrf: <HUB-EXTERNAL-VRF> i_vrf: <HUB-EXTERNAL-VRF> Id: <SPOKE-FQDN>
1544380: Oct 14 12:58:56.904 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
1544381: Oct 14 12:58:56.905 CEST: NHRP: if_up: Virtual-Access3 proto 'NHRP_IPv4'
1544382: Oct 14 12:58:56.906 CEST: NHRP: Rejecting addr type 0
1544383: Oct 14 12:58:56.906 CEST: NHRP: Adding all static maps to cache
1544384: Oct 14 12:58:56.906 CEST: NHRP: Unable to send Registration - no NHSes configured
1544385: Oct 14 12:58:57.905 CEST: NHRP: Unable to send Registration - no NHSes configured
NHRP debug output during tunnel setup (client site):
.Oct 14 12:58:55.827: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXCLIENT) Client_public_addr = <SPOKE-PUBLIC-IP> Server_public_addr = <HUB-PUBLIC-IP>
.Oct 14 12:58:57.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
.Oct 14 12:58:57.071: NHRP: if_up: Tunnel0 proto 'NHRP_IPv4'
.Oct 14 12:58:57.071: NHRP: Rejecting addr type 0
.Oct 14 12:58:57.071: NHRP: Adding all static maps to cache
.Oct 14 12:58:57.071: NHRP: Unable to send Registration - no NHSes configured
.Oct 14 12:58:57.079: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXCLIENT) Client_public_addr = <SPOKE-PUBLIC-IP> Server_public_addr = <HUB-PUBLIC-IP> Assigned_Tunnel_v4_addr = 10.255.176.15
.Oct 14 12:58:58.071: NHRP: Unable to send Registration - no NHSes configured
Relevant Hub config
crypto ikev2 profile EXTERN-IKEV2-PROFILE
match fvrf <HUB-EXTERNAL-VRF>
match identity remote fqdn domain <CUSTOMER-DOMAIN>
identity local fqdn <HUB-FQDN>
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 10 2 periodic
aaa authorization group cert list RADIUS-AUTHORISATION name-mangler GET-FULL-HOST
virtual-template 10
crypto ipsec profile FLEXVPN-EXT-IPSEC-PROF
set ikev2-profile EXTERN-IKEV2-PROFILE
sho derived-config interface virtual-access 3
interface Virtual-Access3
description Tunnel Template fuer VRF <HUB-EXTERNAL-VRF>
vrf forwarding <HUB-INTERNAL-VRF>
ip address 10.255.176.14 255.255.255.254
ip nhrp network-id 5
ip nhrp redirect
tunnel source <HUB-PUBLIC-IP>
tunnel mode ipsec ipv4
tunnel destination <SPOKE-PUBLIC-IP>
tunnel path-mtu-discovery
tunnel vrf <HUB-EXTERNAL-VRF>
tunnel protection ipsec profile FLEXVPN-EXT-IPSEC-PROF
no tunnel protection ipsec initiate
end
Relevant spoke config
interface Virtual-Template10 type tunnel
ip unnumbered Tunnel0
ip nhrp network-id 5
ip nhrp shortcut virtual-template 10
tunnel mode ipsec ipv4
tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
crypto ikev2 profile FLEXCLIENT-PROFILE
match identity remote fqdn <HUB-FQDN>
match identity remote fqdn domain <CUSTOMER-DOMAIN>
identity local fqdn <SPOKE-FQDN>
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 10 2 periodic
aaa authorization group cert list Flex FlexClient-Author
virtual-template 10
crypto ipsec profile FLEXCLIENT-IPSEC-PROFILE
set ikev2-profile FLEXCLIENT-PROFILE
interface Tunnel0
description [Tunnel to FlexHub]
ip address negotiated
ip nhrp network-id 5
ip nhrp shortcut virtual-template 10
tunnel source GigabitEthernet0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
end
Working tunnel on hub site:
Tunnel-id Local Remote fvrf/ivrf Status
1 <HUB-PUBLIC-IP>/500 <SPOKE-PUBLIC-IP>/500 <HUB-EXTERNAL-VRF> READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/555 sec
CE id: 18901, Session-id: 2086
Status Description: Negotiation done
Local spi: D13309864C08DB0E Remote spi: 2098208B89845A8E
Local id: <HUB-FQDN>
Remote id: <SPOKE-FQDN>
Local req msg id: 55 Remote req msg id: 58
Local next msg id: 55 Remote next msg id: 58
Local req queued: 55 Remote req queued: 58
Local window: 5 Remote window: 5
DPD configured for 10 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Assigned host addr: 10.255.176.15
Initiator of SA : No
Remote subnets:
10.255.176.15 255.255.255.255
10.255.18.44 255.255.255.255
192.168.100.0 255.255.255.0
Working tunnel on spoke side:
Tunnel-id Local Remote fvrf/ivrf Status
1 <SPOKE-PUBLIC-IP>/500 <HUB-PUBLIC-IP>/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/529 sec
CE id: 2029, Session-id: 20
Status Description: Negotiation done
Local spi: 2098208B89845A8E Remote spi: D13309864C08DB0E
Local id: <SPOKE-FQDN>
Remote id: <HUB-FQDN>
Local req msg id: 55 Remote req msg id: 52
Local next msg id: 55 Remote next msg id: 52
Local req queued: 55 Remote req queued: 52
Local window: 5 Remote window: 5
DPD configured for 10 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Pushed IP address: 10.255.176.15
Remote subnets:
10.255.176.14 255.255.255.255
0.0.0.0 0.0.0.0
As stated before, the FlexVPN and crypto setup works fine, except for the NHRP redirect feature. Any help with this would be appreciated.
10-14-2015 06:53 AM
tunnel mode ipsec ipv4 <--- NHRP in IP world, may not work ... Try with GRE?
1544368: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'Uninitialized tunnel mode' to 'GRE over point to point IPV4 tunnel mode'
1544369: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: NHRP not enabled
interface Virtual-Template10 type tunnel
ip unnumbered Tunnel0 <--- why tunnel 0 and not the LAN
VRF configuration?
10-14-2015 07:23 AM
Thanks
no tunnel mode ipsec ipv4
was all the setup needed!
07-29-2016 05:23 AM
Perfect Answer. I was facing the same issue.
09-16-2016 06:21 AM
I suspect that Flex spoke-to-spoke tunnels do not work with ipv4 mode and only support GRE mode.
09-16-2016 06:54 AM
NHRP is an L2 protocol, VTI is an L3 encapsulation. So yes, you do need GRE (default).
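As an added example (not from the thread or any of its posters), a small Python check that catches the misconfiguration resolved above: it parses IOS interface blocks and flags any interface that enables NHRP while forced into `tunnel mode ipsec ipv4`, the combination fixed here by removing the tunnel mode line so the tunnel falls back to the GRE default. The sample config is constructed to resemble the spoke config in the thread; the `Tunnel1` block and its addresses are invented for the test.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the spoke config posted in the thread.
# Virtual-Template10 still carries the VTI mode; Tunnel0 has had it removed;
# Tunnel1 is an invented plain VTI with no NHRP and must not be flagged.
SAMPLE_CONFIG = """\
interface Virtual-Template10 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
 tunnel source GigabitEthernet0
 tunnel destination dynamic
 tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [indented sub-commands]}.
    A bare '!' or blank line ends the current interface block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def nhrp_on_vti(config: str) -> List[str]:
    """Return interfaces that enable NHRP ('ip nhrp ...') but are set to
    'tunnel mode ipsec ipv4'. NHRP needs the GRE encapsulation, which is the
    default when no 'tunnel mode' line is present."""
    offenders = []
    for name, cmds in parse_interfaces(config).items():
        has_nhrp = any(c.startswith("ip nhrp ") for c in cmds)
        is_vti = "tunnel mode ipsec ipv4" in cmds
        if has_nhrp and is_vti:
            offenders.append(name)
    return offenders
```

Each interface returned is one where `no tunnel mode ipsec ipv4` is the expected remediation, matching the fix confirmed in the thread.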