Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
0
Helpful
2
Replies

GRE Tunnel is not coming up

durgesh.p
Level 1
Level 1

‎12-03-2015 08:15 PM

Hello,

I am configuring DMVPN with GRE over IPsec. IPSec is coming up but at remote end my tunnel is not coming up.

Please Suggest

Hub_End#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
138.16.176.17   100.40.105.22   QM_IDLE           1072 ACTIVE

Spoke#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
138.16.176.17   100.40.105.22   QM_IDLE          27540 ACTIVE cust1-ik                                                                       

Spoke End Config of Tunnel

interface Tunnel20
 ip vrf forwarding cisadmin
 ip address 10.1.24.14 255.255.255.252
 ip mtu 1400
 ip nhrp authentication NHRP1
 ip nhrp map multicast 138.16.176.17
 ip nhrp map 10.1.24.13 138.16.176.17
 ip nhrp network-id 20
 ip nhrp holdtime 450
 ip nhrp nhs 10.1.24.13
 ip tcp adjust-mss 1360
 ip ospf message-digest-key 1 md5 7 144604271E312C1D37
 ip ospf network broadcast
 ip ospf cost 10
 tunnel source GigabitEthernet0/0/1
 tunnel destination 138.16.176.17
 tunnel key 20
 tunnel vrf internet-vrf
 tunnel protection ipsec profile cust1-ipsec-prof shared

Hub End Config

interface Tunnel20
 ip vrf forwarding cisadmin
 ip address 10.1.24.13 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP1
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 30
 ip tcp adjust-mss 1360
 ip ospf message-digest-key 1 md5 7 144604271E312C1D37
 ip ospf network broadcast
 ip ospf cost 10
 tunnel source GigabitEthernet0/0/2
 tunnel mode gre multipoint
 tunnel key 20
 tunnel vrf internet-vrf
 tunnel protection ipsec profile cust1-ipsec-prof shared

Labels:
0 Helpful
2 Replies 2

Rahul Govindan
VIP Alumni
VIP Alumni

‎12-04-2015 12:15 PM

Tunnel interface config looks ok on a quick check. When you say tunnel is not coming up, do you mean that you the line protocol is down or that you are not able to ping between the tunnel interface. A few thinks you can check:

1) Check nhrp mapping on hub (show ip nhrp 10.1.24.14), This should show then NBMA or public ip address of spoke - 100.40.105.22

2) If 1 is successful, then try pinging the hub tunnel ip address from the spoke. You should see stats of packets encaps and decaps from both hub and spoke. You can use this to see where the packets are dropped.

This is a good starting step to see whats going wrong.

0 Helpful

durgesh.p
Level 1
Level 1
In response to Rahul Govindan

‎12-06-2015 12:31 AM

Now I am Able to See Tunnel is UP now and end to end it is pinging

I am configuring second vrf with same config but with IP address change.

I am seeing in the output of <show dmvpn>

both stucks in IKE stage. To make it up is there any thing I need to change .Below is the config of Tunnel

Please note when i am shuting the Tunnel21 that is of vrf campus other is coming up, simutainously both are not coming up and IPSec is Up Packets are Encrypte and descrypted

Hub Side

interface Tunnel20
 ip vrf forwarding cisadmin
 ip address 10.1.24.13 255.255.255.252
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip ospf network broadcast
 tunnel source GigabitEthernet0/0/2
 tunnel mode gre multipoint
 tunnel vrf internet-vrf
 tunnel protection ipsec profile cust1-ipsec-prof shared
!
interface Tunnel21
 ip vrf forwarding campus
 ip address 10.1.19.13 255.255.255.252
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp redirect
 ip ospf network broadcast
 shutdown
 tunnel source GigabitEthernet0/0/2
 tunnel mode gre multipoint
 tunnel vrf internet-vrf
 tunnel protection ipsec profile cust1-ipsec-prof shared

Spoke side

interface Tunnel20
 ip vrf forwarding cisadmin
 ip address 10.1.24.14 255.255.255.252
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 10.1.24.13 138.16.176.14
 ip nhrp map multicast 138.16.176.14
 ip nhrp network-id 1
 ip nhrp nhs 10.1.24.13
 ip nhrp shortcut
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel vrf internet-vrf
 tunnel protection ipsec profile cust1-ipsec-prof shared
!
interface Tunnel21
 ip vrf forwarding campus
 ip address 10.1.19.14 255.255.255.252
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 10.1.19.13 138.16.176.14
 ip nhrp map multicast 138.16.176.14
 ip nhrp network-id 2
 ip nhrp nhs 10.1.19.13
 ip nhrp shortcut
 ip ospf network broadcast
 ip ospf priority 0
 shutdown
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel vrf internet-vrf
 tunnel protection ipsec profile cust1-ipsec-prof shared

0 Helpful
Customers Also Viewed These Support Documents