12-17-2020 02:34 PM
Dear sir,
Kindly, we have a strange issue in DMVPN with the ISR4321/K9, described below. Software version:
spoke (ISR4321/K9)
-----------------------
Cisco IOS XE Software, Version 16.09.02
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.2, RELEASE SOFTWARE (fc4)
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
GPL code under the terms of GPL Version 2.0. For more details,
I need to activate DMVPN phase 3. After configuring ip nhrp shortcut on the spoke router under the tunnel, it accepts it, but when we do
sh run int tunnel x the command is missing. Also, when we send direct spoke-to-spoke traffic after enabling summarization on the hub under EIGRP,
the NHRP route on the spoke that would indicate DMVPN phase 3 is working is missing too.
Note:
ip nhrp redirect exists in show interface tunnel x on the hub router. By the way, we use the following ASR:
hub router (ASR1001-X )
-------------------
ASR-MOI-HQ1#sh version | in Version
Cisco IOS XE Software, Version 16.09.02
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.2, RELEASE SOFTWARE (fc4)
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
GPL code under the terms of GPL Version 2.0. For more details, see the
12-20-2020 08:14 AM - edited 12-20-2020 08:50 AM
Here,
green and orange can be summarized to 10.0.0./16 "or a higher supernet".
Each spoke's tunnel destination must be reachable from the other spokes; you can do that with
ip route 0.0.0.0 0.0.0.0 ISPinterface
That's it, check this.
12-17-2020 02:43 PM - edited 12-17-2020 02:51 PM
Hi @saif
I think that command is enabled by default in newer OS (perhaps there is a difference between 16.9 on ISR and ASR). I don't have an image to check, but if you run "show run all" you should be able to determine whether it's actually enabled on the tunnel interface.
HTH
12-17-2020 02:57 PM
12-17-2020 03:06 PM
Did you confirm the command exists when you run "show run all"? If it does, then that would indicate potentially another issue with your configuration.
Are the IPSec SA's established?
Is an EIGRP adjacency formed?
Provide the output of the configuration of your hub and spoke for review.
12-17-2020 05:24 PM - edited 12-17-2020 05:43 PM
Dear sir,
Kindly find the answers to your questions (thanks for your patience and feedback). In the last show command
you can see that there is no direct spoke-to-spoke traffic (traffic always goes to the hub).
Note:
ip nhrp map multicast dynamic and ip nhrp shortcut exist under the tunnel, as you said, in show run configuration all
hub
interface Tunnel254
description Hub-Main-Passports
ip address 192.168.100.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxxxx
ip nhrp network-id 1
ip nhrp holdtime 50
ip nhrp bfd notify transport never
ip nhrp bfd notify services never
ip nhrp redirect
ip summary-address eigrp 100 0.0.0.0 0.0.0.0
ip tcp adjust-mss 1360
delay 100
nhrp map group SHAPE-8M service-policy output SHAPE-8M
nhrp map group SHAPE-4M service-policy output SHAPE-4M
bfd template sample
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile PASSPORTS-PROF
end
spoke 1
interface Tunnel1
ip address 192.168.100.229 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxxx
ip nhrp map multicast 172.29.100.254
ip nhrp map 192.168.100.254 172.29.100.254
ip nhrp map multicast 172.29.100.253
ip nhrp map 192.168.100.253 172.29.100.253
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 192.168.100.254
ip nhrp nhs 192.168.100.253
ip tcp adjust-mss 1360
nhrp group SHAPE-8M
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile xxxxx
end
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key pa$$herDkeY address 0.0.0.0
crypto ipsec transform-set xxxxx esp-aes esp-sha256-hmac
mode transport
crypto ipsec profile xxxxx
set transform-set xxxxx
router eigrp 100
network 10.129.2.0 0.0.0.255
network 10.129.3.32 0.0.0.31
network 10.129.3.64 0.0.0.31
network 192.168.100.0
===================================================================
spoke 2
interface Tunnel1
ip address 192.168.100.57 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxxx
ip nhrp map multicast 172.29.100.254
ip nhrp map 192.168.100.254 172.29.100.254
ip nhrp map multicast 172.29.100.253
ip nhrp map 192.168.100.253 172.29.100.253
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 192.168.100.254
ip nhrp nhs 192.168.100.253
ip tcp adjust-mss 1360
nhrp group SHAPE-8M
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile xxxx
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key pa$$herDkeY address 0.0.0.0
crypto ipsec transform-set xxxxx esp-aes esp-sha256-hmac
mode transport
crypto ipsec profile
set transform-set xxxxx
router eigrp 100
network 10.57.2.0 0.0.0.255
network 10.57.3.32 0.0.0.31
network 10.57.3.64 0.0.0.31
network 100.100.100.57 0.0.0.0
network 192.168.100.0
----------------------------------------
sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 192.168.100.254 to network 0.0.0.0
D* 0.0.0.0/0 [90/27008000] via 192.168.100.254, 00:02:29, Tunnel1
100.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D 100.100.100.253/32
[90/27008000] via 192.168.100.253, 01:13:53, Tunnel1
spoke 2
--------------------------------------------------------------------------
sh ip eigrp nei
sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 192.168.100.254 Tu1 12 00:02:36 949 5000 0 6846
0 192.168.100.253 Tu1 12 01:14:01 167 1398 0 25858
ping 10.129.2.1 so 10.57.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.129.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.57.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 177/185/196 ms
tre
tr
traceroute 10.129.2.1 so 10.57.2.1
Type escape sequence to abort.
Tracing the route to 10.129.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.100.254 168 msec 167 msec 168 msec
2 192.168.100.229 181 msec 180 msec *
sh ip nhrp dynamic
192.168.100.11/32 via 192.168.100.11
Tunnel1 created 00:07:15, expire 00:00:50
Type: dynamic, Flags: router implicit nhop nf
NBMA address: 172.29.100.11
(no-socket)
192.168.100.14/32 via 192.168.100.14
Tunnel1 created 00:06:15, expire 00:00:50
Type: dynamic, Flags: router implicit nhop nf
NBMA address: 172.29.100.14
(no-socket)
192.168.100.22/32 via 192.168.100.22
Tunnel1 created 00:08:34, expire 00:00:31
Type: dynamic, Flags: router implicit nhop nf
NBMA address: 172.29.100.22
(no-socket)
192.168.100.133/32 via 192.168.100.133
Tunnel1 created 00:06:28, expire 00:00:37
Type: dynamic, Flags: router implicit nhop nf
NBMA address: 172.29.100.133
(no-socket)
ARB-2-R-NEW#
ARB-2-R-NEW#
ARB-2-R-NEW#sh cry
ARB-2-R-NEW#sh crypto is
ARB-2-R-NEW#sh crypto isakmp sa
ARB-2-R-NEW#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.29.100.11 172.29.100.57 MM_NO_STATE 0 ACTIVE
172.29.100.14 172.29.100.57 MM_NO_STATE 0 ACTIVE (deleted)
172.29.100.133 172.29.100.57 MM_NO_STATE 0 ACTIVE (deleted)
172.29.100.22 172.29.100.57 MM_NO_STATE 0 ACTIVE (deleted)
172.29.100.253 172.29.100.57 QM_IDLE 1104 ACTIVE
172.29.100.254 172.29.100.57 QM_IDLE 1116 ACTIVE
12-17-2020 08:13 PM
Ip nhrp map multicast dynamic
is missing from hub config
12-19-2020 05:55 AM
Dear,
Kindly, ip nhrp map multicast dynamic exists but is hidden; you can see it when you do show run all, but it is not working.
interface Tunnel254
description Hub-Main-Passports
ip address 192.168.100.254 255.255.255.0
no ip redirects
ip unreachables
ip proxy-arp
ip mtu 1400
ip pim join-prune-interval 60
ip pim dr-priority 1
ip pim query-interval 30
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip nhrp authentication PaSS_tun
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp record
ip nhrp max-send 10000 every 10
ip nhrp bfd notify transport never
ip nhrp bfd notify services never
ip nhrp multicast batch-size 250 batch-interval 10
ip nhrp use 1
ip nhrp send-routed
ip nhrp registration no-unique
ip nhrp registration timeout 200
ip nhrp cache non-authoritative
ip nhrp shortcut
ip nhrp redirect timeout 8
ip nhrp path preference 255
no ip flowspec
ip cef accounting non-recursive internal
ip load-sharing per-destination
ip route-cache cef
ip route-cache
ip split-horizon
ip summary-address eigrp 100 0.0.0.0 0.0.0.0
ip tcp adjust-mss 1360
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp v3-query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
load-interval 300
carrier-delay 2
delay 100
no shutdown
ipv6 nd reachable-time 0
ipv6 nd ns-interval 0
ipv6 nd dad loopback detect
ipv6 nd prefix framed-ipv6-prefix
ipv6 nd nud igp
no ipv6 nd ra solicited unicast
ipv6 nd ra lifetime 1800
ipv6 nd ra interval 200
ipv6 tcp adjust-mss 0
ipv6 mfib forwarding input
ipv6 mfib forwarding output
ipv6 mfib cef input
ipv6 mfib cef output
ipv6 nhrp map multicast dynamic
ipv6 nhrp holdtime 600
ipv6 nhrp record
ipv6 nhrp max-send 10000 every 10
ipv6 nhrp bfd notify transport 6
ipv6 nhrp bfd notify services 0
ipv6 nhrp multicast batch-size 250 batch-interval 10
ipv6 nhrp use 1
ipv6 nhrp send-routed
ipv6 nhrp registration no-unique
ipv6 nhrp registration timeout 200
ipv6 nhrp cache non-authoritative
ipv6 nhrp shortcut
ipv6 nhrp path preference 255
no ipv6 flowspec
ipv6 redirects
ipv6 unreachables
snmp trap link-status
mpls mtu max
mpls mldp
nhrp map group SHAPE-8M service-policy output SHAPE-8M
nhrp map group SHAPE-4M service-policy output SHAPE-4M
nhrp route-watch
no flowspec group
autonomic
bfd template sample
no arp arpa
arp timeout 0
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel ttl 255
tunnel bandwidth transmit 8000
tunnel bandwidth receive 8000
tunnel protection ipsec profile PASSPORTS-PROF
clns route-cache
spanning-tree port-priority 128
spanning-tree cost 0
no h323-gateway voip interface
hold-queue 375 in
hold-queue 0 out
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
12-19-2020 07:19 AM
Is this the config for the hub?
Why is the hub configured with shortcut? It must be redirect!!
12-19-2020 10:13 AM
Dear mhm,
It has no effect; however, I removed it and kept only ip redirect on the hub, with the same problem: traffic travels to the hub, then the spoke.
No direct spoke-to-spoke traffic.
12-19-2020 03:49 PM
How phase 3 works:
the hub receives the data from spoke1 to spoke 2,
it sends a redirect to spoke1 and spoke 2,
spoke1 sends a resolution.
The key point here is that the Spoke1 NBMA is known from the Spoke2 NBMA and vice versa.
Here the NBMA is also known via the tunnel!! Why? Because of the summary 0.0.0.0 on the hub's tunnel.
So all traffic goes through the hub.
The solution is to use a VRF, or use a default route toward your ISP router, and use something other than summary 0.0.0.0 on the tunnel.
12-20-2020 06:22 AM
Dear Mhm,
Kindly, the tunnel mode is multipoint GRE,
and since we wrote ip nhrp redirect on the hub, the hub sends a redirect message containing the shortest path to the network of the other spoke, which overrides the summary address that exists on the spoke. This is the reason to write ip nhrp shortcut on the spoke: to make the spoke rewrite its routing table and install NHRP shortcut routes.
When you do show ip routes nhrp on one spoke for the network of the other spoke, you must see an NHRP route with AD = 250 and no longer see the default route. This is what nhrp shortcut does, and I don't see it in
my scenario.
Your explanation misunderstands DMVPN phase 3 behavior.
12-20-2020 06:42 AM
Dear,
the hub redirect message with this info is sent to spoke 1
nbma ip:
source: destination:
spoke1 uses this info to connect directly to spoke2.
Now,
in the routing table of spoke1, is the spoke2 “tunnel source” reachable?
Is it reachable via the tunnel toward the hub “and here comes the summary 0.0.0.0 issue”?
In order for spoke1 to connect directly to spoke2, the tunnel sources must be pingable between each other, otherwise the direct connection will not happen.
12-20-2020 06:54 AM - edited 12-20-2020 06:58 AM
@saif Add no ip split-horizon eigrp 100 to the hub router's tunnel interface. From one spoke router ping the other spoke, then check the routing table show ip route nhrp - you should now have an NHRP route direct to the other spoke (not via hub). The first packet(s) would go via hub.
This dynamic NHRP route would override the default summary route you've configured on the hub in order to send direct spoke-to-spoke.
12-20-2020 08:03 AM
Dear sir,
Kindly find the result below. Unfortunately it does not work; see the picture below of the hub and spoke ping and config.
12-20-2020 08:38 AM
Turn on isakmp and nhrp debugs when you perform the test. For all you know it's failing to establish the tunnel.
If using PSK, do the spokes have the PSK for each other?
Provide the output of "show dmvpn" and "show crypto ipsec sa" from both spokes after you've run a test.
Provide your full configuration of the hubs and spokes, please attach as separate text files.
Provide the routing table of each router.
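Added example, not part of the thread or written by its participants: the last reply asks whether the spoke-to-spoke tunnel is simply failing to establish. This Python code parses the "show crypto isakmp sa" table posted earlier from spoke 2 and separates hub peers (taken from the spoke's static "ip nhrp map" lines) from dynamic spoke peers; the sample strings are constructed from the thread's output and the function names are hypothetical.

```python
import re

# Constructed sample: rows of the "show crypto isakmp sa" output posted from spoke 2.
ISAKMP_SA = """\
dst             src             state          conn-id status
172.29.100.11   172.29.100.57   MM_NO_STATE          0 ACTIVE
172.29.100.14   172.29.100.57   MM_NO_STATE          0 ACTIVE (deleted)
172.29.100.133  172.29.100.57   MM_NO_STATE          0 ACTIVE (deleted)
172.29.100.22   172.29.100.57   MM_NO_STATE          0 ACTIVE (deleted)
172.29.100.253  172.29.100.57   QM_IDLE           1104 ACTIVE
172.29.100.254  172.29.100.57   QM_IDLE           1116 ACTIVE
"""

# Constructed sample: the NHRP mapping lines from the spoke tunnel config.
SPOKE_CONFIG = """\
 ip nhrp map multicast 172.29.100.254
 ip nhrp map 192.168.100.254 172.29.100.254
 ip nhrp map multicast 172.29.100.253
 ip nhrp map 192.168.100.253 172.29.100.253
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+(\d+)\s+(.+)$")
STATIC_MAP = re.compile(rf"^\s*ip nhrp map ({IP}) ({IP})\s*$", re.M)

def hub_nbma(config):
    """NBMA addresses of the hubs, taken from the static 'ip nhrp map' lines."""
    return {m.group(2) for m in STATIC_MAP.finditer(config)}

def parse_sa(text):
    """Yield (peer, state, status) for every data row of the SA table."""
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            yield m.group(1), m.group(3), m.group(5).strip()

def classify(sa_text, config):
    """Split IKE peers into hubs and spokes, established (QM_IDLE) or not."""
    hubs = hub_nbma(config)
    report = {"hub_up": [], "hub_down": [], "spoke_up": [], "spoke_down": []}
    for peer, state, _status in parse_sa(sa_text):
        role = "hub" if peer in hubs else "spoke"
        report[f"{role}_{'up' if state == 'QM_IDLE' else 'down'}"].append(peer)
    return report

if __name__ == "__main__":
    for bucket, peers in classify(ISAKMP_SA, SPOKE_CONFIG).items():
        print(f"{bucket:10} {', '.join(peers) or '-'}")
```

On the posted output both hubs are in QM_IDLE while every spoke peer sits in MM_NO_STATE, so IKE phase 1 between the spokes never completes.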