11-02-2010 01:49 AM - edited 02-21-2020 04:56 PM
When I log into my branch router I can see that only 1 tunnel is working. When I do sh crypto sessions, it says NO IKE in status. Then I need to issue "clear crypto isakmp" and "clear crypto session", and then everything becomes normal.
Below is the relevant configuration of both offices; they are connected through point-to-multipoint links.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set MINE esp-3des esp-md5-hmac
crypto ipsec profile DMVPN
 set security-association lifetime seconds 36000
 set transform-set MINE
 set pfs group2
 set isakmp-profile DMVPN
interface Tunnel0
 description XXXXXX
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip virtual-reassembly
 tunnel source 172.19.7.102
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
interface Tunnel2
 description DMVPN over XXXXXX
 ip address 192.168.20.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication ciscoc
 ip nhrp map multicast dynamic
 ip nhrp network-id 2999
 ip virtual-reassembly
 tunnel source 172.19.20.106
 tunnel mode gre multipoint
 tunnel key 9999
 tunnel protection ipsec profile DMVPN
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
no crypto isakmp ccm
!
!
crypto ipsec transform-set MINE esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 36000
 set transform-set MINE
 set pfs group2
interface Tunnel0
 description xxxxxxxxx
 ip address 192.168.1.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 192.168.1.1 172.19.7.102
 ip nhrp map multicast 172.19.7.102
 ip nhrp network-id 99
 ip nhrp nhs 192.168.1.1
 tunnel source 172.19.7.110
 tunnel destination 172.19.7.102
 tunnel key 999
 tunnel protection ipsec profile DMVPN
interface Tunnel2
 ip address 192.168.20.10 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication ciscoc
 ip nhrp map 192.168.20.1 172.19.20.106
 ip nhrp map multicast 172.19.20.106
 ip nhrp network-id 2999
 ip nhrp nhs 192.168.20.1
 tunnel source 172.19.7.110
 tunnel destination 172.19.20.106
 tunnel key 9999
 tunnel protection ipsec profile DMVPN
11-02-2010 05:52 AM
Do you have a syslog server in your network?
Could be helpful if you put some logs.
11-02-2010 06:00 AM
no buddy, no syslog server :S
11-02-2010 06:11 AM
You can execute this debug command in both devices and paste the result.
debug crypto isakmp 127
11-10-2010 03:46 AM
I did some debugs and got the following errors on the branch router. The subnet 192.168.10.x is the one I am having problems with:
*Nov 28 15:27:37.978: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_negotiating since it's already 0.
*Nov 28 15:27:37.990: ISAKMP: Trying to decrement ipsec count below 0
*Nov 28 15:27:38.230: ISAKMP: Trying to decrement ipsec count below 0
*Nov 28 15:27:43.390: map_db_find_best did not find matching map
*Nov 28 15:27:43.706: map_db_find_best did not find matching map
*Nov 28 15:27:58.162: IPSEC(decapsulate): error in decapsulation crypto_ipsec_les_fs
RTR#
RTR#
*Nov 28 15:28:58.190: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
*Nov 28 15:28:58.194: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820
*Nov 28 15:29:23.418: ISAKMP:(0:81:HW:2):SA is still budding. Attached new ipsec request to it. (local BRANCH_IP, remote HEADOFFICE_IP)
*Nov 28 15:29:53.418: ISAKMP:(0:81:HW:2):SA is still budding. Attached new ipsec request to it. (local 1BRANCH_IP, remote HEADOFFICE_IP)
*Nov 28 15:29:58.218: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)
RTR#
*Nov 28 15:30:51.762: ISAKMP:(0:83:HW:2): starving for SPIs...
*Nov 28 15:30:58.242: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
*Nov 28 15:31:58.266: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
*Nov 28 15:32:58.290: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
*Nov 28 15:33:12.946: ISAKMP:(0:89:HW:2):SA is still budding. Attached new ipsec request to it. (local BRANCH_IP, remote HEADOFFICE_IP)
*Nov 28 15:33:42.946: ISAKMP:(0:89:HW:2):SA is still budding. Attached new ipsec request to it. (local BRANCH_IP, remote HEADOFFICE_IP)
*Nov 28 15:33:49.002: ISAKMP:(0:89:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)
*Nov 28 15:33:49.002: ISAKMP:(0:89:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)
RTR#sh crypto session
Interface: Tunnel1
Session status: UP-NO-IKE
Peer: 137.101.12.162 port 500
IKE SA: local BRANCH_IP/500 remote HEADOFFICE_IP/500 Inactive
IKE SA: local BRANCH_IP/500 remote HEADOFFICE_IP/500 Inactive
IKE SA: local BRANCH_IP/500 remote HEADOFFICE_IP/500 Inactive
IPSEC FLOW: permit 47 host BRANCH_IP/ host HEADOFFICE_IP
Active SAs: 4, origin: crypto map
and sometimes the Session status is Down Negotiating.
Is there some blockage from the ISP end?
11-10-2010 04:24 AM
Try sharing the ipsec profile since the profile is being used by multiple tunnels.
"tunnel protection ipsec profile DMVPN shared"
Dan
11-10-2010 04:30 AM
To be clear, I removed the tunnel protection and now I am running DMVPN over the internet (without IPsec). I still can't get EIGRP to work, and when I did debug nhrp I get these. 10.9 is the branch and 10.1 is the head office. This is the branch result:
*Nov 28 16:19:00.866: NHRP: Setting retrans delay to 8 for nhs dst 192.168.10.1
*Nov 28 16:19:00.866: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:00.866: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:00.866: src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:19:00.866: NHRP: 84 bytes out Tunnel1 int tu
% Incomplete command.
RTR(config)#
*Nov 28 16:19:08.742: NHRP: Setting retrans delay to 16 for nhs dst 192.168.10.1
*Nov 28 16:19:08.742: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:08.742: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:08.742: src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:19:08.742: NHRP: 84 bytes out Tunnel1
*Nov 28 16:19:23.222: NHRP: Setting retrans delay to 32 for nhs dst 192.168.10.1
*Nov 28 16:19:23.222: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:23.222: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:23.222: src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:19:23.222: NHRP: 84 bytes out Tunnel1
*Nov 28 16:19:49.146: NHRP: Setting retrans delay to 64 for nhs dst 192.168.10.1
*Nov 28 16:19:49.146: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:49.146: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:49.146: src: 192.168.10.9, dst: 192.168.10.1
I did tunnel shut and then no shut and did some eigrp and nhrp debugs again:
Nov 28 16:34:19.190: NHRP: if_up: Tunnel1 proto 0
*Nov 28 16:34:19.190: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:19.190: NHRP: Cannot route packet for target 192.168.10.1
*Nov 28 16:34:19.190: NHRP: if_up: Tunnel1 proto 0
*Nov 28 16:34:19.190: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:19.194: NHRP: Cannot route packet for target 192.168.10.1
*Nov 28 16:34:19.194: NHRP: Resetting retransmit due to hold-timer for 192.168.10.1
*Nov 28 16:34:20.078: NHRP: Setting retrans delay to 2 for nhs dst 192.168.10.1
*Nov 28 16:34:20.078: NHRP: Attempting to send packet via DEST 192.168.10.1
ig)#
*Nov 28 16:34:20.078: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:20.078: src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:20.078: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:21.186: %LINK-3-UPDOWN: Interface Tunnel1, changed state to up
*Nov 28 16:34:21.886: NHRP: Setting retrans delay to 4 for nhs dst 192.168.10.1
*Nov 28 16:34:21.886: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:21.886: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:21.886: src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:21.886: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:22.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Nov 28 16:34:25.818: NHRP: Setting retrans delay to 8 for nhs dst 192.168.10.1
*Nov 28 16:34:25.818: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:25.818: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:25.818: src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:25.818: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:32.914: NHRP: Setting retrans delay to 16 for nhs dst 192.168.10.1
*Nov 28 16:34:32.914: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:32.914: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:32.914: src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:32.914: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:45.246: NHRP: Setting retrans delay to 32 for nhs dst 192.168.10.1
*Nov 28 16:34:45.246: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:45.246: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:45.246: src: 192.168.10.9, dst: 192.168.10.1
I can ping the physical IP of the head office and the head office can ping the branch, but DMVPN doesn't seem to work on this link.
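The three kinds of output posted in this thread (the `debug crypto isakmp` lines with "Death by retransmission P1" and missing outbound SAs, the `show crypto session` listing with UP-NO-IKE and Inactive IKE SAs, and the `debug nhrp` registration requests whose retransmit delay keeps doubling) all point at a control plane that never comes up, but they are easy to miss in a scrolling console. The script below is an added example, not from this thread or from Cisco: it scans a constructed sample modelled on the posts above (198.51.100.10 and 203.0.113.1 are placeholder branch and head-office addresses) and reports the symptoms per peer, which is the kind of check you can run against a saved capture when, as here, there is no syslog server.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug and show output in the thread.
# 198.51.100.10 (branch) and 203.0.113.1 (head office) are placeholders.
SAMPLE = """\
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 203.0.113.1)
*Nov 28 15:30:51.762: ISAKMP:(0:83:HW:2): starving for SPIs...
*Nov 28 15:30:58.242: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
Interface: Tunnel1
Session status: UP-NO-IKE
Peer: 203.0.113.1 port 500
  IKE SA: local 198.51.100.10/500 remote 203.0.113.1/500 Inactive
  IKE SA: local 198.51.100.10/500 remote 203.0.113.1/500 Inactive
  IPSEC FLOW: permit 47 host 198.51.100.10 host 203.0.113.1
        Active SAs: 4, origin: crypto map
*Nov 28 16:19:00.866: NHRP: Setting retrans delay to 8 for nhs dst 192.168.10.1
*Nov 28 16:19:00.866: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:08.742: NHRP: Setting retrans delay to 16 for nhs dst 192.168.10.1
*Nov 28 16:19:23.222: NHRP: Setting retrans delay to 32 for nhs dst 192.168.10.1
*Nov 28 16:19:49.146: NHRP: Setting retrans delay to 64 for nhs dst 192.168.10.1
"""

P1_DEATH = re.compile(r'deleting SA reason "Death by retransmission P1" .*\(peer (\S+)\)')
NO_OUTBOUND_SA = "couldn't find current outbound SA"
SESSION_IF = re.compile(r"^Interface: (\S+)")
SESSION_STATUS = re.compile(r"^Session status: (\S+)")
IKE_INACTIVE = re.compile(r"^IKE SA: .* remote (\S+)/\d+ Inactive$")
NHRP_BACKOFF = re.compile(r"NHRP: Setting retrans delay to (\d+) for nhs dst (\S+)")


def triage(text):
    """Scan mixed debug/show output and return the symptoms found, keyed by peer."""
    p1_timeouts = Counter()    # peer -> phase 1 SAs deleted after retransmits ran out
    inactive_ike = Counter()   # peer -> Inactive IKE SA rows in `show crypto session`
    sessions = {}              # tunnel interface -> session status other than UP-ACTIVE
    nhrp_max_backoff = {}      # NHS address -> largest registration retransmit delay seen
    no_outbound_sa_drops = 0   # packets dropped because no outbound IPsec SA exists
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        m = P1_DEATH.search(line)
        if m:
            p1_timeouts[m.group(1)] += 1
            continue
        if NO_OUTBOUND_SA in line:
            no_outbound_sa_drops += 1
            continue
        m = SESSION_IF.match(line)
        if m:
            current_if = m.group(1)
            continue
        m = SESSION_STATUS.match(line)
        if m:
            if m.group(1) != "UP-ACTIVE":
                sessions[current_if] = m.group(1)
            continue
        m = IKE_INACTIVE.match(line)
        if m:
            inactive_ike[m.group(1)] += 1
            continue
        m = NHRP_BACKOFF.search(line)
        if m:
            delay, nhs = int(m.group(1)), m.group(2)
            nhrp_max_backoff[nhs] = max(delay, nhrp_max_backoff.get(nhs, 0))
    return {
        "p1_timeouts": dict(p1_timeouts),
        "inactive_ike": dict(inactive_ike),
        "sessions": sessions,
        "nhrp_max_backoff": nhrp_max_backoff,
        "no_outbound_sa_drops": no_outbound_sa_drops,
    }


def report(result):
    """Turn the triage result into one-line findings an operator can act on."""
    lines = []
    for tun, status in result["sessions"].items():
        lines.append(f"{tun}: crypto session is {status}, not UP-ACTIVE")
    for peer, n in result["p1_timeouts"].items():
        lines.append(f"{peer}: IKE phase 1 died by retransmission {n}x; the peer's UDP/500 "
                     "replies never arrived (check the path and the pre-shared key first)")
    for peer, n in result["inactive_ike"].items():
        lines.append(f"{peer}: {n} stale Inactive IKE SA(s) still listed for this peer")
    if result["no_outbound_sa_drops"]:
        lines.append(f"{result['no_outbound_sa_drops']} packet(s) dropped for lack of an outbound IPsec SA")
    for nhs, delay in result["nhrp_max_backoff"].items():
        if delay >= 32:  # registration has been retransmitted several times with no reply
            lines.append(f"{nhs}: NHRP registration retransmit delay reached {delay}s, "
                         "so no registration reply is coming back from this NHS")
    return lines


if __name__ == "__main__":
    for finding in report(triage(SAMPLE)):
        print(finding)
```

Feed it a saved console capture instead of SAMPLE to get the same per-peer summary; the NHRP threshold of 32 seconds is an assumption chosen so that a single slow retransmit is not reported while the doubling sequence seen in the thread (8, 16, 32, 64) is.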