01-27-2012 10:34 AM - edited 02-21-2020 05:50 PM
Hello everyone,
I have a design with DMVPN where the hub is an ASR 1000 router with a public static IP address and the spokes are on ADSL. The spokes are branch offices of different clients (A and B), and I configured VRFs on the hub to separate the networks; on the hub I configured a different tunnel for each client with its VRF.
The DMVPN configuration is OK on the hub and on the spokes. The issue is that it only works for one tunnel: when I shut down one tunnel on the hub, the other tunnel comes up, and vice versa.
Do you have any idea why this happens?
This is the design:
Thanks all
01-28-2012 02:44 AM
This is a very generic problem we need more details - is it tunnel interface status that goes down or IPsec goes down or no NHRP mappings are possible?
I think it's best you open a TAC case to investigate.
M.
01-31-2012 01:43 PM
The tunnel interfaces are up in the mapping; the problem is that only one NHRP mapping is up, for one spoke. When I shut down the tunnel interface on the hub for this spoke, the other spoke comes up in the NHRP mapping and in EIGRP.
I checked that in IPsec phase 2 the encryption is one-way in one VPN when the two tunnel interfaces are UP.
Thanks
02-13-2013 10:46 PM
Hi Acruzgreg,
I have the same issue as you. On a Cisco C886VA-W-E-K9 the configuration works without any problems, but not on an ASR 1001 or ASR 1002. Have you had any response from TAC so far?
Regards, Ed
02-15-2013 08:25 AM
Hi Eberhard,
can you attach the configuration that you are testing?
Thanks
02-18-2013 01:15 AM
Hi Acruzgreg,
the config below is the one that works on an 886 and not on the ASR (same config, even the IP addresses).
ip vrf blue
rd 6207:20
!
ip vrf red
rd 6207:10
!
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 30
authentication pre-share
crypto isakmp key XX address 19.24.132.14
crypto isakmp key XX address 19.24.132.14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set red esp-null esp-sha-hmac
mode tunnel
crypto ipsec transform-set blue esp-aes esp-sha-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile redProfile
set transform-set red
set pfs group2
!
crypto ipsec profile blueProfile
set transform-set blue
set pfs group2
!
!
interface Loopback10
description user-net
ip vrf forwarding red
ip address 10.102.179.173 255.255.255.240
no ip redirects
no ip proxy-arp
ip tcp adjust-mss 1400
shutdown
!
interface Loopback20
description Mgmt Net
ip vrf forwarding blue
ip address 10.108.78.61 255.255.255.252
no ip redirects
no ip proxy-arp
ip tcp adjust-mss 1400
!
interface Tunnel0
description DMVPN red
bandwidth 10000
ip vrf forwarding red
ip address 10.255.255.20 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1388
ip nhrp authentication dmvpn
ip nhrp map multicast dynamic
ip nhrp map 10.255.255.1 19.25.132.164
ip nhrp map multicast 19.25.132.164
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 10.255.255.1
ip nhrp server-only
ip nhrp registration no-unique
ip tcp adjust-mss 1348
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key xx
tunnel path-mtu-discovery
tunnel protection ipsec profile redProfile
!
interface Tunnel1
description DMVPN blue
bandwidth 10000
ip vrf forwarding blue
ip address 10.0.17.10 255.255.192.0
no ip redirects
no ip proxy-arp
ip mtu 1360
ip nhrp authentication dmvpn
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 19.25.132.174
ip nhrp map multicast 19.25.132.174
ip nhrp network-id 101
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip nhrp server-only
ip nhrp registration no-unique
ip tcp adjust-mss 1320
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key xx
tunnel path-mtu-discovery
tunnel protection ipsec profile blueProfile
!
!
interface GigabitEthernet0/0/0
description uplink
ip address 10.108.77.13 255.255.255.248
negotiation auto
!
!
router bgp 6207
bgp router-id 10.0.17.13
bgp log-neighbor-changes
!
address-family ipv4 vrf blue
redistribute connected
neighbor 10.0.0.1 remote-as 65421
neighbor 10.0.0.1 description *** eBGP_Peering_blue ***
neighbor 10.0.0.1 password 7 xxx
neighbor 10.0.0.1 timers 10 30
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 route-map Drop_All_Prefix_In in
neighbor 10.0.0.1 route-map Prefix_Out_blue out
exit-address-family
!
address-family ipv4 vrf red
redistribute connected
neighbor 10.255.255.1 remote-as 65421
neighbor 10.255.255.1 description *** eBGP_Peering_red ***
neighbor 10.255.255.1 password 7 xxx
neighbor 10.255.255.1 timers 10 30
neighbor 10.255.255.1 activate
neighbor 10.255.255.1 route-map Drop_All_Prefix_In in
neighbor 10.255.255.1 route-map Prefix_Out_red out
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.108.77.9
ip route vrf blue 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf red 0.0.0.0 0.0.0.0 10.255.255.1
!
!
ip prefix-list MGT description
ip prefix-list MGT seq 10 permit 10.108.78.0/25 le 32
!
ip prefix-list No-Route description Reject all Routes
ip prefix-list No-Route seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list red_NET description Downstream TF-Hotspot-Range
ip prefix-list red_NET seq 10 permit 10.102.123.0/24 le 32
ip prefix-list red_NET seq 20 permit 10.102.161.0/25 le 32
ip prefix-list red_NET seq 30 permit 10.102.179.0/24 le 32
ip prefix-list red_NET seq 40 permit 10.102.163.0/24 le 32
ip prefix-list red_NET seq 50 permit 10.102.180.0/24 le 32
!
route-map Drop_All_Prefix_In permit 10
description Due to Static Routing deny any incoming Routes
match ip address prefix-list No-Route
!
route-map Prefix_Out_red permit 10
match ip address prefix-list red_NET
!
route-map Prefix_Out_blue permit 10
description propagate MGT
match ip address prefix-list MGT
--------------------------------------------!----
ASR--1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 19.25.132.164 10.255.255.1 NHRP 00:39:23 S
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 19.25.132.174 10.0.0.1 UP 00:39:23 S
The tunnel goes into the NHRP state after 30 seconds.
regards
Eberhard
02-19-2013 09:42 AM
Hi,
Your config is very similar to the one I test. My ASR does not support two different IPsec profiles (I don't know why), so I configured one shared profile, separating the keys by FQDN. I hope that this is a problem with IOS and that it can be resolved.
I share the config that works for me; I hope this helps.
crypto keyring cisco
pre-shared-key hostname branch.branchA.com key keyA
pre-shared-key hostname cpe_maqueta_vpn2.branchB.com key keyB
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 14400
crypto isakmp keepalive 60
crypto isakmp profile cisco
keyring cisco
self-identity fqdn
match identity host domain branchA.com
match identity host domain branchB.com
initiate mode aggressive
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
set isakmp-profile cisco
!
interface Tunnel11
-------------------------------
YOUR CONFIG
-------------------------------
tunnel protection ipsec profile cisco shared
!
interface Tunnel12
-------------------------------
YOUR CONFIG
-------------------------------
tunnel protection ipsec profile cisco shared
02-22-2013 12:39 AM
Hi Acruzgreg,
thanks for your config.
I solved the problem with mine.
It is not possible to have the same tunnel source interface in both tunnels.
-----------------------
OLD
---------------------
interface Tunnel0
description DMVPN red
tunnel source GigabitEthernet0/0/0
!
interface Tunnel1
description DMVPN blue
tunnel source GigabitEthernet0/0/0
-------------------------
Changed to>>>
------------------------
interface Tunnel0
description DMVPN red
tunnel source GigabitEthernet0/0/0
!
interface Tunnel1
description DMVPN blue
tunnel source lo10
and then NHRP is not failing anymore.
regards
eb
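The two workarounds in this thread (a separate tunnel source per mGRE tunnel, or one IPsec profile applied with the `shared` keyword) both avoid the same collision: several mGRE tunnels bound to one source interface, each with its own `tunnel protection`. The script below is an added example, not code from any of the posts, that scans an IOS-style config for exactly that pattern and also flags tunnels on a shared source that reuse the same `tunnel key` (IOS needs distinct keys to tell the GRE streams apart). The `tunnel_block` helper and the key values 100/101 are assumptions for the constructed samples; the samples themselves are built from the tunnel fragments posted above.

```python
"""Lint a Cisco IOS/IOS-XE config for the DMVPN conflict discussed in this
thread: two mGRE tunnels that share one `tunnel source` while each applies
`tunnel protection ipsec profile` without the `shared` keyword, or that reuse
the same `tunnel key`. Added example, not code from the forum posts; the
sample configs below are constructed from the posted fragments."""
import re
from collections import defaultdict


def parse_tunnels(config):
    """Return {name: fields} for every `interface TunnelN` block in `config`.
    A non-indented line (including a bare '!') ends the current block."""
    tunnels, cur = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (Tunnel\d+)$", line)
        if m:
            cur = {"name": m.group(1), "source": None, "mode": None,
                   "key": None, "profile": None, "shared": False}
            tunnels[cur["name"]] = cur
            continue
        if cur is None or not line.startswith(" "):
            cur = None
            continue
        cmd = line.split()
        if cmd[:2] == ["tunnel", "source"] and len(cmd) > 2:
            cur["source"] = cmd[2].lower()   # compared as typed, not expanded
        elif cmd[:2] == ["tunnel", "mode"]:
            cur["mode"] = " ".join(cmd[2:])
        elif cmd[:2] == ["tunnel", "key"] and len(cmd) > 2:
            cur["key"] = cmd[2]
        elif cmd[:4] == ["tunnel", "protection", "ipsec", "profile"] and len(cmd) > 4:
            cur["profile"] = cmd[4]
            cur["shared"] = "shared" in cmd[5:]
    return tunnels


def find_conflicts(tunnels):
    """Group mGRE tunnels by source interface and report collisions."""
    by_source = defaultdict(list)
    for t in tunnels.values():
        if t["mode"] == "gre multipoint" and t["source"]:
            by_source[t["source"]].append(t)
    findings = []
    for src, group in sorted(by_source.items()):
        if len(group) < 2:
            continue
        names = ", ".join(sorted(t["name"] for t in group))
        unshared = sorted(t["name"] for t in group if t["profile"] and not t["shared"])
        if unshared:
            findings.append(f"{names} share tunnel source {src}; tunnel protection "
                            f"on {', '.join(unshared)} lacks the 'shared' keyword")
        keys = [t["key"] for t in group]
        for k in sorted({k for k in keys if k is not None and keys.count(k) > 1}):
            findings.append(f"{names} share tunnel source {src} and tunnel key {k}")
    return findings


def lint(config):
    return find_conflicts(parse_tunnels(config))


def tunnel_block(name, source, key, profile, shared=False):
    """Constructed helper (assumption): a minimal mGRE tunnel block in IOS syntax."""
    prot = f" tunnel protection ipsec profile {profile}" + (" shared" if shared else "")
    return (f"interface {name}\n tunnel source {source}\n tunnel mode gre multipoint\n"
            f" tunnel key {key}\n{prot}\n!\n")


# As posted: both tunnels on GigabitEthernet0/0/0, key "xx", separate profiles.
CONFIG_POSTED = (tunnel_block("Tunnel0", "GigabitEthernet0/0/0", "xx", "redProfile")
                 + tunnel_block("Tunnel1", "GigabitEthernet0/0/0", "xx", "blueProfile"))
# Eberhard's fix: Tunnel1 gets its own source interface.
CONFIG_OWN_SOURCE = (tunnel_block("Tunnel0", "GigabitEthernet0/0/0", "xx", "redProfile")
                     + tunnel_block("Tunnel1", "Loopback10", "xx", "blueProfile"))
# Acruzgreg's variant: one profile applied with `shared`; keys 100/101 are assumed.
CONFIG_SHARED = (tunnel_block("Tunnel0", "GigabitEthernet0/0/0", "100", "cisco", True)
                 + tunnel_block("Tunnel1", "GigabitEthernet0/0/0", "101", "cisco", True))

if __name__ == "__main__":
    for label, cfg in [("posted", CONFIG_POSTED), ("own source", CONFIG_OWN_SOURCE),
                       ("shared", CONFIG_SHARED)]:
        print(f"{label}: {lint(cfg) or ['no conflict']}")
```

Run it against `show running-config` output saved to a file to check a hub before adding a second VRF tunnel. The source comparison is literal, so `lo10` and `Loopback10` are treated as different interfaces; normalise abbreviations first if your configs mix them.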
02-25-2013 10:35 AM
Great,
I will test with this config.
Thanks