08-15-2017 06:55 AM - edited 02-21-2020 09:24 PM
We have many routers that are running DMVPN connections back to the corporate office. These spoke routers all have a few DMVPN tunnels. The tunnels are as follows: Main (Tunnel0), Backup (Tunnel1), Cellular backup (Tunnel2). I have found that randomly the main tunnel will lose connection and not be able to reconnect. The debugs indicate a key mismatch. But without changing the key I can restart the spoke and then all the tunnels will connect just fine. And I must stress that the only way I have found to get the main tunnel to connect is to restart the router. Nothing else I have found will get it to connect.
I have tried shutting and no shutting the tunnel.
I have tried removing and re-adding the crypto isakmp key, then resetting the tunnel.
I have tried adjusting the isakmp key by removing the subnet mask from it. Second to that, I removed a mask from one and left the others.
Here are the isakmp keys. Note address2 and address0 are on the same subnet, different IP and different hub routers. The keys are different between the 3.
crypto isakmp key "key2" address "address2" no-xauth
crypto isakmp key "key0" address "address0" 255.255.255.248 no-xauth
crypto isakmp key "key1" address "address1" 255.255.255.224 no-xauth
Here are the tunnels:
interface Tunnel0
 bandwidth 512
 ip address "spoke IP0" 255.255.255.0
 no ip redirects
 ip nhrp authentication "pw0"
 ip nhrp map "hub ip0" "address0"
 ip nhrp map multicast "address0"
 ip nhrp network-id 1
 ip nhrp nhs "hub ip0"
 zone-member security inside
 nhrp group 3MB
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 50
 tunnel protection ipsec profile net1 shared
!
interface Tunnel1
 bandwidth 256
 ip address "spoke IP1" 255.255.255.0
 no ip redirects
 ip nhrp authentication "pw1"
 ip nhrp map multicast "address1"
 ip nhrp map "hub IP1" "address1"
 ip nhrp network-id 10
 ip nhrp nhs "hub IP1"
 zone-member security inside
 nhrp group 3MB
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile net1 shared
!
interface Tunnel2
 bandwidth 128
 ip address "spoke IP2" 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nhrp authentication "pw0"
 ip nhrp map multicast "address2"
 ip nhrp map "Hub IP2" "address2"
 ip nhrp network-id 1
 ip nhrp nhs "Hub IP2"
 zone-member security inside
 tunnel source Cellular0/3/0
 tunnel mode gre multipoint
 tunnel key 150
 tunnel protection ipsec profile net2 shared
The tunnels are basically the same on many other routers where there are no issues. The main difference is the IOS version. This router's version is 15.5(3)M2. Any thoughts on why this would be? If you need anything else please let me know.
08-15-2017 01:06 PM
Hi Mike,
You are right, this looks far away from being a key mismatch. Could you please share the debugs you have? I do not mind having a look :)
Moh,
08-16-2017 08:09 AM
This time I do not see the key mismatch. But I did notice that for some reason the cellular interface is showing up on the hub. It should not; this hub is only the primary tunnel, and the tunnel for the cellular interface is a completely different router. Based on that I shut down the cellular interface and reset the main tunnel (Tunnel0). It connected fine. I unshut the cellular, then that connected as well. Now they are all connected and working.