Main DMVPN tunnel randomly stops working

Mike Buyarski
Level 3

We have many routers that are running DMVPN connections back to the corporate office. These spoke routers all have a few DMVPN tunnels. The tunnels go as follows: Main (Tunnel0), Backup (Tunnel1), Cellular backup (Tunnel2). I have found that randomly the main tunnel will lose connection and not be able to reconnect. The debugs indicate a key mismatch. But without changing the key I can restart the spoke and then all the tunnels will connect just fine. And I must stress that the only way I have found to get the main tunnel to connect is to restart the router. Nothing else I have found will get it to connect.

I have tried shutting and no shutting the tunnel.

I have tried removing and re-adding the crypto isakmp key, then resetting the tunnel.

I have tried adjusting the isakmp key by removing the subnet mask from it. Second to that, I removed a mask from one and left the others.

Here are the isakmp keys. Note that address2 and address0 are on the same subnet, with different IPs and different hub routers. The keys are different between the 3.

crypto isakmp key "key2" address "address2"    no-xauth
crypto isakmp key "key0" address "address0"    255.255.255.248 no-xauth
crypto isakmp key "key1" address "address1"   255.255.255.224 no-xauth

Here are the tunnels:

interface Tunnel0
 bandwidth 512
 ip address "spoke IP0" 255.255.255.0
 no ip redirects
 ip nhrp authentication "pw0"
 ip nhrp map "hub ip0" "address0"
 ip nhrp map multicast "address0"
 ip nhrp network-id 1
 ip nhrp nhs "hub ip0"
 zone-member security inside
 nhrp group 3MB
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 50
 tunnel protection ipsec profile net1 shared
!
interface Tunnel1
 bandwidth 256
 ip address "spoke IP1" 255.255.255.0
 no ip redirects
 ip nhrp authentication "pw1"
 ip nhrp map multicast "address1"
 ip nhrp map "hub IP1" "address1"
 ip nhrp network-id 10
 ip nhrp nhs "hub IP1"
 zone-member security inside
 nhrp group 3MB
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile net1 shared
!
interface Tunnel2
 bandwidth 128
 ip address "spoke IP2" 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nhrp authentication "pw0"
 ip nhrp map multicast "address2"
 ip nhrp map "Hub IP2" "address2"
 ip nhrp network-id 1
 ip nhrp nhs "Hub IP2"
 zone-member security inside
 tunnel source Cellular0/3/0
 tunnel mode gre multipoint
 tunnel key 150
 tunnel protection ipsec profile net2 shared

The tunnels are basically the same on many other routers where there are no issues. The main difference is the IOS version. This router's version is 15.5(3)M2. Any thoughts on why this would be? If you need anything else, please let me know.

2 Replies

Mohammad Alhyari
Cisco Employee

Hi Mike,

You are right, this looks far away from being a key mismatch. Could you please share the debugs you have? I do not mind having a look :)

Moh,

This time I do not see the key mismatch. But I did notice that for some reason the cellular interface is showing up on the hub. It should not; this hub is only the primary tunnel, and the tunnel for the cellular interface is a completely different router. Based on that, I shut down the cellular interface and reset the main tunnel (Tunnel0). It connected fine. I unshut the cellular, then that connected as well. Now they are all connected and working.