
NHRP protocol fails in DMVPN

Xierachel
Level 1
Ask for help

Now I'm building a DMVPN, but I haven't succeeded in the NHRP protocol. Show ip NHRP on the hub has no entries. On the hub, debug NHRP appears as follows:

Jul 24 08:55:58.774: NHRP: if_up: Tunnel1 proto 'NHRP_IPv4'
Jul 24 08:55:58.774: NHRP: Registration with Tunnels Decap Module succeeded
Jul 24 08:55:58.774: NHRP: Adding all static maps to cache
Jul 24 08:55:59.774: NHRP: Unable to send Registration - no NHSes configured
Jul 24 16:56:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
Jul 24 08:56:00.774: NHRP: if_up: Tunnel1 proto 'NHRP_IPv4'
Jul 24 08:56:00.774: NHRP: Registration with Tunnels Decap Module succeeded
Jul 24 08:56:00.774: NHRP: Adding all static maps to cache
Jul 24 08:56:00.774: NHRP: Unable to send Registration - no NHSes configured
Jul 24 16:56:00: %LINK-3-UPDOWN: Interface Tunnel1, changed state to up
Jul 24 08:56:01.774: NHRP: Unable to send Registration - no NHSes configured

My configuration is as follows:

hub:

interface Tunnel1
ip address 192.168.9.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp registration timeout 5
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 123456

spoke:

interface Tunnel1
ip address 192.168.9.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 11.11.11.11
ip nhrp map 192.168.9.1 11.11.11.11
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp nhs 192.168.9.1
ip nhrp registration timeout 5
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123456

Hi,
If the error "NHRP: Unable to send Registration - no NHSes configured" was generated on the hub, that would be correct because it's the hub and does not have an NHS configured.

The debugs from the spoke would provide more useful information.

Can you provide the full configuration of the hub and spoke routers?
Do the hub and spoke routers have connectivity between themselves? Can you ping the outside interface from the other router?

HI RJI,

The debugs from the spoke 

*Jul 24 11:40:45.470: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 105
*Jul 24 11:40:45.470: src: 192.168.9.2, dst: 192.168.9.1
*Jul 24 11:40:45.470: NHRP: 133 bytes out Tunnel1
*Jul 24 11:40:45.470: NHRP: Resetting retransmit due to hold-timer for 192.168.9.1
*Jul 24 11:40:50.470: NHRP: Attempting to send packet through interface Tunnel1 via DEST dst 192.168.9.1
*Jul 24 11:40:50.470: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 105
*Jul 24 11:40:50.470: src: 192.168.9.2, dst: 192.168.9.1
*Jul 24 11:40:50.470: NHRP: 133 bytes out Tunnel1
*Jul 24 11:40:50.470: NHRP: Resetting retransmit due to hold-timer for 192.168.9.1
*Jul 24 11:40:55.470: NHRP: Attempting to send packet through interface Tunnel1 via DEST dst 192.168.9.1
*Jul 24 11:40:55.470: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 105
*Jul 24 11:40:55.470: src: 192.168.9.2, dst: 192.168.9.1
*Jul 24 11:40:55.470: NHRP: 133 bytes out Tunnel1

 

---------------------------------------------

 

HERE IS SPOKE CONFIGURATION

Cybertron-Core_2900#show running-config

crypto isakmp policy 10

encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key cybertron address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set cyber esp-des esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC
!
!
!
crypto dynamic-map cyber 10
reverse-route
!
!
crypto map cyber 10 ipsec-isakmp
set peer 183.238.XX.66
set transform-set cyber
match address VPN
!
crypto map map client authentication list remote
crypto map map isakmp authorization list remote
crypto map map client configuration address respond
crypto map map 10 ipsec-isakmp dynamic cyber
!
!
!
!
!
interface Tunnel1
ip address 192.168.9.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 183.238.XX.66
ip nhrp map 192.168.9.1 183.238.XX.66
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp nhs 192.168.9.1
ip nhrp registration timeout 5
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123456
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.101
description Cybertron_Wlan
encapsulation dot1Q 101
ip address 192.168.101.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.102
description WLAN_GUEST
encapsulation dot1Q 102
ip address 192.168.102.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/2
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1352
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username 07554200194657 password 0 ALTCSSSSS
no cdp enable
!
router ospf 100
router-id 192.168.20.1
network 172.16.1.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server

 

 

----------------------------

 

HUB CONFIGURATION

interface Tunnel1
ip address 192.168.9.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp registration timeout 5
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 255
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 123456
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip flow monitor netflow-monitor output
ip nat inside
no ip virtual-reassembly in
ip tcp adjust-mss 1400
duplex auto
speed auto
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.10.254
!
interface GigabitEthernet0/1
ip address 183.238.XX.6 255.255.255.248
ip access-group denysip in
ip access-group fragments out
ip nat outside
no ip virtual-reassembly in
ip tcp adjust-mss 1400
duplex auto
speed auto
media-type rj45
crypto map map
!
interface GigabitEthernet0/2
ip address 192.168.255.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
ip nat inside
ip virtual-reassembly in
tunnel source GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PRO_N
!
interface Dialer1
no ip address
!
router ospf 100
router-id 192.168.10.1
redistribute connected
redistribute static subnets
network 172.16.1.0 0.0.0.255 area 0
network 192.168.9.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0

 

-------------------------------------------------------------

Headquarters has a fixed IP and can ping. The branch is on ADSL. The operators restrict ping.

You don't have an IPSec profile attached to the Tunnel interfaces, therefore the traffic would be unencrypted GRE. Is GRE permitted inbound to both routers? If the operators are blocking ping, could they be blocking other communication?

Take a packet-capture on the hub router and confirm whether you see any inbound traffic from the spoke

HTH
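
The point raised in the last reply (a GRE tunnel with no IPsec profile attached carries NHRP and user traffic unencrypted) can be checked mechanically. The following is an added example, not part of any reply in the thread: a small audit that reads an IOS-style configuration and reports GRE tunnel interfaces with no `tunnel protection ipsec profile` line, along with profiles that are defined but never attached. The names `audit_tunnels`, `PROTECT` and `SAMPLE_CONFIG` are hypothetical, and the sample is trimmed from the spoke configuration posted above.

```python
# Constructed sample, trimmed from the spoke configuration posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC
!
interface Tunnel1
ip address 192.168.9.2 255.255.255.0
ip nhrp nhs 192.168.9.1
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123456
!
interface Dialer1
ip address negotiated
!
"""

PROTECT = "tunnel protection ipsec profile "

def audit_tunnels(config):
    """Report GRE tunnels without IPsec protection; stanzas are assumed to end at "!"."""
    profiles, stanzas, current = set(), {}, None
    # Indentation is ignored because the forum paste has none.
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("crypto ipsec profile "):
            profiles.add(line.split()[3])
            current = None
        elif line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current and line:
            stanzas[current].append(line)
    report = {"unprotected": [], "undefined_profile": [], "unused_profiles": []}
    used = set()
    for name, cmds in stanzas.items():
        refs = [c.split()[4] for c in cmds if c.startswith(PROTECT)]
        used.update(refs)
        report["undefined_profile"] += [(name, r) for r in refs if r not in profiles]
        # Only stanzas with an explicit "tunnel mode gre ..." line are checked.
        if any(c.startswith("tunnel mode gre") for c in cmds) and not refs:
            report["unprotected"].append(name)
    report["unused_profiles"] = sorted(profiles - used)
    return report

print(audit_tunnels(SAMPLE_CONFIG))
```

On the sample this flags Tunnel1 as unprotected and IPSEC_PROFILE as defined but unused, which matches the reply's observation about the posted spoke configuration.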