11-16-2012 10:04 AM - edited 02-21-2020 06:29 PM
Hello
Can you please advise me on the following: there is a DMVPN setup and I can ping the IP addresses end to end from both sides; but when doing the
12-17-2012 01:42 PM
One issue I am seeing, which I would be grateful if you could kindly clarify,
is on the hub router, where I am seeing this:
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 64.30.159.34 port 61129
IKE SA: local 212.39.180.62/4500 remote 64.30.159.34/61129 Active
IPSEC FLOW: permit 47 host 212.39.180.62 host 64.30.159.34
Active SAs: 2, origin: crypto map
On the remote end:
sh crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 212.39.180.62 port 4500
IKE SA: local 10.146.17.113/4500 remote 212.39.180.62/4500 Active
Should not the hub have 4500 as the remote port as well? Could it cause an issue? Or is it irrelevant?
Thanks
12-18-2012 03:38 AM
That's normal, since your ISP is doing PAT for your spoke router IP. Since PAT is in use, you have to change the IPsec mode from transport to tunnel on hub and spoke.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
Do clear ip nhrp on HUB and Spoke and give it a try.
Note: On your setup, the tunnel will only come up if you are initiating the traffic from the spoke, so do a shut and no shut of the tunnel interface on the spoke router.
If I understood your problem correctly this will resolve the issue.
With Regards,
Safwan
Don't forget to rate helpful posts
12-18-2012 03:51 AM
Thanks for your reply. But this is a setup that was working with an earlier version of the ISP device. This is a new device that they have started rolling out. The mode transport used to work with the previous setup. Is it something they could have changed that would have affected this? They used to PAT on their side as well.
12-18-2012 04:03 AM
Might be your ISP changed from static NAT to PAT, or might have added one more router behind the same public IP, with port 4500 occupied by that new router.
For the crypto consideration, please check below link.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp37763
With Regards,
Safwan
12-18-2012 04:45 AM
Thanks
I will check that up.
Below is the crypto config; do you still feel the 61129 is correct? The ISP device has a static public IP assigned
to it; should it not come up as 4500?
Remote
sh run | include crypto ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Hub
sh run | include crypto ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
is already there; only it still uses mode transport, as part of the old setup, which worked.
12-18-2012 05:09 AM
If the ISP is doing static NAT for your spoke router IP then it should come up with 4500. If the ISP is doing PAT for your spoke router IP then the tunnel will come up with different ports; this is a normal scenario.
I would suggest you add the below configuration and give it a try first.
On the Spoke:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
On the HUB:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
With Regards,
Safwan
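As an added illustration of the point made above (not part of the thread), the snippet below parses the IKE SA line of "show crypto session", infers from the negotiated ports whether the peer sits behind static NAT or PAT, and flags the PAT-plus-transport-mode combination the post advises against. The sample output is constructed from the hub-side text quoted earlier in the thread; the function names are my own.

```python
import re

# Constructed sample, modelled on the hub-side "show crypto session" output
# quoted earlier in this thread.
HUB_SESSION = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 64.30.159.34 port 61129
IKE SA: local 212.39.180.62/4500 remote 64.30.159.34/61129 Active
IPSEC FLOW: permit 47 host 212.39.180.62 host 64.30.159.34
Active SAs: 2, origin: crypto map
"""

IKE_SA_RE = re.compile(
    r"IKE SA: local (?P<lip>\S+)/(?P<lport>\d+) remote (?P<rip>\S+)/(?P<rport>\d+)"
)

def parse_ike_sas(text):
    """Return one dict per 'IKE SA:' line with local/remote address and port."""
    return [
        {"local": m["lip"], "local_port": int(m["lport"]),
         "remote": m["rip"], "remote_port": int(m["rport"])}
        for m in IKE_SA_RE.finditer(text)
    ]

def classify_nat(sa):
    """Infer the translation type from the ports IKE ended up on.

    500/500    -> no NAT-T in use
    4500/4500  -> NAT-T, peer's source port preserved (static 1:1 NAT)
    4500/other -> NAT-T, peer's source port rewritten (PAT / overload)
    """
    if sa["local_port"] == 500 and sa["remote_port"] == 500:
        return "no-nat"
    if sa["remote_port"] == 4500:
        return "static-nat"
    return "pat"

def check_transform_mode(sa, mode):
    """Flag the combination the post warns about: a PATed peer with
    'mode transport' on the transform-set."""
    nat = classify_nat(sa)
    if nat == "pat" and mode == "transport":
        return ("WARN: peer is PATed (remote port %d) with mode transport; "
                "use 'mode tunnel' or ask for static NAT" % sa["remote_port"])
    return "OK: nat=%s mode=%s" % (nat, mode)
```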
12-18-2012 05:48 AM
Thanks again.
Actually, I cannot change the mode to tunnel, as there is another live IPsec DMVPN tunnel, using another ISP provider, which uses the same tunnel; it is established and has traffic flowing through it.
Remote Router < ---------- > Hub Router < ---------- > Backhaul Router
The Hub to Backhaul tunnel is established and uses:
sh run | section crypto ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
#pkts encaps: 4665202, #pkts encrypt: 4665202, #pkts digest: 4665202
#pkts decaps: 1787431, #pkts decrypt: 1787431, #pkts verify: 1787431
It uses 4500 on all possible ports for it as well.
12-18-2012 06:20 AM
Then ask your ISP to do static NAT for the remote router IP, and make sure with them that UDP/500, UDP/4500 and ESP are open between hub and remote router.
With Regards,
Safwan