11-16-2012 10:04 AM - edited 02-21-2020 06:29 PM
Hello
Can you please advise me on the following: there is a DMVPN setup and I can ping the IP addresses end to end from both sides; but when doing the
11-19-2012 01:19 AM
Hello any advice on this please?
Thanks
11-19-2012 11:44 PM
Could you post some vpn config? Looks like something is wrong there.
11-20-2012 05:16 AM
Thanks Pieter
Here are some configs for it:
Please let me know if you need more information:
Remote Side
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ABCD address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
interface Tunnel0
bandwidth 128
ip address 10.146.17.169 255.255.255.224
ip access-group backup.acl out
no ip redirects
ip mtu 1400
ip nhrp authentication ABCDEF
ip nhrp map multicast dynamic
ip nhrp map multicast XXX.XXX.XXX.XXX (Public IP)
ip nhrp map 10.146.17.161 XXX.XXX.XXX.XXX (Public IP)
ip nhrp network-id 146146
ip nhrp holdtime 300
ip nhrp nhs 10.146.17.161
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1360
tunnel source FastEthernet0/1.30
tunnel mode gre multipoint
tunnel key 641641
tunnel protection ipsec profile SDM_Profile1
!
!
interface FastEthernet0/1.30
description XXXX
bandwidth 128
encapsulation dot1Q 30
ip address 10.146.17.93 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
Hub Side
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ABCD address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
interface Tunnel0
bandwidth 4096
ip address 10.146.17.161 255.255.255.224
ip access-group backup.acl out
no ip redirects
ip accounting output-packets
ip mtu 1400
ip hello-interval eigrp 146 15
ip hold-time eigrp 146 45
no ip next-hop-self eigrp 146
ip nhrp authentication ABCDE
ip nhrp map multicast dynamic
ip nhrp network-id 146146
ip tcp adjust-mss 1360
no ip split-horizon eigrp 146
load-interval 30
delay 60000
tunnel source XXX.XXX.XXX.XXX (Public IP)
tunnel mode gre multipoint
tunnel key 641641
tunnel protection ipsec profile SDM_Profile1
crypto ipsec df-bit clear
!
interface GigabitEthernet0/1.184
description Internet
encapsulation dot1Q 184
ip address XXX.XXX.XXX.XXX (Public IP) 255.255.255.252
ip access-group Internet in
no ip redirects
no ip unreachables
no ip proxy-arp
end
11-20-2012 06:54 AM
Dear Kaushik,
Please check the following:
Can you ping from tunnel interface to tunnel interface?
Is EIGRP AS 146 up (show ip eigrp neighbors)?
Do you see the remote networks installed in the active routing table (show ip route eigrp)?
Any recent changes?
HTH.
Portu.
Please rate any helpful posts
11-20-2012 06:58 AM
I also noticed this difference:
spoke side: ip nhrp authentication ABCDEF
hub side: ip nhrp authentication ABCDE
Perhaps your eigrp config is wrong, maybe you could post it also?
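The side-by-side comparison made in the post above can be automated. The following is an added example, not code from the thread or from Cisco: it pulls the settings that must agree between hub and spoke out of two IOS configs and reports any that differ. The names `MUST_MATCH`, `setting` and `compare` are hypothetical, the sample text is constructed from the lines posted above, and it assumes a single ISAKMP policy and a tunnel interface named Tunnel0.

```python
import re

# Settings that must agree on hub and spoke: (label, regex with one capture group).
MUST_MATCH = [
    ("isakmp encryption", r"^ *encr (\S+)"),
    ("isakmp DH group", r"^ *group (\d+)"),
    ("isakmp pre-shared key", r"^crypto isakmp key (\S+)"),
    ("ipsec transform-set", r"^crypto ipsec transform-set \S+ (.+)"),
    ("ipsec mode", r"^ *mode (\S+)"),
    ("nhrp authentication", r"^ *ip nhrp authentication (\S+)"),
    ("tunnel key", r"^ *tunnel key (\d+)"),
]

def setting(config, pattern):
    """First value captured by pattern in an IOS config, or None."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1).strip() if m else None

def compare(hub, spoke):
    """Return findings as strings; an empty list means the two sides agree."""
    findings = []
    for label, pattern in MUST_MATCH:
        h, s = setting(hub, pattern), setting(spoke, pattern)
        if h != s:
            findings.append(f"{label}: hub={h!r} spoke={s!r}")
    # The spoke's NHS must be the hub's tunnel address.
    nhs = setting(spoke, r"^ *ip nhrp nhs (\S+)")
    hub_ip = setting(hub, r"^interface Tunnel0\n(?:.*\n)*? *ip address (\S+)")
    if nhs != hub_ip:
        findings.append(f"nhrp nhs: spoke={nhs!r} hub tunnel={hub_ip!r}")
    return findings

# Constructed sample: the relevant lines of the two configs as posted in the thread.
TEMPLATE = """crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp key ABCD address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
interface Tunnel0
 ip address {ip} 255.255.255.224
 ip nhrp authentication {auth}
{nhs} tunnel key 641641
"""
HUB = TEMPLATE.format(ip="10.146.17.161", auth="ABCDE", nhs="")
SPOKE = TEMPLATE.format(ip="10.146.17.169", auth="ABCDEF", nhs=" ip nhrp nhs 10.146.17.161\n")

if __name__ == "__main__":
    print("\n".join(compare(HUB, SPOKE)) or "no mismatches")
```

Run against full `show running-config` output from both routers, the same function works unchanged as long as the assumptions above hold.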
11-20-2012 07:17 AM
Sorry, the authentication was a typo.
It sets up sometimes:
HUBRouter#show dmvpn int tun 0
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 Remote End Public IP 10.146.17.169 UP 00:04:09 DN
But it loses the peering again.
RemoteRouter#ping HUBEndPublicIP repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to HUBEndPublicIP, timeout is 2 seconds:
!!!!!!.!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 1168/1290/1616 ms
slb-pio-r-tech#
HubRouter#ping REMOTEEndPublicIP repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to REMOTEEndPublicIP timeout is 10 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1260/1798/3244 ms
But there are ping losses sometimes, which are very high; could that cause issues that destabilize the VPN?
Thanks again
11-20-2012 07:36 AM
Yes, please check with your ISP and fix the issue first.
HTH.
Portu
12-17-2012 11:08 AM
I have been able to set up a stable connection, but the VPN is still not passing traffic.
One thing I see is that when I do a show crypto session, the remote router shows local and remote ports as 4500, but the hub router shows the local port as 4500 and the remote as 6xxxx, which keeps on changing. Could it be causing issues in establishing the correct path, and should the port be the same on both sides?
Thanks in advance.
12-17-2012 11:54 AM
Is there anyone who could help me with the above please?
thanks
12-17-2012 12:06 PM
Can you post the ACL backup.acl which is applied on HUB site tunnel 0, also post your EIGRP config.
With Regards,
Safwan
12-17-2012 12:13 PM
This one as well, ACL Internet applied on HUB site interface GigabitEthernet0/1.184.
With Regards,
Safwan
12-17-2012 12:28 PM
Thanks Safwan for your reply:
Here are the details you want:
ip access-list extended backup.acl
permit ip host 10.146.0.83 any
permit ip host 10.146.0.42 any
permit ip host 10.146.0.24 any
permit ip host 10.146.0.124 any
permit ip host 10.146.0.44 any
permit ip host 10.146.0.35 any
permit ip host 10.146.1.140 any
deny ip any 10.146.51.0 0.0.0.255
deny ip any 10.146.50.0 0.0.0.255
deny ip any 10.146.52.0 0.0.0.255
deny ip any 10.146.54.0 0.0.0.255
deny ip any 10.146.55.0 0.0.0.255
deny ip any 10.146.56.0 0.0.0.255
deny ip any 10.146.57.0 0.0.0.255
deny ip any 10.146.58.0 0.0.0.255
deny ip any 10.146.63.0 0.0.0.255
deny ip any 10.146.150.0 0.0.0.255
deny ip any 10.146.151.0 0.0.0.255
deny ip any 10.146.152.0 0.0.0.255
deny ip any 10.146.154.0 0.0.0.255
deny ip any 10.146.155.0 0.0.0.255
deny ip any 10.146.156.0 0.0.0.255
deny ip any 10.146.157.0 0.0.0.255
deny ip any 10.146.158.0 0.0.0.255
deny ip any 10.146.163.0 0.0.0.255
deny ip host 10.146.1.111 any
deny ip any 10.146.17.240 0.0.0.15
permit ip any any
-----------------------------------------------------
!
router eigrp 146
distribute-list filter.acl out
network 10.146.0.0 0.0.255.255
network 129.87.194.177 0.0.0.0
network 192.168.1.0
network 192.168.253.0
redistribute static route-map mgmt.map
passive-interface GigabitEthernet0/1.80
passive-interface GigabitEthernet0/1.184
eigrp router-id 10.146.17.2
!
----------------------------------------------------------------------------
ip access-list extended Internet
permit icmp any any
permit tcp 137.237.226.0 0.0.0.255 host 212.39.180.62 eq 22
permit esp host 193.195.220.120 host 212.39.180.62
permit udp host 193.195.220.120 host 212.39.180.62 eq isakmp
permit udp host 193.195.220.120 host 212.39.180.62 eq non500-isakmp
permit esp host 12.47.179.107 host 212.39.180.62
permit udp host 12.47.179.107 host 212.39.180.62 eq isakmp
permit udp host 12.47.179.107 host 212.39.180.62 eq non500-isakmp
permit tcp 62.92.160.0 0.0.0.255 host 212.39.180.62 eq 22
permit esp 64.30.159.0 0.0.0.255 host 212.39.180.62
permit gre 64.30.159.0 0.0.0.255 host 212.39.180.62
permit udp 64.30.159.0 0.0.0.255 host 212.39.180.62 eq isakmp
permit udp 64.30.159.0 0.0.0.255 host 212.39.180.62 eq non500-isakmp
permit ip 64.30.159.0 0.0.0.255 host 212.39.180.62
permit udp host 195.220.94.163 host 212.39.180.62 eq ntp
deny ip any any log
please let me know your thoughts.
thanks
12-17-2012 01:30 PM
With Regards,
Safwan
12-17-2012 01:39 PM
Thanks Safwan
is the remote router IOS version: advipservicesk9-mz.124-22.T5
The DMVPN is a backup to the main link, so I think I would not be able to see it?
the distribute list acl is as follows:
ip access-list standard filter.acl
deny 10.146.17.128 0.0.0.31
deny 10.146.17.0 0.0.0.63
permit any
thanks