Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5197
Views
0
Helpful
6
Replies

show dmvpn issue

Go to solution
ccg-security
Level 1
Level 1

‎10-21-2017 02:21 AM - edited ‎03-12-2019 04:38 AM

Hi Cisco Support,

 

May we request for your assistance as we are having an issue on "show dmvpn" as tunnel state are "ike". Is this a behavior of dmvpn? We have 4 tunnels, 1 is "UP" and 3 is"IKE". tunnel ips are reachable on Spoke router side to HUB.

Software Version is 15.2(4)M6a C2900 Router

 

Thanks!

 

Labels:
Preview file
57 KB
Preview file
63 KB
Preview file
32 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎10-21-2017 09:39 AM

Hi

 

Ike state means that your crypto hasn't been negotiated between peers.

You're pinging the wan IP used by the tunnel interface to come up but not the tunnel IP itself. 

 

can you share the output of show cry isak sa and show cry ipsec sa?

 

Have you run some debug crypto to see why you're stuck in Ike state? 

Are you using certificates or preshared key for ipsec? Validated that the key or certificates are correct. 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎10-21-2017 09:39 AM

Hi

 

Ike state means that your crypto hasn't been negotiated between peers.

You're pinging the wan IP used by the tunnel interface to come up but not the tunnel IP itself. 

 

can you share the output of show cry isak sa and show cry ipsec sa?

 

Have you run some debug crypto to see why you're stuck in Ike state? 

Are you using certificates or preshared key for ipsec? Validated that the key or certificates are correct. 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ccg-security
Level 1
Level 1
In response to Francesco Molino

‎10-23-2017 02:40 AM

Hi Francesco,

We are requesting for a "debug dmvpn detail crypto tunnel" to know where it stops and also if they can ping the tunnel ip instead the NBMA address.

Thanks!

0 Helpful

Go to solution
ccg-security
Level 1
Level 1
In response to ccg-security

‎10-23-2017 08:47 PM

Hi Francesco,

the resolution is to delete and import again the certificate. What could be the know issue for this case?

Thanks!
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ccg-security

‎10-24-2017 10:12 AM

Hi

did you checked your certificate were still valid? Have you done the debug? With these outputs, you'll be able to see where the issue was.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ccg-security
Level 1
Level 1
In response to Francesco Molino

‎10-24-2017 11:28 PM

Hi,
We didn't get any of the debugs and yes the certificates are still valid. I've ordered the client to get the debugs if the issue re occur.
Thanks!
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ccg-security

‎10-25-2017 04:51 AM

You're welcome. without debugs and clear output we can't do nothing.
Anyway, happy that reinstalling the certificate solved your issue

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents