
Unable to pass traffic on the Dynamic Multipoint VPN tunnel (Hub-Spoke)

aejimenez21
Level 1

I have a problem between the tunnels on my Hub-Spoke topology. I can ping the two internet interfaces, but I can't ping between the tunnels. Below is the config I have.

HUB:

interface Tunnel0
ip address 172.40.254.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source (Internet interface)
tunnel mode gre multipoint

ip route 0.0.0.0 0.0.0.0 (public IP)

------------------------------------

Spokes:


interface Tunnel25
ip address 172.40.254.2 255.255.255.252
ip mtu 1400
ip nhrp map multicast (Public IP internet)
ip nhrp map 172.16.0.1 (Public IP internet)
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
tunnel source (Interface WAN DHCP)
tunnel destination (Public IP Internet)

ip route 0.0.0.0 0.0.0.0 (Internet route)

-----------------------------------------

Debug from Spoke:


Dec 27 13:01:06.395: NHRP: Setting retrans delay to 64 for nhs dst 172.40.254.1

Dec 27 13:01:06.395: NHRP-ATTR: Requester Ext Len: Total ext_len with NHRP attribute VPE 56

Dec 27 13:01:06.395: NHRP: Attempting to send packet via DEST 172.40.254.1
Dec 27 13:01:06.395: NHRP: Send Registration Request via Tunnel25 vrf 0, packet size: 108
Dec 27 13:01:06.395: src: 172.40.254.2, dst: 172.40.254.1
Dec 27 13:01:06.395: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
Dec 27 13:01:06.395: shtl: 4(NSAP), sstl: 0(NSAP)
Dec 27 13:01:06.395: pktsz: 108 extoff: 52
Dec 27 13:01:06.395: (M) flags: "unique nat ", reqid: 65540
Dec 27 13:01:06.395: src NBMA: 190.37.128.96
Dec 27 13:01:06.395: src protocol: 172.40.254.2, dst protocol: 172.40.254.1

Dec 27 13:01:06.395: (C-1) code: no error(0)
Dec 27 13:01:06.395: prefix: 32, mtu: 17912, hd_time: 7200
Dec 27 13:01:06.395: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Dec 27 13:01:06.395: Responder Address Extension(3):
Dec 27 13:01:06.395: Forward Transit NHS Record Extension(4):
Dec 27 13:01:06.395: Reverse Transit NHS Record Extension(5):
Dec 27 13:01:06.395: Authentication Extension(7):
Dec 27 13:01:06.395: type:Cleartext(1), data:xxxx
Dec 27 13:01:06.395: NAT address Extension(9):
Dec 27 13:01:06.395: (C-1) code: no error(0)
Dec 27 13:01:06.395: prefix: 32, mtu: 17912, hd_time: 0
Dec 27 13:01:06.395: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
Dec 27 13:01:06.395: client NBMA: (Public IP Internet)
Dec 27 13:01:06.395: client protocol: 172.40.254.1
Dec 27 13:01:06.395: NHRP: 136 bytes out Tunnel25
Dec 27 13:01:06.395: NHRP-RATE: Retransmitting Registration Request for 172.40.254.1, reqid 65540, (retrans ivl 64 sec)....
Success rate is 0 percent (0/5)


Rahul Govindan
VIP Alumni

Your config looks almost correct. A few things of note:

1) The subnet masks on the tunnel interfaces on the hub and spoke are different.

2) Not sure what the "172.16.0.1" IP address is. This should be the Hub tunnel IP address.

The logs show NHRP trying to register with the hub. Do you have the same logs from the Hub? If the registration is complete, then the "show ip nhrp" output on the spoke should show the Spoke's tunnel and public IP address.

Again, one problem could be that GRE (IP protocol 47) packets might be blocked in the path, causing the NHRP registration packets never to make it to the Hub. Debugs and captures on the Hub should confirm this.

Hi Rahul,

Sorry, it was my mistake. Please check the config again and let me know any advice. On the other hand, I did another config with just a GRE tunnel with the same ISPs involved in the DMVPN config and it worked perfectly.

HUB:

interface Tunnel0
ip address 172.40.254.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source (Internet interface)
tunnel mode gre multipoint

ip route 0.0.0.0 0.0.0.0 (public IP)

------------------------------------

Spokes:


interface Tunnel25
ip address 172.40.254.2 255.255.255.252
ip mtu 1400
ip nhrp map multicast (Public IP internet)
ip nhrp map 172.40.254.1 (Public IP internet)
ip nhrp network-id 1
ip nhrp nhs 172.40.254.1
ip tcp adjust-mss 1360
tunnel source (Interface WAN DHCP)
tunnel destination (Public IP Internet)

ip route 0.0.0.0 0.0.0.0 (Internet route)

Rahul,

If you see the attachment in the first post you can see the NHRP registration. Everything looks good until I try to ping between the tunnels.

Missed the attachment. Yeah, on the hub it looks like the spoke is registered. It could be that the traffic in the direction from hub to spoke is blocked. That is why the spoke never receives a response to the registration packet, even though we know the hub received it. I would say the best way to confirm the problem is to collect captures on the WAN interface of both hub and spoke for packets between the GRE tunnel source and destination.

Good afternoon,

I am configuring a tunnel between two routers, one of them has internet access through a fixed public IP and the other has a dynamic public IP.

I can ping from end to end towards the fixed public IP, however, when configuring the tunnel it shows me the following message on one of the routers:

*Feb 20 16:37:59.069: NHRP-RATE: Retransmitting Registration Request for 10.201.201.1, reqid 66211, (retrans ivl 64 sec)
*Feb 20 16:38:51.737: NHRP-RATE: Retransmitting Registration Request for 10.201.201.1, reqid 66211, (retrans ivl 64 sec)
*Feb 20 16:40:04.109: NHRP-RATE: Retransmitting Registration Request for 10.201.201.1, reqid 66211, (retrans ivl 64 sec)
*Feb 20 16:40:57.957: NHRP-RATE: Retransmitting Registration Request for 10.201.201.1, reqid 66211, (retrans ivl 64 seC)

The tunnels are "UP".

Router 1 (fixed public IP)

R_GOLDATA_AMAGI-CANTV#show running-config interface tunnel 10
Building configuration...

Current configuration : 419 bytes
!
interface Tunnel10
description Conexion Tunel VPN
bandwidth 1024
ip address 10.201.201.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip flow egress
ip nhrp authentication v6224f8S
ip nhrp map multicast dynamic
ip nhrp network-id 908
ip nhrp holdtime 360
delay 1000
tunnel source FastEthernet0/0/1.410
tunnel mode gre multipoint
tunnel key 100000
end

 

Router 2 (dynamic IP)

 

Trinidad#show running-config interface tunnel 10
Building configuration...

Current configuration : 464 bytes
!
interface Tunnel10
description Conexion Tunel VPN
bandwidth 1024
ip address 10.201.201.19 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication v6224f8S
ip nhrp map 10.201.201.1 190.202.27.140
ip nhrp network-id 908
ip nhrp holdtime 360
ip nhrp nhs 10.201.201.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Cellular0/1/0
tunnel destination 190.202.27.140
tunnel key 100000
end

 

I hope you can help me.

 

Hi,

You have missed multicast details on the spoke tunnel:

interface Tunnel10
description Conexion Tunel VPN
bandwidth 1024
ip address 10.201.201.19 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication v6224f8S
ip nhrp map 10.201.201.1 190.202.27.140

ip nhrp map multicast 190.202.27.140

ip nhrp network-id 908
ip nhrp holdtime 360
ip nhrp nhs 10.201.201.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Cellular0/1/0
tunnel destination 190.202.27.140
tunnel key 100000
end

 

Regards,

Deepak Kumar
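
The checks raised in the replies above (tunnel subnet mask, NHS address, the unicast NHRP map, and the multicast map) can be run mechanically against a hub and spoke stanza. The following is an added example, not code from the thread or from Cisco; it also compares `ip nhrp authentication` and `tunnel key`, which goes beyond what the replies list. The function names are hypothetical, and 192.0.2.1 is a documentation address standing in for the hub's public IP.

```python
import ipaddress
import re

def parse_tunnel(cfg):
    """Collect the DMVPN-relevant lines of one 'interface Tunnel' stanza."""
    t = {"maps": {}, "mcast": [], "nhs": []}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            t["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip nhrp map multicast (\S+)$", line):
            t["mcast"].append(m[1])       # tested before the unicast map pattern
        elif m := re.match(r"ip nhrp map (\S+) (\S+)$", line):
            t["maps"][m[1]] = m[2]        # tunnel address -> NBMA (public) address
        elif m := re.match(r"ip nhrp nhs (\S+)$", line):
            t["nhs"].append(m[1])
        elif m := re.match(r"(ip nhrp authentication|tunnel key) (\S+)$", line):
            t[m[1]] = m[2]
    return t

def check_spoke(hub_cfg, spoke_cfg):
    """Return findings for a spoke stanza compared with its hub stanza."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    hub_ip, out = str(hub["ip"].ip), []
    if hub["ip"].network != spoke["ip"].network:
        out.append(f"tunnel subnet differs: hub {hub['ip'].network}, spoke {spoke['ip'].network}")
    for nhs in spoke["nhs"] or [None]:
        if nhs != hub_ip:
            out.append(f"ip nhrp nhs {nhs} is not the hub tunnel address {hub_ip}")
    if hub_ip not in spoke["maps"]:
        out.append(f"no 'ip nhrp map {hub_ip} <hub public IP>' on the spoke")
    if not spoke["mcast"]:
        out.append("no 'ip nhrp map multicast <hub public IP>' on the spoke")
    for key in ("ip nhrp authentication", "tunnel key"):
        if hub.get(key) != spoke.get(key):
            out.append(f"'{key}' differs between hub and spoke")
    return out

# Constructed sample: the first post's stanzas; 192.0.2.1 stands in for the hub's public IP.
HUB = """interface Tunnel0
 ip address 172.40.254.1 255.255.255.0
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint"""
SPOKE = """interface Tunnel25
 ip address 172.40.254.2 255.255.255.252
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 172.16.0.1 192.0.2.1
 ip nhrp nhs 172.16.0.1"""

for finding in check_spoke(HUB, SPOKE):
    print(finding)
```

An empty result means only that these static settings agree; it does not show that GRE is passing in both directions, which still needs the captures suggested earlier in the thread.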
