Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
596
Views
0
Helpful
8
Replies

DMVPN Tunnel not coming up at hub

dmurray
Level 1
Level 1

‎06-02-2008 06:19 AM - edited ‎03-09-2019 08:49 PM

I'm using DocID 41940 as guidance.

Currently one hub, two satellites. Configured in accordance with reference configs on pages 25-28 of the downloaded PDF.

Problem: Hub Site NHRP does not appear to be coming online. Also, Tunnel0 at the hub is showing state of Up/Down.

NHRP on site 1 is up as is the tunnel.

No routes are being exchanged, though this is expected since the hub tunnel does not appear operational

What am I missing. I'm sure its something silly, but I've been beating on this for a couple of weeks, and I'm just not seeing it.

UNCLE!

Labels:
0 Helpful
8 Replies 8

Farrukh Haroon
VIP Alumni
VIP Alumni

‎06-02-2008 06:53 AM

Hello

> What IOS version are you running on all the routers?

> Is it possible to post the configuration of one of the working sites and one that is not working as desired?

Regards

Farrukh

0 Helpful

dmurray
Level 1
Level 1
In response to Farrukh Haroon

‎06-02-2008 08:03 AM

12.4

two 1811 ISRs. two wireless, one wired.

0 Helpful

srue
Level 7
Level 7
In response to dmurray

‎06-02-2008 08:13 AM

can you post the configs?

0 Helpful

dmurray
Level 1
Level 1
In response to srue

‎06-02-2008 08:34 AM

Here are is the config (Attached). Culled from the cisco document noted above.

Oh, and by the way, I finally saw the error.... on the actual routers, all the interfaces are FAST ethernet. When I pasted the configs in, I negelected to change the entry from 'tunnel source Ethernet0' to 'tunnel source FASTethernet0' on the hub.

GAWD... I looked and looked and looked, but somehow it just never registered till just now. I need new eyes or something.

Ah well. I knew it was simple.

Preview file
5 KB
0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to dmurray

‎06-02-2008 10:56 AM

"Oh, and by the way, I finally saw the error.... on the actual routers, all the interfaces are FAST ethernet...... "

So is it working now? Btw why you have not permitted ISAKMP udp traffic on the incoming ACLs on all routers?

Regards

Farrukh

0 Helpful

dmurray
Level 1
Level 1
In response to Farrukh Haroon

‎06-02-2008 11:14 AM

It seems to be.

Not sure why I didn't add the ISAKMP automatically, I certainly can permit it, though. Shouldn't not having it break the config?

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to dmurray

‎06-02-2008 11:30 AM

AFAIK, it should break it for sure. On a stateful firewall like CBAC,ASA/PIX you can sometimes get away with it, if the side from the 'inside' is initiating the ISAKMP udp connection the return traffic is automatically allowed back because of the 'state table'. But since these are stateless packet filters (Access Lists) it would be required.

Regards

Farrukh

0 Helpful

dmurray
Level 1
Level 1
In response to Farrukh Haroon

‎06-02-2008 03:40 PM

Thats wht I thought, and the exclusion of that entry was a complete oversight, however the fact that is still works makes one go "Hmmmm...."

:)

Thanks!

0 Helpful
Customers Also Viewed These Support Documents