ISSUE with DMVPN and multiple IVRF on ASR1000

Answered Question
Jan 27th, 2012

Hello everyone,

I have a design with DMVPN where the hub is an ASR 1000 router with a public static IP address and the spokes are on ADSL. The spokes are branch offices of different clients (A and B), and I configured VRFs on the hub to separate the networks; on the hub I configured a different tunnel for each client, each in its own VRF.

The DMVPN configuration is OK on the hub and on the spokes. The issue is that only one tunnel works: when I shut down one tunnel on the hub, the other tunnel comes up, and vice versa.

Do you have any idea why this happens?



This is the design:

[attachment: DMVPN_ASR.PNG]


thanks all

Correct Answer
Marcin Latosiewicz Sat, 01/28/2012 - 02:44
Cisco Employee

This is a very generic problem; we need more details. Is it the tunnel interface status that goes down, or IPsec that goes down, or are no NHRP mappings possible?


I think it's best you open a TAC case to investigate.


M.

Acruzgreg Tue, 01/31/2012 - 13:43

The tunnel interfaces are up in the mapping. The problem is that only one NHRP mapping is up, for one spoke; when I shut down the tunnel interface for that spoke on the hub, the other spoke comes up in the NHRP mapping and in EIGRP.


I checked that in phase 2 IPsec the encryption is one-way in one VPN when both tunnel interfaces are up.


thanks

eddschulz2 Wed, 02/13/2013 - 22:46

Hi Acruzgreg,


I have the same issue as you. On a Cisco C886VA-W-E-K9 the configuration works without any problems, but not on an ASR 1001 or ASR 1002. Have you had any response from TAC so far?


regards Ed

Acruzgreg Fri, 02/15/2013 - 08:25

Hi Eberhard,


Can you attach the configuration that you are testing?


thanks

eddschulz2 Mon, 02/18/2013 - 01:15

Hi Acruzgreg,


The config below is the one which works on an 886 and not on the ASR (same config, even the IP addresses).


ip vrf blue
 rd 6207:20
!
ip vrf red
 rd 6207:10
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 authentication pre-share
crypto isakmp key XX address 19.24.132.14
crypto isakmp key XX address 19.24.132.14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 5
!
crypto ipsec transform-set red esp-null esp-sha-hmac
 mode tunnel
crypto ipsec transform-set blue esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile redProfile
 set transform-set red
 set pfs group2
!
crypto ipsec profile blueProfile
 set transform-set blue
 set pfs group2
!
interface Loopback10
 description user-net
 ip vrf forwarding red
 ip address 10.102.179.173 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1400
 shutdown
!
interface Loopback20
 description Mgmt Net
 ip vrf forwarding blue
 ip address 10.108.78.61 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1400
!
interface Tunnel0
 description DMVPN red
 bandwidth 10000
 ip vrf forwarding red
 ip address 10.255.255.20 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1388
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 10.255.255.1 19.25.132.164
 ip nhrp map multicast 19.25.132.164
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.255.1
 ip nhrp server-only
 ip nhrp registration no-unique
 ip tcp adjust-mss 1348
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key xx
 tunnel path-mtu-discovery
 tunnel protection ipsec profile redProfile
!
interface Tunnel1
 description DMVPN blue
 bandwidth 10000
 ip vrf forwarding blue
 ip address 10.0.17.10 255.255.192.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1360
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.1 19.25.132.174
 ip nhrp map multicast 19.25.132.174
 ip nhrp network-id 101
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip nhrp server-only
 ip nhrp registration no-unique
 ip tcp adjust-mss 1320
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key xx
 tunnel path-mtu-discovery
 tunnel protection ipsec profile blueProfile
!
interface GigabitEthernet0/0/0
 description uplink
 ip address 10.108.77.13 255.255.255.248
 negotiation auto
!
router bgp 6207
 bgp router-id 10.0.17.13
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf blue
  redistribute connected
  neighbor 10.0.0.1 remote-as 65421
  neighbor 10.0.0.1 description *** eBGP_Peering_blue ***
  neighbor 10.0.0.1 password 7 xxx
  neighbor 10.0.0.1 timers 10 30
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 route-map Drop_All_Prefix_In in
  neighbor 10.0.0.1 route-map Prefix_Out_blue out
 exit-address-family
 !
 address-family ipv4 vrf red
  redistribute connected
  neighbor 10.255.255.1 remote-as 65421
  neighbor 10.255.255.1 description *** eBGP_Peering_red ***
  neighbor 10.255.255.1 password 7 xxx
  neighbor 10.255.255.1 timers 10 30
  neighbor 10.255.255.1 activate
  neighbor 10.255.255.1 route-map Drop_All_Prefix_In in
  neighbor 10.255.255.1 route-map Prefix_Out_red out
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.108.77.9
ip route vrf blue 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf red 0.0.0.0 0.0.0.0 10.255.255.1
!
ip prefix-list MGT description
ip prefix-list MGT seq 10 permit 10.108.78.0/25 le 32
!
ip prefix-list No-Route description Reject all Routes
ip prefix-list No-Route seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list red_NET description Downstream TF-Hotspot-Range
ip prefix-list red_NET seq 10 permit 10.102.123.0/24 le 32
ip prefix-list red_NET seq 20 permit 10.102.161.0/25 le 32
ip prefix-list red_NET seq 30 permit 10.102.179.0/24 le 32
ip prefix-list red_NET seq 40 permit 10.102.163.0/24 le 32
ip prefix-list red_NET seq 50 permit 10.102.180.0/24 le 32
!
route-map Drop_All_Prefix_In permit 10
 description Due to Static Routing deny any incoming Routes
 match ip address prefix-list No-Route
!
route-map Prefix_Out_red permit 10
 match ip address prefix-list red_NET
!
route-map Prefix_Out_blue permit 10
 description propagate MGT
 match ip address prefix-list MGT
!

ASR--1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
     1 19.25.132.164    10.255.255.1  NHRP 00:39:23     S

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
     1 19.25.132.174        10.0.0.1    UP 00:39:23     S


The tunnel goes into the NHRP state after 30 seconds.

regards

Eberhard

Acruzgreg Tue, 02/19/2013 - 09:42

Hi,


Your config is very similar to the one I tested. My ASR does not support 2 different IPsec profiles (I don't know why), so I configured one shared profile, separating the keys by FQDN. I hope this is a problem with IOS that can be resolved.

I share the config that works for me; I hope this helps.


crypto keyring cisco
  pre-shared-key hostname branch.branchA.com key keyA
  pre-shared-key hostname cpe_maqueta_vpn2.branchB.com key keyB
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp keepalive 60
crypto isakmp profile cisco
   keyring cisco
   self-identity fqdn
   match identity host domain branchA.com
   match identity host domain branchB.com
   initiate mode aggressive
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set cisco
 set isakmp-profile cisco
!
interface Tunnel11
 ! ------------------------------
 ! YOUR CONFIG
 ! ------------------------------
 tunnel protection ipsec profile cisco shared
!
interface Tunnel12
 ! ------------------------------
 ! YOUR CONFIG
 ! ------------------------------
 tunnel protection ipsec profile cisco shared

eddschulz2 Fri, 02/22/2013 - 00:39

Hi Acruzgreg,


thanks for your config.


I solved the problem with mine.


It is not possible to have the same tunnel source interface in both tunnels.


-----------------------
OLD
-----------------------
interface Tunnel0
 description DMVPN red
 tunnel source GigabitEthernet0/0/0
!
interface Tunnel1
 description DMVPN blue
 tunnel source GigabitEthernet0/0/0

-----------------------
Changed to >>>
-----------------------
interface Tunnel0
 description DMVPN red
 tunnel source GigabitEthernet0/0/0
!
interface Tunnel1
 description DMVPN blue
 tunnel source lo10


And then NHRP is not failing anymore.


regards

eb
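The two workarounds in this thread describe the same constraint from different sides: Acruzgreg keeps both tunnels on one source interface by putting them on a single IPsec profile with the `shared` keyword, and eddschulz2 moves the second tunnel to its own source interface. Either way, two IPsec-protected mGRE tunnels must not share a tunnel source unless every tunnel on that source uses the same profile with `shared` and a distinct `tunnel key`. The following is an added example, not code from either poster or from Cisco: a small Python lint that parses an IOS configuration (indented `show running-config` output or the un-indented paste format used above) and reports tunnels that violate that rule. The sample configurations, interface names, profile names and tunnel keys embedded in it are constructed for the demonstration and modelled on the thread.

```python
"""Lint a Cisco IOS config for DMVPN tunnels that share one tunnel source.

Added example for this thread (not the posters' or Cisco's code). Rules:
  1. Protected tunnels on one source must all carry the `shared` keyword.
  2. Tunnels sharing a source must reference the same IPsec profile.
  3. Tunnels sharing a source must use distinct `tunnel key` values.
"""
import re
from collections import defaultdict

# Assumption: these abbreviations cover the interface types seen in the thread.
_ABBREV = {"gi": "gigabitethernet", "gig": "gigabitethernet", "fa": "fastethernet",
           "te": "tengigabitethernet", "lo": "loopback", "tu": "tunnel"}
# Global commands that end an interface block even when the paste is not indented.
_TOP_LEVEL = ("router ", "ip route", "ip prefix-list", "route-map ", "crypto isakmp",
              "crypto ipsec", "crypto keyring", "line ", "access-list", "vrf definition")


def canon_ifname(name):
    """Map 'Gi0/0/0', 'GigabitEthernet0/0/0', 'lo10' onto one canonical spelling."""
    m = re.fullmatch(r"([A-Za-z-]+)\s*([\d/.:]*)", name.strip())
    if not m:  # e.g. an IP address used as the tunnel source
        return name.strip().lower()
    kind, number = m.group(1).lower(), m.group(2)
    return _ABBREV.get(kind, kind) + number


def parse_tunnels(config_text):
    """Return {tunnel_name: attrs} for every 'interface TunnelN' block."""
    tunnels, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or line == "!" or low.startswith(_TOP_LEVEL):
            current = None
            continue
        if low.startswith("interface "):
            name = line.split(None, 1)[1]
            current = None
            if name.lower().startswith("tunnel"):
                current = tunnels[name] = {"source": None, "profile": None,
                                           "shared": False, "key": None}
            continue
        if current is None:
            continue
        parts, words = line.split(), low.split()
        if words[:2] == ["tunnel", "source"] and len(parts) > 2:
            current["source"] = canon_ifname(parts[2])
        elif words[:4] == ["tunnel", "protection", "ipsec", "profile"] and len(parts) > 4:
            current["profile"] = parts[4]
            current["shared"] = "shared" in words[5:]
        elif words[:2] == ["tunnel", "key"] and len(parts) > 2:
            current["key"] = parts[2]
    return tunnels


def lint_shared_sources(config_text):
    """Return a list of findings; an empty list means no shared-source conflict."""
    tunnels = parse_tunnels(config_text)
    by_source = defaultdict(list)
    for name, t in tunnels.items():
        if t["source"] and t["profile"]:  # only IPsec-protected tunnels matter
            by_source[t["source"]].append(name)
    findings = []
    for source, names in sorted(by_source.items()):
        if len(names) < 2:
            continue
        names = sorted(names)
        group = ", ".join(names)
        unshared = [n for n in names if not tunnels[n]["shared"]]
        if unshared:
            findings.append(f"{group} share tunnel source {source} but "
                            f"{', '.join(unshared)} lack(s) the 'shared' keyword; "
                            "use distinct sources or one shared IPsec profile")
        profiles = sorted({tunnels[n]["profile"] for n in names})
        if len(profiles) > 1:
            findings.append(f"{group} share tunnel source {source} but use different "
                            f"IPsec profiles {profiles}; a shared source needs one profile")
        keys = [tunnels[n]["key"] for n in names]
        if len(set(keys)) < len(keys):
            findings.append(f"{group} share tunnel source {source} but tunnel keys "
                            f"{keys} are missing or not distinct, so GRE cannot tell them apart")
    return findings


# Constructed samples modelled on the thread (keys and names are placeholders).
OLD_ASR = """\
interface Tunnel0
 description DMVPN red
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key xx
 tunnel protection ipsec profile redProfile
!
interface Tunnel1
 description DMVPN blue
 tunnel source Gi0/0/0
 tunnel mode gre multipoint
 tunnel key xx
 tunnel protection ipsec profile blueProfile
!
"""
FIXED_SOURCE = OLD_ASR.replace("tunnel source Gi0/0/0", "tunnel source lo10")
SHARED_PROFILE = """\
interface Tunnel11
 tunnel source GigabitEthernet0/0/0
 tunnel key 11
 tunnel protection ipsec profile cisco shared
!
interface Tunnel12
 tunnel source GigabitEthernet0/0/0
 tunnel key 12
 tunnel protection ipsec profile cisco shared
!
"""

if __name__ == "__main__":
    for label, cfg in (("old", OLD_ASR), ("own source", FIXED_SOURCE),
                       ("shared profile", SHARED_PROFILE)):
        print(label, lint_shared_sources(cfg) or "OK")
```

Run against the "OLD" layout the lint reports three findings (no `shared` keyword, two different profiles, identical tunnel keys); against either fix it reports none. Feeding it the output of `show running-config` works because interface blocks there are indented and terminated by `!`, which the parser also uses as block boundaries.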
