Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6762
Views
10
Helpful
4
Replies

DMVPN Spoke behind PAT with 3 tunnels

sebastian.lemke
Level 1
Level 1

‎08-03-2012 08:01 AM - edited ‎02-21-2020 06:14 PM

Hi experts,

I have a DMVPN Spoke behind PAT, which has 3 Tunnels to different DMVPN Hubs (3 different Headquarter locations). 2 tunnels are not running stable, althoug the crypto isakmp sa's stay active (QM_IDLE) all the time.

Router is a 1841 running c1841-advsecurityk9-mz.124-15.T10

Here's the related Spoke config:

crypto isakmp policy 1

encr 3des

authentication pre-share

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 30

crypto isakmp nat keepalive 20

crypto ipsec transform-set set3des esp-3des esp-sha-hmac

mode transport

crypto ipsec profile prof3des

set transform-set set3des

interface Tunnel1

ip address 10.10.140.28 255.255.255.0

ip mtu 1400

ip nhrp authentication prof3des

ip nhrp map 10.10.140.1 123.123.123.123

ip nhrp network-id 1000140

ip nhrp holdtime 600

ip nhrp nhs 10.10.140.1

ip virtual-reassembly

ip tcp adjust-mss 1360

tunnel source FastEthernet0/1

tunnel destination 123.123.123.123

tunnel key 1000140

tunnel protection ipsec profile prof3des shared

(Config of the other tunnels looks the same, instead of nhrp network-id, tunnel key and ip addresses)

Here

Spoke output of "show dmvpn" show both flapping tunnels during downtime with the state "NHRP", which means, there is some problem with NHRP:

Router#sh dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 123.123.123.123    10.10.140.1  NHRP 00:11:37 S

Tunnel2, Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 234.234.234.234     10.10.70.1  NHRP 00:44:12 S

Tunnel3, Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 145.145.145.145     10.10.64.1    UP    5d19h S

Config of one of the Hub Routers:

interface Tunnel0

ip address 10.10.140.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication prof3des

ip nhrp map multicast dynamic

ip nhrp network-id 1000140

ip nhrp holdtime 600

ip virtual-reassembly

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel key 1000140

tunnel protection ipsec profile prof3des shared

(ISAKMP / IPSec Config is similar to Spoke, the other 2 hubs have similar configs as well)

Do I need to consider anything in this setup? Is it possible at all?

The PAT device (some kind of SOHO ADSL Router) is out of my control.

Thanks for your help!

Labels:
0 Helpful
4 Replies 4

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎08-03-2012 08:09 AM

Hard to say without more information (debug nhrp pack, debug nhrp ext and debug nhrp err).

I'm assuming there is no overlap and shared keyword is set where it needs.

I would start by setting no-unique flag in NHRP on spoke.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-69654F06-92CF-4124-8BF0-A1B8BBA44B02

Might be better to upen a case with TAC to have a better view.

sebastian.lemke
Level 1
Level 1
In response to Marcin Latosiewicz

‎08-03-2012 08:34 AM

Please see the requested debug attached (debug_nhrp.txt). This debug was done during a phase where 2 tunnels were "down" (forwarding no traffic).

Then suddenly out of nowhere, traffic is forwarded again:

Router#sh dmvp

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 123.123.123.123    10.10.140.1    UP 00:00:54 S

Tunnel2, Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 234.234.234.234     10.10.70.1    UP 00:01:13 S

Tunnel3, Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 145.145.145.145     10.10.64.1    UP    5d20h S

The attached file "debug_nhrp_working.txt" shows, what happens after the tunnels came "up" again. (In a few minutes, they will certainly be "down" again...)

Did I understand correctly - I should implement the following on all 3 Spoke Tunnel interfaces:

ip nhrp registration no-unique

What do you mean with "no overlap"? The PSK is set correctly on all involved routers. The temporary working connection proves, that the ISAKMP / IPSec config is OK an all routers.

(I replaced all public IPs in the debugs and the posted output. The LAN IP of Spoke is 192.168.0.244, which gets NATet to 199.199.199.199)

132736-debug_nhrp_working.txt.zip
0 Helpful

sebastian.lemke
Level 1
Level 1
In response to sebastian.lemke

‎08-07-2012 04:59 AM

I configured the "ip nhrp registration no-unique" on one of the Tunnel interfaces, but this did not make any change.

As you can see in the debugs, NHRP is detecting a loop:

Aug  3 17:14:43.275 CEST: NHRP: Loop detected while parsing Reverse Transit NHS Record extension

Aug  3 17:14:43.275 CEST: NHRP: Send Error Indication via Tunnel2 vrf 0, packet size: 289

Aug  3 17:14:43.275 CEST:  src: 10.10.70.228, dst: 10.10.70.1

Aug  3 17:14:43.275 CEST:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1

Aug  3 17:14:43.275 CEST:      shtl: 4(NSAP), sstl: 0(NSAP)

Aug  3 17:14:43.275 CEST:  (M) error code: loop detected(3), offset: 84

Aug  3 17:14:43.275 CEST:      src NBMA: 192.168.0.244

Aug  3 17:14:43.275 CEST:      src protocol: 10.10.70.228, dst protocol: 10.10.70.1

Aug  3 17:14:43.275 CEST:      Contents of error packet:

Aug  3 17:14:43.275 CEST:         00 00 00 00 05 EA 01 2C 04 00 04 00 C0 A8 00 F4

Aug  3 17:14:43.275 CEST:         0A D2 46 E4 00 00 00 00 05 EA 02 58 04 00 04 00

Aug  3 17:14:43.275 CEST:         C0 6D DE 24 0A D2 46 01 80 07 00 0B 00 00 00 01

Aug  3 17:14:43.275 CEST:         76 70 6E 63 75 73 74 00 09 00 28 00 20 00 00 05

Aug  3 17:14:43.275 CEST:         EA 00 00 04 00 04 00 C0 6D DE 24 0A D2 46 01 00

Aug  3 17:14:43.275 CEST: Authentication Extension(7):

Aug  3 17:14:43.275 CEST:   type:Cleartext(1), data:prof3des

Aug  3 17:14:43.275 CEST: NAT address Extension(9):

Does anybody know, what that means? How can I have a look in NHRP?

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to sebastian.lemke

‎08-07-2012 05:08 AM

Sebastian,

I would look into routing and check where this NHRP request is looping and why (as obvious as it sounds).

What are you using for routing protocol?

If you need some help with this - run this by TAC, the guys can look at the big picture and narrow it down.

M.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents