Dual DMVPN - EIGRP Routing Problem

rastaman2
Level 1

Hello Everyone,

I'm trying to set up a Dual DMVPN topology with HSRP configured between the two hub routers.

HSRP works fine. Concerning the VPN connection, everything looks good too. The spoke routers can connect to the hub's LAN and the other way around. And the command "show crypto isakmp sa" shows two VPN connections (to Hub A and Hub B) on the spoke routers, but the output of "show ip route" only has one dynamically learned entry, for Hub A. The spoke does not learn a route to Hub B, and Hub B only learns a route for the tunnel network of Hub A over the HSRP LAN interface.

Do you guys have any suggestions on how to get this working?

Greetings

Thomas

Spoke : show crypto isakmp sa

A_HS_01#sh cr is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.25    QM_IDLE           1002    0 ACTIVE
192.168.1.5     192.168.1.25    QM_IDLE           1081    0 ACTIVE


IPv6 Crypto ISAKMP SA

Spoke: show ip route

A_HS_01#sh ip route eigrp
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.1.0 [90/3072000] via 10.10.10.1, 00:46:33, Tunnel1

Spoke: config

interface Tunnel1
description *** HS_VPN_01 ***
bandwidth 1000
ip address 10.10.10.10 255.255.255.0
no ip redirects
ip mtu 1300
ip nhrp authentication test
ip nhrp map 10.10.10.1 192.168.1.1
ip nhrp map multicast 192.168.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.10.10.1
ip nhrp cache non-authoritative
load-interval 30
delay 1000
keepalive 10 3
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile xxx
!
interface Tunnel2
description *** HS_VPN_02 ***
bandwidth 1000
ip address 10.10.11.10 255.255.255.0
no ip redirects
ip mtu 1300
ip nhrp authentication test
ip nhrp map 10.10.11.1 192.168.1.5
ip nhrp map multicast 192.168.1.5
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 10.10.11.1
ip nhrp cache non-authoritative
load-interval 30
delay 1050
keepalive 10 3
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile xxx
!
interface FastEthernet0/0
description *** Kunden-LAN ***
ip address 172.16.10.1 255.255.255.0
no ip redirects
duplex auto
speed auto
!
interface FastEthernet0/1
description *** OUTSIDE (zum CoCo) ***
ip address 192.168.1.25 255.255.255.252
duplex auto
speed auto
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 10.0.0.0
network 172.16.10.0 0.0.0.255
no auto-summary
!


Hub A: show ip route eigrp

HS_VPN_01#sh ip route eigrp
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.10.0 [90/2818560] via 10.10.10.10, 00:07:57, Tunnel1
     10.0.0.0/24 is subnetted, 2 subnets
D       10.10.11.0 [90/3072000] via 172.16.1.3, 00:52:56, FastEthernet0/0

Hub A: config

interface Tunnel1
description *** Netz HS ***
bandwidth 1000
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip mtu 1300
no ip next-hop-self eigrp 1
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
load-interval 30
delay 1000
keepalive 10 3
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile xxx
!
interface FastEthernet0/0
description *** Kunden-LAN ***
ip address 172.16.1.2 255.255.255.0
no ip redirects
delay 1000
duplex auto
speed auto
standby 1 ip 172.16.1.254
standby 1 priority 20
standby 1 preempt
standby 1 name LAN
standby 1 track FastEthernet0/1
!
interface FastEthernet0/1
description *** OUTSIDE (zum CoCo) ***
ip address 192.168.1.1 255.255.255.252
duplex auto
speed auto
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
!


Hub B: sh ip route eigrp

HS_VPN_02#sh ip route eigrp
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.10.0 [90/3087360] via 172.16.1.2, 00:10:49, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.10.10.0 [90/3084800] via 172.16.1.2, 01:41:56, FastEthernet0/0


Hub B: config

interface Tunnel1
description *** Netz HS ***
bandwidth 1000
ip address 10.10.11.1 255.255.255.0
no ip redirects
ip mtu 1300
no ip next-hop-self eigrp 1
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
load-interval 30
delay 1000
keepalive 10 3
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile HeinrichSchmidt
!
interface FastEthernet0/0
description *** Kunden-LAN ***
ip address 172.16.1.3 255.255.255.0
no ip redirects
delay 1050
duplex auto
speed auto
standby 1 ip 172.16.1.254
standby 1 priority 19
standby 1 preempt
standby 1 name LAN
standby 1 track FastEthernet0/1
!
interface FastEthernet0/1
description *** OUTSIDE (zum CoCo) ***
ip address 192.168.1.5 255.255.255.252
duplex auto
speed auto
!
router eigrp 1
network 10.10.11.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
!

5 Replies

Marcin Latosiewicz
Cisco Employee

Thomas,

First of all, tunnel protection and tunnel keepalives do not mix. I'm not aware of any changes in this behavior unless it changed very recently.

Regarding meritum, does the spoke see neighbors via both tunnel interfaces? I'd also check the EIGRP topology:

- show ip eigrp neigh

- sh ip eigrp topology 172.16.0.0/24

Hope that helps, you might get a better/faster response to this in routing forums on CSC :-)

Marcin

Hey Marcin,

Thanks for your reply and the hint about the tunnel keepalives. I did not know this, since I am still a trainee ICT specialist and oriented myself on existing configurations when I did this :-P

Unfortunately I only see one EIGRP neighbor on the spoke, through Tunnel interface 1:

A_HS_01#sh ip eigrp neigh
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.10.1              Tu1               10 00:35:35    1   200  0  22

I hope you did mean "sh ip eigrp topology" for the network 172.16.1.0 /24 because for 172.16.0.0 /24 I only get the message "% IP-EIGRP (AS 1): Route not in topology table"

A_HS_01#sh ip eigrp topology 172.16.1.0 255.255.255.0
IP-EIGRP (AS 1): Topology entry for 172.16.1.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 3072000
  Routing Descriptor Blocks:
  10.10.10.1 (Tunnel1), from 10.10.10.1, Send flag is 0x0
      Composite metric is (3072000/281600), Route is Internal
      Vector metric:
        Minimum bandwidth is 1000 Kbit
        Total delay is 20000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1300
        Hop count is 1

Your idea with the routing forums sounds good to me :-) Is there a way to move this post to that forum, or do I need to write a new one?

Greetings.

Thomas

Thomas,

I think only moderators can move a thread around, I'm not one.

But it seems it might be too early to move the thread to routing.

An adjacency should be formed via both tunnels.

I see another possible configuration problem.

You're using the same tunnel source interface and the same IPsec profile "xxx"; you are missing a "shared" keyword on it.

Once you have this in, can you please check (after shut/no shut on tunnel interfaces just in case)

On hub and spokes.

"show crypto isa sa"

"show crypto ipsec sa | i ident|caps|spi"
"show ip nhrp detail"

Marcin

Marcin,

Are you talking about the source interface on the spoke? Unfortunately it has to be the same interface, because we are using Cisco 1841 with only two interfaces, one for LAN and one for WAN. Or is it possible to create subinterfaces? If it is necessary to do so, how would I do it, as there is only one LAN network address space and I think the subinterfaces would have an address conflict then? :-(

Further, it's not really clear to me what you mean by a shared keyword in the IPsec profile. In the profile itself I can only set the following things.

identity
isakmp-profile
pfs
security-association
transform-set

Regards, Thomas

edit:

I have now created two separate IPsec profiles, one for each tunnel, but still no success...

Thomas,

Regarding shared keyword :-)

BB_966(config)#int tu 0

BB_966(config-if)#tunnel protection ipsec profile BOGUS ?
  shared  Use a shared socket for the crypto connection.
 

A bit more about this you can find here:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/share_ipsec_w_tun_protect_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047623


I don't think you need to create subinterfaces. Shared keyword should be enough.

That being said, I don't even know if we have IPsec and NHRP up, that's why I asked for additional outputs in my previous post.

Marcin
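
As an added example (not part of the thread and not Cisco tooling), a small Python check for the two configuration points raised in the replies above: `keepalive` on a tunnel that also has `tunnel protection`, and several tunnels using the same `tunnel source` and IPsec profile without the `shared` keyword. The sample config is constructed from the spoke's posted tunnel interfaces; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the spoke's two tunnel interfaces, trimmed from the thread.
SPOKE_CONFIG = """\
interface Tunnel1
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel protection ipsec profile xxx
!
interface Tunnel2
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel protection ipsec profile xxx
!
"""

def parse_tunnels(config):
    """Return {tunnel name: [stripped config lines]} for each Tunnel interface."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1) if m.group(1).startswith("Tunnel") else None
        elif line.strip() == "!":
            current = None  # "!" closes the interface section
        elif current and line.strip():
            tunnels.setdefault(current, []).append(line.strip())
    return tunnels

def audit(config):
    """Flag the two issues named in the replies; returns sorted (tunnel, issue)."""
    findings, groups = [], defaultdict(list)
    for name, lines in parse_tunnels(config).items():
        prot = next((l for l in lines if l.startswith("tunnel protection ipsec profile")), None)
        if prot is None:
            continue  # unprotected tunnel: neither check applies
        src = next((l.split()[-1] for l in lines if l.startswith("tunnel source")), None)
        if any(l.startswith("keepalive") for l in lines):
            findings.append((name, "keepalive with tunnel protection"))
        words = prot.split()  # tunnel protection ipsec profile NAME [shared]
        groups[(src, words[4])].append((name, "shared" in words[5:]))
    for members in groups.values():
        if len(members) > 1:  # same source and same profile on several tunnels
            findings += [(n, "missing shared keyword") for n, shared in members if not shared]
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SPOKE_CONFIG))
```
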
