I've got a problem with developing a DMVPN network using the following setup:
I've got two routers, router1 is a 2821 using IOS 12.4(1a), router2 is a 1760 using IOS 12.3(somewhat).
router1 is our DMVPN hub.
router2 uses pppoe to establish an adsl connection to the internet, the internal lan of router2 is 10.128.0.0/24 and router2's internal ip address is 10.128.0.16.
The DMVPN tunnel uses 10.121.0.0/24 (so router1 is 10.121.0.1, router2 is 10.121.0.2) and users who connect to router1 using easyvpn and the cisco vpn client software get ips assigned starting at 10.121.0.5.
Now all crypto sessions are established, both routers use eigrp to announce their internal networks to each other and the eigrp tables look reasonable filled with routes.
When a easyvpn user connects (to router1) it can ping 10.128.0.16 (internal ip of router2) through the vpn but when I try to ping 10.128.0.17 (a server on router2's internal lan) I've struggled into problems.
According to tcpdump on the pinged server it receives echo requests from 10.121.0.5 and replies to them but these replies never arrive at the easyvpn client.
Which commands will be helpful to debug where the data get's lost? tcpdump for ios would be nice but I don't know of such a command.
Any suggestions regarding debugging this issue or maybe hints to solve this issue (maybe it's a common config error?) would be very nice.
Why is your DMVPN tunnel network using the same range of IPs as your Remote-Access users?
As for why your pings are being lost; is the default gateway of the 'server being pinged' 'router2'? If not, and it doesn't have a static route for the DMVPN tunnel/remote access network range, the machine has no idea where to send them!
The remote-access users use the same ip space because I didn't knew why to use another address space and having a single space for remote networks and users seemed reasonable to me at first, but I'll try to use separate address spaces on a second try soon.
Regarding the default route issue - I'm pretty sure I've set all routes correctly, i.e. on the pinged server I've set the route to the 10.121.0.0/24 network via 10.128.0.16 router2's internal address. I think the server wouldn't reply to pings anyway if it wouldn't know where to send the replies to.
Maybe I should setup a new test environment and try again.
I suppose it would work to use the same IP space, but it could get confusing. Especially if scaling the network at all, because what if (in your example) you were to get 5 spokes? Then you'd have DMVPN addresses boing .1 to .4 users on .5 to .n and then more DMVPN addresses on .n+1, etc. By seperating it, it gives you flexability to move things later on, without reconfiguring your network as much. And it's a real pain to bring down DMVPN sites to change their IP addresses, especially considering they're usually remote sites.
Well, if you have a defined route it should forward OK, just be sure that there aren't any ACLs blocking things too. If the machine doesn't have a specific route back to the pinging server, then it will simply forward the response to it's default gateway. Capturing traffic from the pingED machine will show it responding, even if it doesn't know how to get to it. If it's default gateway knows, it should send a redirect to the client machine, and forward the packet on to it's destination. Note that WindowsXP by default now ignores redirects, so you have to turn them back on in the firewall.
If you get it all setup again, let me know if you still end up having trouble. I know as long as the routes are set right on our network, and firewalls/ACLs are set properly, we can ping inside addresses of the DMVPN tunnel.
First of all, it worked, basically, but only for a short time and I don't know why it stopped working.
While it worked I was able to ping from a vpn client to a server on another site and vice versa and every other ping src/dst combination through the vpn worked, but some minutes later it stopped working and I don't know why.
Some details from router1:
r1#show ip eigrp topology
IP-EIGRP Topology Table for AS(65000)/ID(10.121.0.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.121.0.0/24, 1 successors, FD is 2816000
via Connected, Tunnel0
P 10.128.0.0/24, 1 successors, FD is 2841600
via 10.121.0.2 (2841600/281600), Tunnel0
--- You can see r1 knows 10.128.0.0/24 is behind 10.121.0.2 (that's r2)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.128.0.16, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms
--- 10.128.0.16 is r2's internal address.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.128.0.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
--- 10.128.0.1 is a server on r2 side, have a look at tcpdump on this server
Mostly those settings are required to allow the dynamic spoke-to-spoke tunnels to work with eigrp. Obviously you won't see that with only a single hub and spoke. There are other commands for other routing protocols like OSPF.
So CEF was the culprit though huh? I don't think i've disabled it on my routers, and they're working fine...of course it's probably on on all of them too.
I'm not all that well versed in it's operation, but it should make things faster in general. I don't have any idea why it would break it, unless for some reason being configured on only one router caused some sort of failure. But I didn't think CEF talked to other devices...
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :