Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

DMVPN + Cisco VPN Client = trouble?

For a while three routers where connected through DMVPN hub-and-spoke tunnels.

On the central router split horizon was disabled to distribute routing information accross the tunnels to the remote site which is like the central site running EIGRP.

The central router is used as Cisco VPN Client server. Last wednesday I configured both spoke routers to accept client VPN connections. Since last sunday the tunnels stop transporting traffic. When viewing EIGRP neighbor table I see that the neighboring router stop responding. I am unable to ping the other end of the tunnel from hub-to-spoke and vice versa.

I guess it's the changes I've made on wednesday, but what prevents traffic to access the tunnel?

Router#sh ip nhrp detail via, Tunnel0 created 00:23:22, never expire

Type: static, Flags: authoritative

NBMA address:

Router#sh int tu0

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Description: spoke-to-hub

Internet address is

MTU 1514 bytes, BW 8000 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source (Serial0/0/1), destination

Tunnel protocol/transport GRE/IP, key 0x8000, sequencing disabled

Tunnel TTL 255

Checksumming of packets disabled, fast tunneling enabled

Tunnel transmit bandwidth 8000 (kbps)

Tunnel receive bandwidth 8000 (kbps)

Tunnel protection via IPSec (profile "SDM_Profile1")

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 346

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

<Configuration snippet>

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp policy 20

hash md5

authentication pre-share

crypto isakmp key TunnelSecret address 66.x.x.1

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 30 5

crypto isakmp xauth timeout 10

crypto isakmp client configuration group Cisco

key CiscoVPNClient



domain network.local

pool SDM_POOL_1

acl ClientVPNRoute

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

crypto ipsec profile SDM_Profile1

set transform-set 3DES-SHA

set pfs group2

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set 3DES-SHA


crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

interface Tunnel0

description spoke-to-hub

bandwidth 8000

ip address

ip mtu 1500

ip nhrp authentication DMVPN

ip nhrp map

ip nhrp map multicast

ip nhrp network-id 1

ip nhrp nhs

tunnel source Serial0/0/1

tunnel destination

tunnel key xxx

tunnel protection ipsec profile SDM_Profile1

ip local pool SDM_POOL_1

ip access-list extended ClientVPNRoute

permit ip any

permit ip any

Any help would be appreciated.



Re: DMVPN + Cisco VPN Client = trouble?

If you have enabled XAUTH for the VPN clients and the site-to-site IPSec tunnel is also on that interface, then the site-to-site tunnel will try to have XAUTH and will fail. You need to disable XAUTH for the site-to-site tunnel.

CreatePlease to create content