11-29-2005 12:16 PM - edited 02-21-2020 02:07 PM
For a while, three routers were connected through DMVPN hub-and-spoke tunnels.
On the central router, split horizon was disabled to distribute routing information across the tunnels to the remote site, which, like the central site, is running EIGRP.
The central router is used as a Cisco VPN Client server. Last Wednesday I configured both spoke routers to accept client VPN connections. Since last Sunday the tunnels have stopped transporting traffic. When viewing the EIGRP neighbor table I see that the neighboring router has stopped responding. I am unable to ping the other end of the tunnel from hub to spoke and vice versa.
I guess it's the changes I made on Wednesday, but what prevents traffic from accessing the tunnel?
Router#sh ip nhrp detail
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 00:23:22, never expire
Type: static, Flags: authoritative
NBMA address: 66.55.44.1
Router#sh int tu0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Description: spoke-to-hub
Internet address is 192.168.0.2/24
MTU 1514 bytes, BW 8000 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 88.77.66.1 (Serial0/0/1), destination 66.55.44.1
Tunnel protocol/transport GRE/IP, key 0x8000, sequencing disabled
Tunnel TTL 255
Checksumming of packets disabled, fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "SDM_Profile1")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 346
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
<Configuration snippet>
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key TunnelSecret address 66.x.x.1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 10
crypto isakmp client configuration group Cisco
key CiscoVPNClient
dns 172.16.0.1
wins 172.16.0.1
domain network.local
pool SDM_POOL_1
acl ClientVPNRoute
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set transform-set 3DES-SHA
set pfs group2
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set 3DES-SHA
reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Tunnel0
description spoke-to-hub
bandwidth 8000
ip address 192.168.0.2 255.255.255.0
ip mtu 1500
ip nhrp authentication DMVPN
ip nhrp map 192.168.192.1 66.55.44.1
ip nhrp map multicast 66.55.44.1
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source Serial0/0/1
tunnel destination 66.55.44.1
tunnel key xxx
tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_1 172.16.0.128 172.16.0.191
ip access-list extended ClientVPNRoute
permit ip 172.16.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
Any help would be appreciated.
TIA
12-05-2005 11:25 AM
If you have enabled XAUTH for the VPN clients and the site-to-site IPSec tunnel is also on that interface, then the site-to-site tunnel will try to have XAUTH and will fail. You need to disable XAUTH for the site-to-site tunnel.
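The change the reply describes, written out against the spoke configuration from the original post as an added example (this is not part of either post). IOS exempts a specific IKE peer from XAUTH with the no-xauth keyword on that peer's pre-shared key entry. The address 66.55.44.1 is the hub's tunnel destination shown in the post; the key line in the post was masked as 66.x.x.1, so the example assumes both refer to the same hub address.

```cisco
! Before (as posted): the hub's pre-shared key carries no XAUTH exemption.
! Once "crypto map SDM_CMAP_1 client authentication list ..." is applied to
! the same interface, IKE with the hub also expects an XAUTH exchange, the
! site-to-site SA never completes, and the DMVPN tunnel carries no traffic.
crypto isakmp key TunnelSecret address 66.55.44.1

! After: mark the site-to-site peer as exempt from XAUTH while the VPN
! clients (which have no "address" key entry) still go through XAUTH.
! 66.55.44.1 assumed equal to the masked 66.x.x.1 from the post.
crypto isakmp key TunnelSecret address 66.55.44.1 no-xauth

! Verification steps (commands only; no output is reproduced here):
! clear any stale SA toward the hub, then confirm phase 1 reaches QM_IDLE,
! that IPsec SAs exist for the hub, and that the EIGRP neighbor comes back.
! clear crypto isakmp
! show crypto isakmp sa
! show crypto ipsec sa peer 66.55.44.1
! show ip eigrp neighbors
```

Apply the no-xauth keyword on every router that terminates both VPN clients and the DMVPN tunnel on the same interface; on the hub, which the post says also serves VPN clients, the matching key entry would name each spoke's tunnel source (for example 88.77.66.1 from the spoke's show interface output), assuming the hub's key lines are keyed by address in the same way.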