03-18-2018 08:42 PM - edited 03-12-2019 05:07 AM
Hy All,
i get some probelm with my router. today i run dmvpn dual hub with cisco 4351 running ios XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1) and this normally but i get probelm using spoke with router 1841 ios
Version 12.4(24)T5, RELEASE SOFTWARE (fc3). can someone help me, that's bug or dual hub dmvpn can't run on cisco router 1841 ???
This my topology and diagnostic.
This HUB use 4351
========================================================
4351-Hub#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.100 172.77.1.11 UP 00:21:15 D
4351-Hub#sh crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 112.215.244.129 port 62136
Session ID: 0
IKEv1 SA: local 152.X.X.28/4500 remote 112.215.244.129/62136 Active
IPSEC FLOW: permit 47 host 202.X.X.28 host 192.168.1.100
Active SAs: 2, origin: crypto map
Interface: (unknown) <== may be this tunnel from 1841
Session status: DOWN-NEGOTIATING
Peer: 36.74.32.39 port 64916
Session ID: 0
IKEv1 SA: local 152.X.X.28/4500 remote 36.74.32.39/64916 Inactive
4351-Hub#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
152.X.X.28 112.215.244.129 QM_IDLE 1009 ACTIVE
152.X.X.28 36.74.32.39 QM_IDLE 1023 ACTIVE
152.X.X.28 36.74.32.39 MM_NO_STATE 1022 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Spoke 1841
=======================================================================
Spoke-1841#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 152.X.X.26 172.77.0.1 UP 00:38:21 S
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 152.X.X.28 172.77.1.1 IKE never S
Spoke-1841#sh crypto session
Crypto session current status
Interface: Tunnel1
Session status: DOWN
Peer: 152.X.X.28 port 500
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28
Active SAs: 0, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 152.X.X.26 port 4500
IKE SA: local 172.88.3.3/4500 remote 152.X.X.26/4500 Active
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.26
Active SAs: 2, origin: crypto map
Interface: Tunnel0 <== why this tunnel0, i config ip 152.X.X.28 tunnel 1
Session status: UP-ACTIVE
Peer: 152.X.X.28 port 4500
IKE SA: local 172.88.3.3/4500 remote 152.X.X.28/4500 Active
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28
Active SAs: 2, origin: crypto map
Spoke-1841#sh run | sec interface Tunnel0
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
ip address 172.77.0.2 255.255.255.0
no ip redirects
ip nhrp authentication DMVPN2
ip nhrp map multicast dynamic
ip nhrp map 172.77.0.1 152.X.X.26
ip nhrp map multicast 152.X.X.26
ip nhrp network-id 1
ip nhrp nhs 172.77.0.1
tunnel source FastEthernet0/1/0
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
Spoke-1841#sh run | sec interface Tunnel1
interface Tunnel1
ip address 172.77.1.78 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN1
ip nhrp map multicast 152.X.X.28
ip nhrp map 172.77.1.1 152.X.X.28
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 172.77.1.1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/1/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile protec-gus
Spoke-1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
152.X.X.26 172.88.3.3 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ROuter 4351-Spoke ( Run Normally with no probelm, configuration same 1841 )
================================================================
4351-SPoke#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 152.X.X.26 172.77.0.1 UP 00:34:58 S
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 152.X.X.28 172.77.1.1 UP 00:35:39 S
4351-SPoke#sh crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 202.152.49.28 port 4500
Session ID: 0
IKEv1 SA: local 192.168.1.100/4500 remote 152.X.X.28/4500 Active
IPSEC FLOW: permit 47 host 192.168.1.100 host 152X.X.28
Active SAs: 2, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 152.X.X.26 port 4500
Session ID: 0
IKEv1 SA: local 192.168.1.100/4500 remote 152.X.X.26/4500 Active
IPSEC FLOW: permit 47 host 192.168.1.100 host 152.X.X.26
Active SAs: 2, origin: crypto map
4351-SPoke#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
152.X.X.28 192.168.1.100 QM_IDLE 1001 ACTIVE
152.X.X.26 192.168.1.100 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
+++++++++++++++++++++++++++++++++++++++++++++++++++++
03-19-2018 02:20 AM
03-19-2018 03:06 AM
This my probelm
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 152.X.X.26 port 4500
IKE SA: local 172.88.3.3/4500 remote 152.X.X.26/4500 Active
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.26
Active SAs: 2, origin: crypto map
Interface: Tunnel0 <== why this tunnel0, i'm configure with ip 152.X.X.28 tunnel 1
Session status: UP-ACTIVE
Peer: 152.X.X.28 port 4500
IKE SA: local 172.88.3.3/4500 remote 152.X.X.28/4500 Active
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28
Active SAs: 2, origin: crypto map
This my configuration
Spoke-1841#sh run | sec interface Tunnel0
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
ip address 172.77.0.2 255.255.255.0
no ip redirects
ip nhrp authentication DMVPN2
ip nhrp map multicast dynamic
ip nhrp map 172.77.0.1 152.X.X.26
ip nhrp map multicast 152.X.X.26
ip nhrp network-id 1
ip nhrp nhs 172.77.0.1
tunnel source FastEthernet0/1/0
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
Spoke-1841#sh run | sec interface Tunnel1
interface Tunnel1
ip address 172.77.1.78 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN1
ip nhrp map multicast 152.X.X.28
ip nhrp map 172.77.1.1 152.X.X.28
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 172.77.1.1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/1/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile protec-gus
Note : My configuration run normally on router 4351-spoke
03-19-2018 04:27 AM
03-19-2018 08:18 PM
Yes 1841-spoke ip is 172.77.0.2 and hub-3825 172.77.0.1, and 1841-spoke tunnel 1 ip 172.77.1.78 and hub-4351 172.77.1.1
ip peer destination hub-4351 = 152.X.X.28
ip peer destination hub-3825 = 152.X.X.26
Spoke-1841#sh crypto session
Crypto session current status
Interface: Tunnel1
Session status: DOWN
Peer: 152.X.X.28 port 500
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28
Active SAs: 0, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 152.X.X.26 port 4500
IKE SA: local 172.88.3.3/4500 remote 152.X.X.26/4500 Active
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.26
Active SAs: 2, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 152.X.X.28 port 4500
IKE SA: local 172.88.3.3/4500 remote 152.X.X.28/4500 Active
IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28
Active SAs: 2, origin: crypto map
so, why this router create crypto session two tunnel0 with different ip peer destination?
btw u know what case we discussion ?
03-25-2018 11:48 PM
Up up Up
Sundul gan
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide