
DMVPN Dual HUB Can't Connect

agussang
Level 1

Hi all,

 

I have a problem with my router. Today I am running DMVPN dual hub with a Cisco 4351 running IOS XE Software, Version 03.16.04b.S - Extended Support Release, Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1), and this runs normally, but I get a problem using a spoke with an 1841 router, IOS Version 12.4(24)T5, RELEASE SOFTWARE (fc3). Can someone help me? Is that a bug, or can't dual hub DMVPN run on a Cisco 1841 router?

This is my topology and diagnostics.

DMVPN.jpg

This hub uses a 4351

========================================================

4351-Hub#sh dmvpn 

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

N - NATed, L - Local, X - No Socket

T1 - Route Installed, T2 - Nexthop-override

C - CTS Capable

# Ent --> Number of NHRP entries with same NBMA peer

NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

 

Interface: Tunnel1, IPv4 NHRP Details 

Type:Hub, NHRP Peers:1, 

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 192.168.1.100       172.77.1.11    UP 00:21:15     D

4351-Hub#sh crypto session 

Crypto session current status

 

Interface: Tunnel1

Session status: UP-ACTIVE     

Peer: 112.215.244.129 port 62136 

  Session ID: 0  

  IKEv1 SA: local 152.X.X.28/4500 remote 112.215.244.129/62136 Active 

  IPSEC FLOW: permit 47 host 202.X.X.28 host 192.168.1.100 

        Active SAs: 2, origin: crypto map

 

Interface: (unknown) <== maybe this is the tunnel from the 1841

Session status: DOWN-NEGOTIATING

Peer: 36.74.32.39 port 64916 

  Session ID: 0  

  IKEv1 SA: local 152.X.X.28/4500 remote 36.74.32.39/64916 Inactive 

 

4351-Hub#sh crypto isakmp sa 

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

152.X.X.28   112.215.244.129 QM_IDLE           1009 ACTIVE

152.X.X.28   36.74.32.39     QM_IDLE           1023 ACTIVE

152.X.X.28   36.74.32.39     MM_NO_STATE       1022 ACTIVE (deleted)

 

IPv6 Crypto ISAKMP SA

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

 

 Spoke 1841

=======================================================================

Spoke-1841#sh dmvpn 

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

N - NATed, L - Local, X - No Socket

# Ent --> Number of NHRP entries with same NBMA peer

NHS Status: E --> Expecting Replies, R --> Responding

UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

 

Interface: Tunnel0, IPv4 NHRP Details 

Type:Spoke, NHRP Peers:2, 

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1   152.X.X.26      172.77.0.1    UP 00:38:21     S

 

Interface: Tunnel1, IPv4 NHRP Details 

Type:Spoke, NHRP Peers:1, 

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1   152.X.X.28      172.77.1.1   IKE    never     S

 

Spoke-1841#sh crypto session 

Crypto session current status

 

Interface: Tunnel1

Session status: DOWN

Peer: 152.X.X.28 port 500 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28

        Active SAs: 0, origin: crypto map

 

Interface: Tunnel0

Session status: UP-ACTIVE     

Peer: 152.X.X.26 port 4500 

  IKE SA: local 172.88.3.3/4500 remote 152.X.X.26/4500 Active 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.26

        Active SAs: 2, origin: crypto map

 

Interface: Tunnel0 <== why is this Tunnel0? I configured IP 152.X.X.28 on Tunnel 1

Session status: UP-ACTIVE     

Peer: 152.X.X.28 port 4500 

  IKE SA: local 172.88.3.3/4500 remote 152.X.X.28/4500 Active 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28

        Active SAs: 2, origin: crypto map

Spoke-1841#sh run | sec interface Tunnel0

interface Tunnel0

 description R2 mGRE - DMVPN Tunnel

 ip address 172.77.0.2 255.255.255.0

 no ip redirects

 ip nhrp authentication DMVPN2

 ip nhrp map multicast dynamic

 ip nhrp map 172.77.0.1 152.X.X.26

 ip nhrp map multicast 152.X.X.26

 ip nhrp network-id 1

 ip nhrp nhs 172.77.0.1

 tunnel source FastEthernet0/1/0

 tunnel mode gre multipoint

 tunnel protection ipsec profile protect-gre

Spoke-1841#sh run | sec interface Tunnel1

interface Tunnel1

 ip address 172.77.1.78 255.255.255.0

 no ip redirects

 ip mtu 1400

 ip nhrp authentication DMVPN1

 ip nhrp map multicast 152.X.X.28

 ip nhrp map 172.77.1.1 152.X.X.28

 ip nhrp network-id 100

 ip nhrp holdtime 300

 ip nhrp nhs 172.77.1.1

 ip tcp adjust-mss 1360

 tunnel source FastEthernet0/1/0

 tunnel mode gre multipoint

 tunnel key 1

 tunnel protection ipsec profile protec-gus

Spoke-1841#sh crypto isakmp sa 

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

152.X.X.26   172.88.3.3      QM_IDLE           1003 ACTIVE

 

IPv6 Crypto ISAKMP SA

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

Router 4351-Spoke (runs normally with no problem, configuration same as the 1841)

================================================================

4351-SPoke#sh dmvpn 

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

N - NATed, L - Local, X - No Socket

T1 - Route Installed, T2 - Nexthop-override

C - CTS Capable

# Ent --> Number of NHRP entries with same NBMA peer

NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

 

Interface: Tunnel0, IPv4 NHRP Details 

Type:Spoke, NHRP Peers:1, 

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 152.X.X.26        172.77.0.1    UP 00:34:58     S

 

Interface: Tunnel1, IPv4 NHRP Details 

Type:Spoke, NHRP Peers:1, 

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 152.X.X.28        172.77.1.1    UP 00:35:39     S

4351-SPoke#sh crypto session 

Crypto session current status

 

Interface: Tunnel1

Session status: UP-ACTIVE     

Peer: 202.152.49.28 port 4500 

  Session ID: 0  

  IKEv1 SA: local 192.168.1.100/4500 remote 152.X.X.28/4500 Active 

  IPSEC FLOW: permit 47 host 192.168.1.100 host 152X.X.28 

        Active SAs: 2, origin: crypto map

 

Interface: Tunnel0

Session status: UP-ACTIVE     

Peer: 152.X.X.26 port 4500 

  Session ID: 0  

  IKEv1 SA: local 192.168.1.100/4500 remote 152.X.X.26/4500 Active 

  IPSEC FLOW: permit 47 host 192.168.1.100 host 152.X.X.26 

        Active SAs: 2, origin: crypto map

 

4351-SPoke#sh crypto isakmp sa        

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

152.X.X.28   192.168.1.100   QM_IDLE           1001 ACTIVE

152.X.X.26   192.168.1.100   QM_IDLE           1002 ACTIVE

 

IPv6 Crypto ISAKMP SA

+++++++++++++++++++++++++++++++++++++++++++++++++++++

5 Replies

What is your problem? Share your config.

This is my problem

 

Interface: Tunnel0

Session status: UP-ACTIVE     

Peer: 152.X.X.26 port 4500 

  IKE SA: local 172.88.3.3/4500 remote 152.X.X.26/4500 Active 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.26

        Active SAs: 2, origin: crypto map

 

Interface: Tunnel0 <== why is this Tunnel0? I configured IP 152.X.X.28 on Tunnel 1

Session status: UP-ACTIVE     

Peer: 152.X.X.28 port 4500 

  IKE SA: local 172.88.3.3/4500 remote 152.X.X.28/4500 Active 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28

        Active SAs: 2, origin: crypto map

 

This is my configuration

 

Spoke-1841#sh run | sec interface Tunnel0

interface Tunnel0

description R2 mGRE - DMVPN Tunnel

ip address 172.77.0.2 255.255.255.0

no ip redirects

ip nhrp authentication DMVPN2

ip nhrp map multicast dynamic

ip nhrp map 172.77.0.1 152.X.X.26

ip nhrp map multicast 152.X.X.26

ip nhrp network-id 1

ip nhrp nhs 172.77.0.1

tunnel source FastEthernet0/1/0

tunnel mode gre multipoint

tunnel protection ipsec profile protect-gre

Spoke-1841#sh run | sec interface Tunnel1

interface Tunnel1

ip address 172.77.1.78 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication DMVPN1

ip nhrp map multicast 152.X.X.28

ip nhrp map 172.77.1.1 152.X.X.28

ip nhrp network-id 100

ip nhrp holdtime 300

ip nhrp nhs 172.77.1.1

ip tcp adjust-mss 1360

tunnel source FastEthernet0/1/0

tunnel mode gre multipoint

tunnel key 1

tunnel protection ipsec profile protec-gus

 

 

Note: my configuration runs normally on router 4351-spoke.

You didn't explain the problem. What you are pointing to isn't a problem.
The source for both connections is tunnel0 which is 172.77.0.2

Yes, the 1841-spoke IP is 172.77.0.2 and hub-3825 is 172.77.0.1, and the 1841-spoke Tunnel 1 IP is 172.77.1.78 and hub-4351 is 172.77.1.1.

 

ip peer destination hub-4351 = 152.X.X.28

ip peer destination hub-3825 = 152.X.X.26

Spoke-1841#sh crypto session 

Crypto session current status

Interface: Tunnel1

Session status: DOWN

Peer: 152.X.X.28 port 500 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28

        Active SAs: 0, origin: crypto map

 

Interface: Tunnel0

Session status: UP-ACTIVE     

Peer: 152.X.X.26 port 4500 

  IKE SA: local 172.88.3.3/4500 remote 152.X.X.26/4500 Active 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.26

        Active SAs: 2, origin: crypto map

Interface: Tunnel0 

Session status: UP-ACTIVE     

Peer: 152.X.X.28 port 4500 

  IKE SA: local 172.88.3.3/4500 remote 152.X.X.28/4500 Active 

  IPSEC FLOW: permit 47 host 172.88.3.3 host 152.X.X.28

        Active SAs: 2, origin: crypto map

 

So why does this router create two crypto sessions on Tunnel0 with different peer destination IPs?

By the way, do you know what case we are discussing?

agussang
Level 1

Up up Up

 

 

Bump, bro