Cisco Support Community
Community Member

DMVPN duplicate NBMA address



We've run into an issue where a DMVPN spoke is not setting up an NHRP session with the hub.

The situation: our spoke router (R1) gets its internet connection from an average DSL router. This router has a common subnet with DHCP on it. So our spoke router gets from the DHCP server. Next it sets up ISAKMP and an NHRP session with the hub and all is working well.

Next up is the second spoke (R2). Different location but same DSL router with the same with DHCP on the inside. The spoke router connects to the LAN, gets, sets up an ISAKMP tunnel and next it wants to set up the NHRP session. Then we hit the following error:

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:7,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 UNKNOWN     NHRP    never    IX
     0 UNKNOWN     NHRP    never    IX
     1    UP    1d06h     D
     1    UP    2d22h     D

The session will not establish because the hub already has an association with a peer that has as its NBMA address. A workaround is to set a different fixed IP or use a different MAC to get another IP.

This is a different problem than the one that "ip nhrp registration no-unique" fixes. That happens when the same spoke connects to the hub but with a different IP address than before. In this case we have two spokes with identical NBMA addresses (although they are behind different public IPs).
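As an added diagnostic that is not part of this thread: a small Python check that parses a hub's "show dmvpn" peer table, reports NBMA addresses claimed by more than one peer (the NHRP/UNKNOWN/IX row stuck beside an UP row in the output above), and lists NBMA addresses that fall in RFC 1918 space, which on an Internet-facing hub means the hub is learning the spokes' pre-NAT addresses. The sample capture and all addresses in it are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a hub's "show dmvpn" output (not the poster's capture):
# 192.168.1.10 is the private DHCP address two spokes got from identical DSL
# routers; 198.51.100.7 is a spoke the hub sees by its public IP.
SAMPLE_SHOW_DMVPN = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:4,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.1.10          UNKNOWN  NHRP    never    IX
     1 192.168.1.10         10.0.0.2    UP    1d06h     D
     1 192.168.1.11         10.0.0.3    UP    2d22h     D
     1 198.51.100.7         10.0.0.4    UP    4d01h     D
"""
# One peer row: entry count, NBMA addr, tunnel addr, state, up/down time, attribute.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIELDS = ("entries", "nbma", "tunnel", "state", "updown", "attrb")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_show_dmvpn(text):
    """Return the peer-table rows of a 'show dmvpn' capture as dicts."""
    return [dict(zip(FIELDS, m.groups()))
            for m in map(ROW_RE.match, text.splitlines()) if m]

def find_nbma_conflicts(rows):
    """NBMA addresses claimed by more than one peer row. An NHRP/UNKNOWN/IX row
    beside an UP row for the same address is the post's symptom: the hub already
    holds that NBMA address for another spoke, so the new registration stalls."""
    by_nbma = defaultdict(list)
    for row in rows:
        by_nbma[row["nbma"]].append(row)
    return {nbma: rs for nbma, rs in by_nbma.items() if len(rs) > 1}

def private_nbma_peers(rows):
    """Sorted RFC 1918 NBMA addresses: on an Internet-facing hub these are the
    spokes' pre-NAT addresses rather than the public IPs they sit behind."""
    addrs = set()
    for row in rows:
        try:
            if any(ipaddress.ip_address(row["nbma"]) in net for net in RFC1918):
                addrs.add(row["nbma"])
        except ValueError:  # e.g. "UNKNOWN"
            pass
    return sorted(addrs)
```

Feed it the real `show dmvpn` output from the hub; a private address listed under more than one entry is the collision the post describes.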

Cisco Employee

I may not be completely up to date on this. But NHRP should make a differentiation based on NBMA address even if claimed IP address is the same (didn't test it). So a couple of questions:
- What version on spoke/hub
- Is transport mode configured and operational.
- Show us "show ip nhrp" from hub.
Community Member

Did you ever find a resolution to this? I am having the same exact issue. 

Community Member

Yes! I did get a solution! I talked to a TAC guy at Cisco Live and he explained that it's all about the IPSEC mode that you're using:

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
 mode transport

Setting the ipsec mode to transport will solve this issue. You'll only be seeing the public IP of a DMVPN hub and not the internal IP. Do note that you can now only have one hub per public IP since they cannot overlap.
