We've running into an issue where a DMVPN spoke is not setting up an NHRP session with the HUB.
The situation: our spoke router (R1) get its internet connection from an average DSL router. This router has a common 192.168.1.0/24 subnet with DHCP on it. So our Spoke router gets 192.168.1.2 from the DHCP server. Next it sets up ISAKMP and a NHRP session with the hub and all is working well.
Next up is the second spoke (R2). Different location but same DSL router with the same 192.168.1.0/24 with DHCP on the inside. The spoke router connects to the LAN, gets 192.168.1.2, sets up an ISAKMP tunnel and next it wants to set up the NHRP session. Then we hit the following error:
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 2 UNKNOWN 10.255.11.2 NHRP never IX 0 UNKNOWN 10.255.11.7 NHRP never IX 1 192.168.1.2 10.255.11.4 UP 1d06h D 1 192.168.2.100 10.255.11.5 UP 2d22h D
The session will not establish because the hub already has an association with a peer that has 192.168.1.2 as its NBMA address. A workaround is to set a different fixed IP or use a different MAC to get another IP.
This is a different problem than the one that "ip nhrp registration no-unique" fixes. That happens when the same spoke connects to the hub but with a different IP address than before. In this case we have two spokes with identical NBMA addresses (allthough they are behind different public IP's).
I may not be completely up to date on this. But NHRP should make a differentiation based on NBMA address even if claimed IP address is the same (didn't test it).
So a couple of questions:
- What version on spoke/hub
- Is transport mode configured and operational.
- Show us "show ip nhrp" from hub.
Yes! I did get a solution! I talked to a TAC guy at Cisco Live and he explained that it's all about the IPSEC mode that you're using:
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
Setting the ipsec mode to transport will solve this issue. You'll only be seeing the public IP of a DMVPN hub and not the internal IP. Do note that you can now only have one hub per public IP since they cannot overlap.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...