cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2763
Views
0
Helpful
13
Replies

DMVPN Problem !!!

Omid Almasieh
Level 1
Level 1

Hello experts ,

Our client has 40 branch offices with cisco 1841 routers connected to head office(HUB) with two Cisco 3845 routers ,every branch has two different connection to the hub ,one connection through fiber optic the other through point to multipoint E1 leased lines ,one of the hub routers connected to leased lines with E1s the other connected with fiber optic ,we use DMVPN on fiber backbone with ipsec ,for redundancy we use OSPF protocol ,bellow you can see DMVPN configurations  ,but the problem is that after the configuration everything goes well but after passing one day or less suddenly everything (traffic) on tunnel interfaces would be disconnected ,after removing tunnel 1 interfaces and again configure it with the same configuration as before everything works well again just for 1 day,I also disconnect 38 branches from fiber optic but the problem still exists,do you have any idea \\about the situation ?I'm thinking about migrating to point to point tunnel interfaces !!!

HUB

crypto isakmp policy 1

encr aes

authentication pre-share

crypto isakmp key ****address 0.0.0.0 0.0.0.0 no-xauth

crypto isakmp keepalive 20 3

!

!

crypto ipsec transform-set trans2 esp-aes esp-sha-hmac

mode transport

!

crypto ipsec profile dmvpnprofile

set transform-settrans2

interface Tunnel1
description connection to spokes
  bandwidth 10000
  ip address 172.31.8.1 255.255.255.0
no ip redirects
  ip mtu 1436
ip nhrp authentication *****
  ip nhrp map multicast dynamic
ip nhrp network-id 100000
  ip ospf network broadcast
ip ospf priority 2
  delay 1000
  tunnel source 172.31.0.1
tunnel mode gre multipoint
  tunnel key 100000
tunnel protection ipsec profile dmvpnprofile
!
interface Loopback0
  ip address 172.31.12.2 255.255.255.255
!
interface GigabitEthernet0/0
description lan connected
  ip address 172.30.0.2 255.255.255.240
  duplex auto
  speed auto
  media-type rj45
!
interface GigabitEthernet0/1
  description Fiber Optic Backbone
  ip address 172.16.253.10 255.255.255.0 secondary
  ip address 172.31.0.1 255.255.255.0 secondary
  ip address 172.20.26.1 255.255.0.0
  duplex half
  speed auto
  media-type rj45
no cdp enable
!
router ospf 10
log-adjacency-changes
redistribute connected subnets
redistribute static metric-type 1 subnets
  network 172.30.0.0 0.0.0.15 area 0
  network 172.31.8.0 0.0.0.255 area 0
  network 172.31.12.2 0.0.0.0 area 0
  default-information originate
!
router rip
  version 2
  network 172.20.0.0
  network 192.168.1.0
  network 192.168.25.0
  network 192.168.30.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.254.1

.

.

.

Spokes sample configuration

crypto isakmp policy 1
encr aes
  authentication pre-share
crypto isakmp key ***** address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
  mode transport
!
crypto ipsec profile dmvpnprofile
  set transform-set trans2
!
!
!
!
interface Loopback0
  ip address 172.31.12.29 255.255.255.255
!
interface Tunnel1
  description connection to hub
  bandwidth 10000
  ip address 172.31.8.29 255.255.255.0
no ip redirects
  ip mtu 1436
ip nhrp authentication *****
  ip nhrp map multicast 172.31.0.1
ip nhrp map 172.31.8.1 172.31.0.1
  ip nhrp network-id 100000
ip nhrp nhs 172.31.8.1
  ip ospf network broadcast
ip ospf priority 0
  delay 1000
  tunnel source FastEthernet0/1
tunnel mode gre multipoint
  tunnel key 100000
tunnel protection ipsec profile dmvpnprofile
!
interface FastEthernet0/0
  ip address 192.168.36.5 255.255.255.0
  duplex auto
  speed auto
!
interface FastEthernet0/1
Description fiber optic interface

ip address 172.31.0.29 255.255.255.0
  duplex auto
  speed auto
!
interface Serial0/0/0
  ip address 172.31.4.70 255.255.255.252
encapsulation ppp
  load-interval 30
  no fair-queue

.

.

.

router ospf 10
log-adjacency-changes
  network 172.31.4.70 0.0.0.0 area 0
  network 172.31.8.0 0.0.0.255 area 0
  network 172.31.12.29 0.0.0.0 area 0
  network 192.168.36.0 0.0.0.255 area 2

13 Replies 13

Jitendriya Athavale
Cisco Employee
Cisco Employee

just wanted to know as to why you are using the secondary ip as tunnel source, why not the

primary physical interface ip

can you try using the 172.20.26.1 on the hub for tunnel source

Becuase they have some other connections on fiber backbon ,and I design 172.31.28.0 subnet for tunnels ,also try this configuration on lab routers ,i mean with secondary ip addresses there was no problem!

can you collect some debugs when the dmvpn stops working, collect it on spoke and hub and use

also when this happens again try clear the tunnels instead of removing tunnel config and putting it back, you can also try shut and no shut on tunnel interface

Hi,

I must remove the tunnel and configure it again,shut and no shut had no effect at all i'v also used clear crypto session and clear ip nhrp commands but they had no effect ,for debugging purpose i dont know exactly when the tunnel would be stop work to issu debug commands,any idea ?

do you see any pattern as to approx what time the tunnel goes down

also collect the debugs before you wipe the tunnel config and put it back, that should be good enough as it will tell whts happening

hi jathaval ,

As our clients complained about their link  inefficiency and lack of bandwidth, i had to change tunnel types to   point to piont GRE + IPsec tunnels ,and I removed NHRP configuration   completely ,until now (3 days past)they don't have any problems ,have u   ever seen this kind of problems with DMVPNs ?does scale matters to    DMVPN tunnels?

Tnx

Hi,

even with point to point GRE + IPSec tunnels again we got the exact  same problem,on spokes OSPF couldn't make adjacencies,they stuck in INIT  state ,but when I remove tunnel protection ipsec profile dmvpnprofile  from tunnels and shut them down and back them all everything worked  good,on spokes !!!is there anything relates to IPSec ?what debugging  commands do u suggest ?

try the following

debug crypto isakmp

debug crypto ipsec

debug crypto socket

Hi Jathaval ,


in attachment i did dubug commands that u said and capture the results

FredxMichaud
Level 1
Level 1

Try changing your MTU to 1400 and use the  ip tcp adjust-mss 1360 both on the tunnel interface, we had a similar problem in the past.  Then, if your packet can't get fragmented, just clear the DF-bit.  Don't you need a tunnel destination as well?  I'm pretty sure your multicast statement in the tunnel takes care of that, but try the tunnel destination instead.

Also, you might want your site to be considered stub by your routing protocol.

Hi Fred ,

I did your suggestions but the problem still exist ...

Tnx

Deepak Khemani
Level 1
Level 1

Hi

I would like you to check following things on your Hub and Spoke

  1. IOS Version on routers. Use Cisco feature Navigator to check if the IOS are compatible with each other for DMVPN configuration. If you could post the output of show version on hub and scope.
  2. Apply following command on both Hub and spoke no crypto isakmp nat-traversal.

I would also suggest to terminate half of your Point to Point lines to one router and rest on second. And same way configure your Point to Multipoint links. This will give you resiliency in event if one of the box's fail completly.

Cheers

Deepak Khemani

Hi guys ,

The problem was solved by  upgrading the IOS version to c3845-adventerprisek9-mz.124-17.bin ,I think it was kind of bug or something in IOS version 123-11.T2

Thanks anyway ,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: