Cisco Support Community

DMVPN tunnel not establishing - NHRP incorrect address

I am trying to establish a DMVPN tunnel from a new router that we set up in a remote location. We already have a hub and several other remote locations that work correctly. I can ping across to another remote site, but I do not see the correct address show up when I do a "show dmvpn". The SA also does not appear when I do a "show crypto isakmp sa".

UARouter#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
     1 63.162.52.254        172.19.1.1    UP    1d10h     S

I then do a ping to a remote machine.

UARouter#ping 192.168.2.40 source loopback 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.40, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 352/353/356 ms

UARouter#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
     2 63.162.52.254        172.19.1.1    UP    1d10h     S
                            172.19.1.2    UP 00:00:32     D

It does not seem to resolve to the actual peer NBMA address 203.98.212.254, but instead resolves back to the hub.

UARouter#show ip nh
UARouter#show ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >
172.19.1.2/32        172.19.1.2      63.162.52.254   dynamic  Tu0     <   >

UARouter#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
63.162.52.254   109.237.82.114  QM_IDLE           1003 ACTIVE

Here is the result from a different router that works.

TaiwanRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:8,
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
     1   63.162.52.254      172.19.1.1    UP     1w4d     S
     1  203.98.212.254      172.19.1.2    UP     1w4d     D
<some entries removed>

TaiwanRTR#show ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >
172.19.1.2/32        172.19.1.2      203.98.212.254  dynamic  Tu0     <   >

Here are the DMVPN configs. They are the same except for the IP address and the fact that I can't use the "no ip mroute-cache" command due to it being deprecated on the new router, since we are using a newer IOS. I also use the interface directly instead of a loopback. The loopback on the TaiwanRTR is a public IP.

UA Router

interface Tunnel0
 bandwidth 1000
 ip address 172.19.1.12 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <removed>
 ip nhrp map 172.19.1.1 63.162.52.254
 ip nhrp map multicast 63.162.52.254
 ip nhrp network-id 1000000
 ip nhrp holdtime 600
 ip nhrp nhs 172.19.1.1
 ip tcp adjust-mss 1360
 delay 1000
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN shared

TaiwanRTR

interface Tunnel0
 bandwidth 1000
 ip address 172.19.1.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <removed>
 ip nhrp map 172.19.1.1 63.162.52.254
 ip nhrp map multicast 63.162.52.254
 ip nhrp network-id 1000000
 ip nhrp holdtime 600
 ip nhrp nhs 172.19.1.1
 ip tcp adjust-mss 1360
 no ip mroute-cache
 delay 1000
 tunnel source Loopback2
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN shared
end

On both devices we use the same crypto map settings. We use certificates instead of pre-shared keys.

crypto isakmp policy 1
 encr 3des
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set myset

Does anyone have any ideas what might be going on?
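
The symptom in the post above, checked mechanically (an added example, not part of the original post): this Python sketch parses `show ip nhrp brief` output and lists dynamic entries whose NBMA address equals a static (hub) mapping, which is what UARouter shows for 172.19.1.2. The function names are hypothetical, and the sample text is constructed from the two outputs quoted in the post.

```python
import re

# Constructed samples: the "show ip nhrp brief" tables quoted in the post.
UA_OUTPUT = """\
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >
172.19.1.2/32        172.19.1.2      63.162.52.254   dynamic  Tu0     <   >
"""
TAIWAN_OUTPUT = """\
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32        172.19.1.1      63.162.52.254   static   Tu0     <   >
172.19.1.2/32        172.19.1.2      203.98.212.254  dynamic  Tu0     <   >
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(
    rf"^[ \t]*({IPV4})/\d+[ \t]+(\S+)[ \t]+({IPV4})[ \t]+(static|dynamic)[ \t]+(\S+)",
    re.M,
)

def parse_nhrp_brief(text):
    """Return one dict per NHRP cache row; header and prompt lines are skipped."""
    return [
        {"target": m[1], "via": m[2], "nbma": m[3], "mode": m[4], "intf": m[5]}
        for m in ROW.finditer(text)
    ]

def hub_relayed_peers(text):
    """Tunnel addresses of dynamic entries that point at a static (hub) NBMA.

    Such an entry means traffic to that spoke is still relayed through the
    hub: the spoke-to-spoke NHRP/IPsec session has not been established.
    """
    entries = parse_nhrp_brief(text)
    hub_nbmas = {e["nbma"] for e in entries if e["mode"] == "static"}
    return [e["target"] for e in entries
            if e["mode"] == "dynamic" and e["nbma"] in hub_nbmas]

if __name__ == "__main__":
    print("UARouter :", hub_relayed_peers(UA_OUTPUT))
    print("TaiwanRTR:", hub_relayed_peers(TAIWAN_OUTPUT))
```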

Accepted Solutions
Here's the ACL from my DMVPN router...

10 permit esp any any (22214502 matches)
20 permit udp any any eq isakmp (375 matches)
30 permit udp any any eq non500-isakmp
40 permit icmp any any (40005 matches)

Works 100% for me.

I will note, my line 20 used to be "permit udp any eq isakmp any eq isakmp" but I found when my routers were behind NATing devices the source wouldn't be 500 and things didn't work so I had to open it up.
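
Why the original line 20 fails behind NAT, as an added example that is not part of the reply above: a Python first-match evaluator for the small subset of IOS extended-ACL syntax used in this ACL, run against constructed flows. The helper names and the translated source port 31022 are assumptions for illustration.

```python
# IOS port keywords that appear in the ACL quoted above.
PORTS = {"isakmp": 500, "non500-isakmp": 4500}

def parse_ace(line):
    """Parse '<action> <proto> any [eq <port>] any [eq <port>]' (toy subset)."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "sport": None, "dport": None}
    i = 2
    for side in ("sport", "dport"):
        if tok[i] != "any":
            raise ValueError("only 'any' addresses are modelled: " + line)
        i += 1
        if i < len(tok) and tok[i] == "eq":
            ace[side] = PORTS[tok[i + 1]]
            i += 2
    return ace

def evaluate(acl, pkt):
    """Action of the first matching entry; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != pkt["proto"]:
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"

# The reply's ACL with the earlier and the current form of line 20.
OLD_ACL = ["permit esp any any", "permit udp any eq isakmp any eq isakmp",
           "permit udp any any eq non500-isakmp", "permit icmp any any"]
NEW_ACL = ["permit esp any any", "permit udp any any eq isakmp",
           "permit udp any any eq non500-isakmp", "permit icmp any any"]

# Constructed flows: a NAT device rewrites the IKE source port (31022 here).
FLOWS = {
    "ike_direct":     {"proto": "udp", "sport": 500,   "dport": 500},
    "ike_behind_nat": {"proto": "udp", "sport": 31022, "dport": 500},
    "nat_t":          {"proto": "udp", "sport": 31022, "dport": 4500},
    "esp":            {"proto": "esp"},
}

def compare():
    """Map each flow name to its (old ACL, new ACL) verdict."""
    return {n: (evaluate(OLD_ACL, p), evaluate(NEW_ACL, p)) for n, p in FLOWS.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:15} old={old:6} new={new}")
```

The relaxed entry still pins the destination port to 500; only the source port is left unconstrained.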

2 REPLIES
I was able to establish the connection when I opened the inbound ACL on the TaiwanRTR wide open. We currently allow isakmp, esp, and gre between the two routers, which I thought would be enough to establish a connection, since the other routers use the same and they are able to connect.

What else needs to be allowed on the ACL?
