dm
New Member

flexvpn, hub-spoke, NHRP: Unable to send Registration - no NHSes configured

Hello!

I'm trying to create a FlexVPN hub-spoke setup in a test environment.

 

Here is my hub config:

crypto ikev2 authorization policy default
 pool flex-pool
 route set interface
!
crypto ikev2 keyring ikev2-kr
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-kr
 aaa authorization group psk list default default
 virtual-template 1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.150 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
ip local pool flex-pool 172.16.0.1 172.16.0.254

Spoke config:

crypto ikev2 keyring ikev2-kr
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-kr
 aaa authorization group psk list default default
 virtual-template 1
!
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1.9
 tunnel destination 192.168.42.150
 tunnel protection ipsec profile default
!
interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.151 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!

 

 

IKE works:

 

spoke#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.42.151/500    192.168.42.150/500    none/none            READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2238 sec

 IPv6 Crypto IKEv2  SA

 

 

but not NHRP; I get this on the spoke:

Jul 24 09:02:13.431: NHRP: Unable to send Registration - no NHSes configured

 

 

But I don't see in any examples that an NHS should be configured in FlexVPN.

 

Could you tell me what is wrong in my config?

 

Thank you!

 

15 REPLIES

Hi,

I believe that's the default behaviour; we do not need to worry about that if you get it on the hub.

Excerpt from Cisco Document:

These first few debug messages are generated by a no shutdown command entered on the tunnel interface. Messages are generated by crypto, GRE, and NHRP services being initiated.

An NHRP registration error is seen on hub because it does not have a Next Hop Server (NHS) configured (the hub is the NHS for our DMVPN cloud). This is expected.

 

In your case you are getting it on the spoke, so you have to configure the NHS on the spoke:

interface Tunnel0
 ip nhrp nhs <hub ip>
!

 

Regards

Karthik

 

 

 

dm
New Member

Hello!

I have this on the spoke.

There is no such parameter in any FlexVPN examples I have seen before.

Could you tell me which of the hub's addresses suits best as the NHS?

 

Thank you!

Hi,

Hmmm... actually this kind of parameter comes up in DMVPN scenarios.

In a normal case we give the tunnel IP address of the hub.

 

Regards

Karthik

dm
New Member

Yes, this is why I'm asking.

I don't know how it should work in FlexVPN, i.e. how the spoke should learn the NHS address if it is not specified.

And there is no address on the hub's tunnel interface; it is unnumbered.

Should I use the Loopback0 address?

Thank you!
 

Hi,

As you said, in FlexVPN we do not need to mention the NHS address in the configuration.

But I am not sure why it is giving such errors; let me go through it once again and let you know my findings.

Regards

Karthik

dm
New Member

Thank you!

Maybe there is a manual explaining how a spoke learns the NHS address in FlexVPN?

dm
New Member

Well, I created a test environment with 1 hub and 2 spokes.

Although I have this error message on the spokes, they use NHRP and create a virtual-access interface between each other.

So this message is just harmless.

And there is an obvious lack of documentation about how FlexVPN works.

 

 

Hi,

I also have that question... The Cisco documents do not say to use an NHS or map a multicast address in FlexVPN, but with the same examples from the Cisco docs I'm not able to get spoke-to-spoke establishment; they are not even trying to establish a spoke-to-spoke tunnel.

My config has the sVTI Tunnel0 to the hubs and a dVTI configured, waiting for the other spokes, but the NHRP table does not have any entry...

Did you make any progress in the last days?

 

Best regards,

 

Alexsandro Reimann.

dm
New Member

Hello!

As I wrote before, this message is harmless in FlexVPN VTI mode, i.e. with virtual-access.

It works differently than DMVPN in this aspect.

http://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/115726-flexvpn-hardmove-same-00.html

"NHRP: In FlexVPN NHRP is primarily used to establish spoke to spoke communication. Spokes do not register to hub."

 

 

So it just works in my tests :-)

Cisco Employee

Hello folks,

Thanks for plugging my docs. :-D

The behavior you're seeing (and BTW this is not a VTI-based config, but GRE) could be due to something stale.

In the examples I wrote up initially I was using "ip unnumbered" Tunnel0; later examples use a more proper LAN interface on the spoke side, see:

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116528-config-flexvpn-00.html

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116678-configure-product-00.html

In FlexVPN with the config I used, instead of using NHRP like in DMVPN, the spoke and hub will send a route entry (a static /32) for the tunnel interface.

Try removing shortcut switching and the VT interface and re-adding it with proper unnumbered interfaces.

Else upgrade to something newer.

And if that doesn't help, open a TAC case. I don't think it's impacting, but it would be curious to find out where it's coming from.

M.

dm
New Member

> BTW this is not a VTI based config, but GRE

Sorry, I'm a complete newbie in this area, so could you tell me what a VTI config is then?

I'm interested because my head-company colleagues always said "FlexVPN, more specifically DMVPN"; later I found they meant DMVPN with IKEv2, but I had already spent some time with this FlexVPN example, thinking they meant this config... so I'm just interested in the right terminology :-)

 

Thank you!

 

Cisco Employee

VTI and GRE (over IPsec) are just two different encapsulation methods.

You can recognize a VTI config easily because it will use "tunnel mode ipsec ipv4|ipv6" on tunnel interfaces.

We typically showcase GRE-based configs since they are more flexible (mixing IPv6 and IPv4 or whatever you want).

DM has been around for a longer time; you can mix it with IKEv1 or IKEv2, but it has certain limitations because of the single multipoint interface.

Flex is newer and allows more flexibility, but is tied to IKEv2. As a framework it's a successor to DM.

dm
New Member

Thank you!

Now I know more than my head-company colleagues ;-)

 

Marcin,

Just be careful about the 'tunnel mode ipsec ipv4' interface command. In my case, with a FlexVPN topology, that was causing NHRP to not work across spokes, so the spoke-to-spoke tunnel was not happening.

To make a spoke-to-spoke connection using NHRP in FlexVPN, the dVTI and sVTI need to be configured as 'tunnel mode gre ip' or you will not see NHRP traffic.

 

HTH,

Alexsandro Reimann.

Cisco Employee

Alexsandro,

I do not think we have any docs showing direct spoke to spoke with "tunnel mode ipsec ipvX".

Obviously NHRP will not work over VTI since it's an L2 protocol and VTI implies L3 (IPv4 or IPv6).

Also "tunnel mode gre X" implies this is NOT a VTI config.

M.
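A complete hub and spoke pair of the kind Marcin describes, written as an added example for this thread; it is not a config from the original posts or from Cisco's documents. It keeps the addresses from the question, moves the spoke's Virtual-Template to "ip unnumbered" a loopback standing in for the LAN instead of Tunnel0 (Marcin's point), spells out the GRE tunnel mode that NHRP needs and shows the "tunnel mode ipsec ipv4" line Alexsandro hit as a disabled line, and relies on "route set interface" rather than NHRP registration to exchange the /32 tunnel routes, so the "no NHSes configured" message is expected and there is no "ip nhrp nhs". The "aaa new-model" / "aaa authorization network default local" lines and the "crypto ipsec profile default" binding are my additions, assumed so that "aaa authorization group psk list default default" resolves and the IPsec profile selects the IKEv2 profile; the wildcard "cisco" pre-shared key is kept only because the thread uses it and accepts any peer that knows it, which is acceptable in a lab and nowhere else.

```cisco
! ===== HUB (192.168.42.150) - example, not the original poster's config =====
aaa new-model
! assumption: a "default" network authorization list is what "list default" below refers to
aaa authorization network default local
!
crypto ikev2 authorization policy default
 pool flex-pool
 ! push this side's tunnel-interface /32 to the peer in IKEv2 config mode (replaces NHRP registration)
 route set interface
!
crypto ikev2 keyring ikev2-kr
 peer spoke
  ! lab only: any peer at any address that presents "cisco" is accepted
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-kr
 aaa authorization group psk list default default
 virtual-template 1
!
! assumption: explicit binding of the IPsec profile to the IKEv2 profile
crypto ipsec profile default
 set ikev2-profile default
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.150 255.255.255.0
!
! dVTI cloned per spoke; "ip nhrp redirect" tells spokes to build shortcuts to each other
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 ! GRE is the default mode; stated explicitly because NHRP does not run over "tunnel mode ipsec ipv4"
 tunnel mode gre ip
 tunnel protection ipsec profile default
!
ip local pool flex-pool 172.16.0.1 172.16.0.254

! ===== SPOKE (192.168.42.151) =====
! aaa, crypto ikev2 keyring, crypto ikev2 profile and crypto ipsec profile: identical to the hub
interface Loopback0
 ! stands in for the spoke LAN; the dVTI below borrows this address
 ip address 172.16.1.2 255.255.255.255
!
interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.151 255.255.255.0
!
! sVTI to the hub: no "ip nhrp nhs", no NHRP registration; the hub's 172.16.1.1/32 arrives via route set interface
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 ! an NHRP redirect from the hub spawns a Virtual-Access from this template toward the other spoke
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1.9
 tunnel destination 192.168.42.150
 tunnel mode gre ip
 tunnel protection ipsec profile default
!
! dVTI that terminates spoke-to-spoke tunnels initiated by other spokes
interface Virtual-Template1 type tunnel
 ! a LAN/loopback interface, not Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ! disabled on purpose: with this line NHRP stops working across the spokes
 ! tunnel mode ipsec ipv4
 tunnel mode gre ip
 tunnel protection ipsec profile default
!
```

To check the behaviour the thread ends on: once "show crypto ikev2 sa" is READY on the spoke, "show ip route 172.16.1.1" should show the hub's /32 via Tunnel0 and the hub's "show ip route" should show the spoke's negotiated pool address as a /32 via its Virtual-Access, neither of them learned through NHRP; only after spoke-to-spoke traffic crosses the hub do "show ip nhrp" and "show interface virtual-access" populate on the spokes. The "Unable to send Registration - no NHSes configured" line keeps appearing throughout and changes nothing here.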

 

882 Views, 5 Helpful, 15 Replies