Cisco Support Community

New Member

Strange status of DMVPN HUB

Hi all,

I have 2 DMVPN HUBs and 20 spokes, and one of these has a strange DMVPN status - NHRP (what does it mean? I didn't find an explanation of whether that status is bad or good. Does it mean that the spoke couldn't get the NBMA address of the HUB through NHRP?). Could anyone explain what it means?

#show dmvpn
Interface: Tunnel4, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
     1        7.#.#.3        10.5.5.1    UP    1d18h     S
     1        7.#.#.4        10.5.5.2  NHRP    1d18h     S

Spoke's configuration.

interface Tunnel4
 bandwidth 15000
 ip address 10.5.5.20 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp map multicast dynamic
 ip nhrp map multicast 7.#.#.3
 ip nhrp map multicast 7.#.#.4
 ip nhrp map 10.5.5.1 7.#.#.3
 ip nhrp map 10.5.5.2 7.#.#.4
 ip nhrp network-id 101
 ip nhrp nhs 10.5.5.1
 ip nhrp nhs 10.5.5.2
 zone-member security outside
 ip tcp adjust-mss 1380
 delay 100
 keepalive 10 3
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 111000
 tunnel protection ipsec profile dmvpn

7 REPLIES
Cisco Employee

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s4.html#wp2815505246

Typically this spoke does not receive NHRP registration reply from hub. 

"show ip nhrp nhs" will show this particular aspect better. 

 

New Member

Marcin,

thank you for such a quick reply,

#sho ip nhrp nhs 
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel4:
10.5.5.1  RE priority = 0 cluster = 0
10.5.5.2   E priority = 0 cluster = 0

So... it means that the SECOND HUB could not reach the tunnel IP address of the spoke?

Cisco Employee

It means that the NHRP registration did not make it from spoke to hub or the registration reply didn't make it from hub to spoke. 

Check what that hub is seeing. Since the hub is using dynamic NHRP, once it sees the registration request it installs an NHRP entry ("show ip nhrp" and look for the spoke's IP). 

If it (hub) does see it, it's typically a case of the NHRP reg. reply being misrouted. 

If it doesn't see it, then you'd need to check what's going on with those NHRPs. 

In both cases NHRP debugging might be the best way. 

New Member

Marcin,

thank you again for quick reply)

It's very strange, because I followed your troubleshooting steps, and what I got is below:

1. Spoke can ping the NBMA address of the two HUBs

2. Every HUB can reach the NBMA address of the spoke

3. I switched on debugging on the spoke and the HUBs, and I see an NHRP request packet to every HUB

Debug on spoke:

000332: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.1
000333: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.1 to NBMA 7.#.#.3
000334: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.3
000335: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000336: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.1
000337: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4 
000338: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.1
000339: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2
000340: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
000341: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.4
000342: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000343: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.2
000344: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4 
000345: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.2
000346: May 23 10:47:53.412 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4, changed state to up
000347: May 23 10:47:53.412 MSK: NHRP: Receive Registration Reply via Tunnel4 vrf 0, packet size: 112
000348: May 23 10:47:53.412 MSK: NHRP: netid_in = 0, to_us = 1
000349: May 23 10:47:53.412 MSK: NHRP: NHS 10.5.5.1 Tunnel4 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E' 

000350: May 23 10:47:53.412 MSK: NHRP: NHS-UP: 10.5.5.1
000351: May 23 10:47:54.920 MSK: NHRP: Setting retrans delay to 4 for nhs  dst 10.5.5.2
000352: May 23 10:47:54.920 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2
000353: May 23 10:47:54.920 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
000354: May 23 10:47:54.920 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.4
000355: May 23 10:47:54.920 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000356: May 23 10:47:54.920 MSK:       src: 10.5.5.20, dst: 10.5.5.2

and I don't see any logs related to this spoke on the second HUB!

So... the NHRP packet is lost on the way to the second HUB, but I can't guess the reason why this happened.
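
As an added example (not part of the original thread and not a Cisco tool), the spoke-side NHRP debug shown above can be correlated with a short Python script: it counts Registration Requests per NHS and flags any NHS that never reaches a responding ('R') state. The sample log is constructed in the thread's format, and the function names are hypothetical.

```python
import re

# Constructed sample, in the format of the spoke's NHRP debug shown in the thread.
SAMPLE = """\
000335: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000336: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.1
000342: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000343: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.2
000347: May 23 10:47:53.412 MSK: NHRP: Receive Registration Reply via Tunnel4 vrf 0, packet size: 112
000349: May 23 10:47:53.412 MSK: NHRP: NHS 10.5.5.1 Tunnel4 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E'
000355: May 23 10:47:54.920 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000356: May 23 10:47:54.920 MSK:       src: 10.5.5.20, dst: 10.5.5.2
"""

SEND = re.compile(r"NHRP: Send Registration Request via \S+")
SRC_DST = re.compile(r"src: (\S+), dst: (\S+)")
TRANSITION = re.compile(r"NHRP: NHS (\S+) .*Transitioned to '(\w+)' from '\w+'")


def registration_summary(log_text):
    """Map each NHS tunnel address to requests sent and last NHS state seen."""
    summary = {}
    after_send = False  # True when the previous line was a sent request
    for line in log_text.splitlines():
        if SEND.search(line):
            after_send = True
            continue
        addrs = SRC_DST.search(line)
        if after_send and addrs:
            # The src/dst line right after a send names the NHS being registered to.
            entry = summary.setdefault(addrs.group(2), {"requests": 0, "state": None})
            entry["requests"] += 1
        after_send = False
        moved = TRANSITION.search(line)
        if moved:
            entry = summary.setdefault(moved.group(1), {"requests": 0, "state": None})
            entry["state"] = moved.group(2)  # e.g. 'RE' = responding and expecting
    return summary


def unanswered_nhs(summary):
    """NHS addresses that were sent requests but are not in a responding (R) state."""
    return sorted(nhs for nhs, e in summary.items()
                  if e["requests"] and "R" not in (e["state"] or ""))


if __name__ == "__main__":
    print(unanswered_nhs(registration_summary(SAMPLE)))
```

An NHS listed here is only known to be silent from the spoke's point of view; whether the request or the reply was lost still has to be checked on the hub side.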

Cisco Employee

0) Remove tunnel keepalives from multipoint tunnels. Not the cause of your problem, but it's not needed or supported with tunnel protection. 

1) Check your IPsec SAs. Are they there, are encaps increasing, are decaps increasing?

2) Are they stable or flapping (enable "crypto logging session")?

3) Influences of features? Maybe something with firewall?

 

A couple of things I would check. 

New Member

Marcin,

I've solved the problem!

On the spoke and the second HUB router there was an old GRE over IPSec tunnel; I had shut down the tunnel and wanted to replace it with DMVPN.

I switched on debug crypto ipsec sa and this is the error I could see:

IPSEC(ipsec_process_proposal): invalid local address x.x.x.x 

And... I just deleted the old GRE over IPSec tunnel interface, which contained tunnel mode ipsec ipv4, and the DMVPN state changed to UP!

#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/0         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/1         172.17.0.7      YES NVRAM  up                    up      
GigabitEthernet0/2         #.#.#.#  YES NVRAM  up                    up      
Tunnel4                    10.5.5.20       YES NVRAM  up                    up      
Tunnel254(old IPSec)       10.1.1.149      YES NVRAM  administratively down down

after deleting tun 254 - dmvpn is UP!)

Thank you for your attention!!

Cisco Employee

Cool :-)

That's one of a couple of reasons this could have been caused by. 
