
DMVPN dual HUB issue, one tunnel doesn't work

Hi all,

I have an issue with a dual DMVPN scenario.

I have 2 hubs and multiple spokes; each spoke has 2 tunnels, one to each hub.

I am having issues with a spoke, but only with one tunnel:

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0              unassigned      YES unset  up                    up

FastEthernet1              unassigned      YES unset  up                    down

FastEthernet2              unassigned      YES unset  up                    down

FastEthernet3              unassigned      YES unset  up                    down

FastEthernet4            80.188.29.210  YES NVRAM  up                    up

Tunnel1                    10.24.170.58    YES NVRAM  up                    up

Tunnel2                    10.32.170.58    YES NVRAM  up                    up

Vlan1                      10.24.141.3     YES NVRAM  up                    up

czprab01#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

80.188.29.210   216.40.52.7     QM_IDLE           2113 ACTIVE              <-------------- Tunnel 1 (working)

216.40.48.53    80.188.29.210   MM_KEY_EXCH       2780 ACTIVE

216.40.48.53    80.188.29.210   MM_KEY_EXCH       2779 ACTIVE

216.40.48.53    80.188.29.210   MM_NO_STATE       2778 ACTIVE (deleted)

216.40.48.53    80.188.29.210   MM_NO_STATE       2777 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

czprab01#sh crypto ipsec sa

interface: Tunnel1

    Crypto map tag: Tunnel1-head-0, local addr 80.188.29.210

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (80.188.29.210/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (216.40.52.7/255.255.255.255/47/0)

   current_peer 216.40.52.7 port 4500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 3955556, #pkts encrypt: 3955556, #pkts digest: 3955556

    #pkts decaps: 4334117, #pkts decrypt: 4334117, #pkts verify: 4334117

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 1618

     local crypto endpt.: 80.188.29.210, remote crypto endpt.: 216.40.52.7

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x209DAC2C(547204140)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x45E07928(1172338984)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Transport UDP-Encaps, }

        conn id: 39, flow_id: Onboard VPN:39, sibling_flags 80000006, crypto map: Tunnel1-head-0

        sa timing: remaining key lifetime (k/sec): (4459162/777)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x209DAC2C(547204140)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Transport UDP-Encaps, }

        conn id: 40, flow_id: Onboard VPN:40, sibling_flags 80000006, crypto map: Tunnel1-head-0

        sa timing: remaining key lifetime (k/sec): (4461679/777)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel2

    Crypto map tag: Tunnel2-head-0, local addr 80.188.29.210

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (80.188.29.210/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (216.40.48.53/255.255.255.255/47/0)

   current_peer 216.40.48.53 port 500

     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 266, #recv errors 0

     local crypto endpt.: 80.188.29.210, remote crypto endpt.: 216.40.48.53

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

DEBUG on the spoke:

czprab01#sh debugging

czprab01#sh debugging

Cryptographic Subsystem:

  Crypto ISAKMP Error debugging is on

  Crypto IPSEC Error debugging is on

czprab01#

*Nov  5 02:38:24 Winter: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb

czprab01#sh crypto  isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

80.188.29.210   216.40.52.7     QM_IDLE           2113 ACTIVE

216.40.48.53    80.188.29.210   MM_KEY_EXCH       2787 ACTIVE

216.40.48.53    80.188.29.210   MM_KEY_EXCH       2786 ACTIVE

*Nov  5 02:39:24 Winter: ISAKMP:(2786):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:39:24 Winter: ISAKMP:(2786):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:39:54 Winter: ISAKMP:(2787):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:39:54 Winter: ISAKMP:(2787):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:40:28 Winter: ISAKMP:(2788):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:40:28 Winter: ISAKMP:(2788):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:40:54 Winter: ISAKMP:(2789):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:40:54 Winter: ISAKMP:(2789):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:41:24 Winter: ISAKMP:(2790):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

*Nov  5 02:41:24 Winter: ISAKMP:(2790):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)

configuration of the tunnels:

czprab01#sh runn int tunn1

Building configuration...

Current configuration : 405 bytes

!

interface Tunnel1

bandwidth 1000

ip address 10.24.170.58 255.255.255.0

ip mtu 1352

ip flow ingress

ip nhrp authentication donttell

ip nhrp map 10.24.170.1 216.40.52.7

ip nhrp network-id 169

ip nhrp holdtime 300

ip nhrp nhs 10.24.170.1

ip tcp adjust-mss 1200

delay 1000

tunnel source FastEthernet4

tunnel destination 216.40.52.7

tunnel key 100000

tunnel protection ipsec profile CHEP

end

czprab01#sh runn int tunn2

Building configuration...

Current configuration : 406 bytes

!

interface Tunnel2

bandwidth 256

ip address 10.32.170.58 255.255.255.0

ip mtu 1352

ip flow ingress

ip nhrp authentication donttell

ip nhrp map 10.32.170.1 216.40.48.53

ip nhrp network-id 170

ip nhrp holdtime 300

ip nhrp nhs 10.32.170.1

ip tcp adjust-mss 1200

delay 1500

tunnel source FastEthernet4

tunnel destination 216.40.48.53

tunnel key 100001

tunnel protection ipsec profile CHEP

end

I tried to shut down Tunnel2 for a while, but no luck.

I did clear crypto sa peer XXXX, and no luck.

Any suggestions, please?

THANK YOU


Accepted Solutions

https://supportforums.cisco.com/thread/256417

Please take a look at the above.

Regards
Vinayak

7 REPLIES

Hello, Omar.

Please provide the output of "debug crypto isakmp" and "sh ip route 216.40.48.53".


This is the output of the debug:

czprab01#

*Nov  7 01:32:53 Winter: %SYS-5-CONFIG_I: Configured from console by netman on vty0 (10.32.1.22)

*Nov  7 01:32:55 Winter: %LINK-3-UPDOWN: Interface Tunnel2, changed state to up

*Nov  7 01:32:55 Winter: ISAKMP:(0): SA request profile is (NULL)

*Nov  7 01:32:55 Winter: ISAKMP: Created a peer struct for 216.40.48.53, peer port 500

*Nov  7 01:32:55 Winter: ISAKMP: New peer created peer = 0x84F1B738 peer_handle = 0x80000D08

*Nov  7 01:32:55 Winter: ISAKMP: Locking peer struct 0x84F1B738, refcount 1 for isakmp_initiator

*Nov  7 01:32:55 Winter: ISAKMP: local port 500, remote port 500

*Nov  7 01:32:55 Winter: ISAKMP: set new node 0 to QM_IDLE

*Nov  7 01:32:55 Winter: ISAKMP:(0):insert sa successfully sa = 84F2BDD4

*Nov  7 01:32:55 Winter: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Nov  7 01:32:55 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Nov  7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Nov  7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Nov  7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Nov  7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Nov  7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Nov  7 01:32:55 Winter: ISAKMP:(0): beginning Main Mode exchange

*Nov  7 01:32:55 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_NO_STATE

*Nov  7 01:32:55 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Nov  7 01:32:55 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_NO_STATE

*Nov  7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov  7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Nov  7 01:32:55 Winter: ISAKMP:(0): processing SA payload. message ID = 0

*Nov  7 01:32:55 Winter: ISAKMP:(0): processing vendor id payload

*Nov  7 01:32:55 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Nov  7 01:32:55 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Nov  7 01:32:55 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 01:32:55 Winter: ISAKMP:(0): local preshared key found

*Nov  7 01:32:55 Winter: ISAKMP : Scanning profiles for xauth ...

*Nov  7 01:32:55 Winter: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Nov  7 01:32:55 Winter: ISAKMP:      encryption 3DES-CBC

*Nov  7 01:32:55 Winter: ISAKMP:      hash MD5

*Nov  7 01:32:55 Winter: ISAKMP:      default group 1

*Nov  7 01:32:55 Winter: ISAKMP:      auth pre-share

*Nov  7 01:32:55 Winter: ISAKMP:      life type in seconds

*Nov  7 01:32:55 Winter: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Nov  7 01:32:55 Winter: ISAKMP:(0):atts are acceptable. Next payload is 0

*Nov  7 01:32:55 Winter: ISAKMP:(0):Acceptable atts:actual life: 0

*Nov  7 01:32:55 Winter: ISAKMP:(0):Acceptable atts:life: 0

*Nov  7 01:32:55 Winter: ISAKMP:(0):Fill atts in sa vpi_length:4

*Nov  7 01:32:55 Winter: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Nov  7 01:32:55 Winter: ISAKMP:(0):Returning Actual lifetime: 86400

*Nov  7 01:32:55 Winter: ISAKMP:(0)::Started lifetime timer: 86400.

*Nov  7 01:32:55 Winter: ISAKMP:(0): processing vendor id payload

*Nov  7 01:32:55 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Nov  7 01:32:55 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Nov  7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Nov  7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Nov  7 01:32:55 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Nov  7 01:32:55 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Nov  7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Nov  7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Nov  7 01:32:55 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_SA_SETUP

*Nov  7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov  7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Nov  7 01:32:55 Winter: ISAKMP:(0): processing KE payload. message ID = 0

*Nov  7 01:32:55 Winter: ISAKMP:(0): processing NONCE payload. message ID = 0

*Nov  7 01:32:55 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 01:32:55 Winter: ISAKMP:(2308): processing vendor id payload

*Nov  7 01:32:55 Winter: ISAKMP:(2308): vendor ID is Unity

*Nov  7 01:32:55 Winter: ISAKMP:(2308): processing vendor id payload

*Nov  7 01:32:55 Winter: ISAKMP:(2308): vendor ID is DPD

*Nov  7 01:32:55 Winter: ISAKMP:(2308): processing vendor id payload

*Nov  7 01:32:55 Winter: ISAKMP:(2308): speaking to another IOS box!

*Nov  7 01:32:55 Winter: ISAKMP:received payload type 20

*Nov  7 01:32:55 Winter: ISAKMP (2308): His hash no match - this node outside NAT

*Nov  7 01:32:55 Winter: ISAKMP:received payload type 20

*Nov  7 01:32:55 Winter: ISAKMP (2308): His hash no match - this node outside NAT

*Nov  7 01:32:55 Winter: ISAKMP:(2308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Nov  7 01:32:55 Winter: ISAKMP:(2308):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Nov  7 01:32:55 Winter: ISAKMP:(2308):Send initial contact

*Nov  7 01:32:55 Winter: ISAKMP:(2308):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Nov  7 01:32:55 Winter: ISAKMP (2308): ID payload

        next-payload : 8

        type         : 1

        address      : 80.188.29.210

        protocol     : 17

        port         : 0

        length       : 12

*Nov  7 01:32:55 Winter: ISAKMP:(2308):Total payload length: 12

*Nov  7 01:32:55 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:32:55 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.

*Nov  7 01:32:55 Winter: ISAKMP:(2308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Nov  7 01:32:55 Winter: ISAKMP:(2308):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Nov  7 01:32:56 Winter: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up

czprab01#

czprab01#

*Nov  7 01:33:05 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...

*Nov  7 01:33:05 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Nov  7 01:33:05 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH

*Nov  7 01:33:05 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:33:05 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.

*Nov  7 01:33:15 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...

*Nov  7 01:33:15 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Nov  7 01:33:15 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH

*Nov  7 01:33:15 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:33:15 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.

czprab01#

czprab01#

czprab01#

czprab01#

*Nov  7 01:33:25 Winter: ISAKMP:(0): SA request profile is (NULL)

*Nov  7 01:33:25 Winter: ISAKMP: Created a peer struct for 216.40.48.53, peer port 500

*Nov  7 01:33:25 Winter: ISAKMP: New peer created peer = 0x838FB5D8 peer_handle = 0x80000D0F

*Nov  7 01:33:25 Winter: ISAKMP: Locking peer struct 0x838FB5D8, refcount 1 for isakmp_initiator

*Nov  7 01:33:25 Winter: ISAKMP: local port 500, remote port 500

*Nov  7 01:33:25 Winter: ISAKMP: set new node 0 to QM_IDLE

*Nov  7 01:33:25 Winter: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8390F81C

*Nov  7 01:33:25 Winter: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Nov  7 01:33:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Nov  7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Nov  7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Nov  7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Nov  7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Nov  7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Nov  7 01:33:25 Winter: ISAKMP:(0): beginning Main Mode exchange

*Nov  7 01:33:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_NO_STATE

*Nov  7 01:33:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Nov  7 01:33:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_NO_STATE

*Nov  7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov  7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Nov  7 01:33:25 Winter: ISAKMP:(0): processing SA payload. message ID = 0

*Nov  7 01:33:25 Winter: ISAKMP:(0): processing vendor id payload

*Nov  7 01:33:25 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Nov  7 01:33:25 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Nov  7 01:33:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 01:33:25 Winter: ISAKMP:(0): local preshared key found

*Nov  7 01:33:25 Winter: ISAKMP : Scanning profiles for xauth ...

*Nov  7 01:33:25 Winter: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Nov  7 01:33:25 Winter: ISAKMP:      encryption 3DES-CBC

*Nov  7 01:33:25 Winter: ISAKMP:      hash MD5

*Nov  7 01:33:25 Winter: ISAKMP:      default group 1

*Nov  7 01:33:25 Winter: ISAKMP:      auth pre-share

*Nov  7 01:33:25 Winter: ISAKMP:      life type in seconds

*Nov  7 01:33:25 Winter: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Nov  7 01:33:25 Winter: ISAKMP:(0):atts are acceptable. Next payload is 0

*Nov  7 01:33:25 Winter: ISAKMP:(0):Acceptable atts:actual life: 0

*Nov  7 01:33:25 Winter: ISAKMP:(0):Acceptable atts:life: 0

*Nov  7 01:33:25 Winter: ISAKMP:(0):Fill atts in sa vpi_length:4

*Nov  7 01:33:25 Winter: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Nov  7 01:33:25 Winter: ISAKMP:(0):Returning Actual lifetime: 86400

*Nov  7 01:33:25 Winter: ISAKMP:(0)::Started lifetime timer: 86400.

*Nov  7 01:33:25 Winter: ISAKMP:(0): processing vendor id payload

*Nov  7 01:33:25 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Nov  7 01:33:25 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Nov  7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Nov  7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Nov  7 01:33:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Nov  7 01:33:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Nov  7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Nov  7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Nov  7 01:33:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_SA_SETUP

*Nov  7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov  7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Nov  7 01:33:25 Winter: ISAKMP:(0): processing KE payload. message ID = 0

*Nov  7 01:33:25 Winter: ISAKMP:(0): processing NONCE payload. message ID = 0

*Nov  7 01:33:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 01:33:25 Winter: ISAKMP:(2309): processing vendor id payload

*Nov  7 01:33:25 Winter: ISAKMP:(2309): vendor ID is Unity

*Nov  7 01:33:25 Winter: ISAKMP:(2309): processing vendor id payload

*Nov  7 01:33:25 Winter: ISAKMP:(2309): vendor ID is DPD

*Nov  7 01:33:25 Winter: ISAKMP:(2309): processing vendor id payload

*Nov  7 01:33:25 Winter: ISAKMP:(2309): speaking to another IOS box!

*Nov  7 01:33:25 Winter: ISAKMP:received payload type 20

*Nov  7 01:33:25 Winter: ISAKMP (2309): His hash no match - this node outside NAT

*Nov  7 01:33:25 Winter: ISAKMP:received payload type 20

*Nov  7 01:33:25 Winter: ISAKMP (2309): His hash no match - this node outside NAT

*Nov  7 01:33:25 Winter: ISAKMP:(2309):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Nov  7 01:33:25 Winter: ISAKMP:(2309):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Nov  7 01:33:25 Winter: ISAKMP:(2309):Send initial contact

*Nov  7 01:33:25 Winter: ISAKMP:(2309):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Nov  7 01:33:25 Winter: ISAKMP (2309): ID payload

        next-payload : 8

        type         : 1

        address      : 80.188.29.210

        protocol     : 17

        port         : 0

        length       : 12

*Nov  7 01:33:25 Winter: ISAKMP:(2309):Total payload length: 12

*Nov  7 01:33:25 Winter: ISAKMP:(2309): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:33:25 Winter: ISAKMP:(2309):Sending an IKE IPv4 Packet.

*Nov  7 01:33:25 Winter: ISAKMP:(2309):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Nov  7 01:33:25 Winter: ISAKMP:(2309):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Nov  7 01:33:25 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...

*Nov  7 01:33:25 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Nov  7 01:33:25 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH

*Nov  7 01:33:25 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:33:25 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.

czprab01#

*Nov  7 01:33:35 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH...

*Nov  7 01:33:35 Winter: ISAKMP (2309): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Nov  7 01:33:35 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH

*Nov  7 01:33:35 Winter: ISAKMP:(2309): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:33:35 Winter: ISAKMP:(2309):Sending an IKE IPv4 Packet.

*Nov  7 01:33:35 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...

*Nov  7 01:33:35 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Nov  7 01:33:35 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH

*Nov  7 01:33:35 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:33:35 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.

*Nov  7 01:33:45 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH...

*Nov  7 01:33:45 Winter: ISAKMP (2309): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Nov  7 01:33:45 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH

*Nov  7 01:33:45 Winter: ISAKMP:(2309): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Nov  7 01:33:45 Winter: ISAKMP:(2309):Sending an IKE IPv4 Packet.

*Nov  7 01:33:45 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...

*Nov  7 01:33:45 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Nov  7 01:33:45 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH

czprab01#sh ip route 216.40.48.53

Routing entry for 216.40.48.53/32

  Known via "static", distance 1, metric 0

  Routing Descriptor Blocks:

  * 80.188.29.209, via FastEthernet4

      Route metric is 0, traffic share count is 1

czprab01#ping 216.40.48.53

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 216.40.48.53, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 132/134/140 ms

Thank you


Hello, Omar.

>sending packet to 216.40.48.53 my_port 4500 peer_port 4500

Looks like some issue with NAT-T. But it's strange that the router detects NAT even though you are using public addresses.

Take a look at the link provided by Raman.

PS: check your inbound ACLs on both sides - do they permit udp 4500?

PS2: do you have the same debug output from the other side?
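The symptom this reply points at (IKE main mode moving from UDP 500 to UDP 4500 and then retransmitting with no answer) can be pulled out of a long `debug crypto isakmp` capture mechanically. The following is an added example, not code from the thread; the finding names are hypothetical labels, the sample lines are abridged from the debug output posted in this thread, and it also flags the `PROPOSAL_NOT_CHOSEN` notify that shows up in the later debug.

```python
import re
from collections import Counter, defaultdict

# Patterns for the IOS "debug crypto isakmp" lines that matter for this diagnosis.
SA_ID = re.compile(r"ISAKMP\s*:?\s*\((\d+)\)")             # "ISAKMP:(2308)" or "ISAKMP (2308)"
SENT = re.compile(r"sending packet to (\S+) my_port (\d+)")
RECV = re.compile(r"received packet from (\S+) dport (\d+)")
STATE = re.compile(r"Old State = \w+\s+New State = (\w+)")
RETRY = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
NATD = re.compile(r"hash no match - this node (?:inside|outside) NAT")
P2_REJECT = re.compile(r"NOTIFY PROPOSAL_NOT_CHOSEN")

# Sample input, abridged from the spoke debug posted in this thread (NAT-T enabled).
SAMPLE_NATT = """\
*Nov  7 01:32:55 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov  7 01:32:55 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov  7 01:32:55 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov  7 01:32:55 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_SA_SETUP
*Nov  7 01:32:55 Winter: ISAKMP (2308): His hash no match - this node outside NAT
*Nov  7 01:32:55 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov  7 01:32:55 Winter: ISAKMP:(2308):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Nov  7 01:33:05 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Nov  7 01:33:05 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

# Sample input, abridged from the later debug in this thread (exchange stays on port 500).
SAMPLE_PORT500 = """\
*Nov  7 23:12:25 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Nov  7 23:12:25 Winter: ISAKMP (2458): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""


def analyze(log):
    """Return {peer_ip: [finding, ...]} for an initiator-side ISAKMP debug capture."""
    sent, recv = defaultdict(Counter), defaultdict(Counter)  # peer -> {local UDP port: packets}
    sa_peer, sa_state, sa_retry = {}, {}, {}                 # keyed by SA conn-id
    sa_natd, sa_p2_reject = set(), set()

    for line in log.splitlines():
        m_id = SA_ID.search(line)
        # conn-id 0 means "no SA id assigned yet"; it is shared by all peers, so skip it.
        sa = int(m_id.group(1)) if m_id else 0
        if m := SENT.search(line):
            sent[m.group(1)][int(m.group(2))] += 1
            if sa:
                sa_peer[sa] = m.group(1)
        elif m := RECV.search(line):
            recv[m.group(1)][int(m.group(2))] += 1
            if sa:
                sa_peer[sa] = m.group(1)
        elif not sa:
            continue
        elif m := STATE.search(line):
            sa_state[sa] = m.group(1)
        elif m := RETRY.search(line):
            sa_retry[sa] = max(sa_retry.get(sa, 0), int(m.group(1)))
        elif NATD.search(line):
            sa_natd.add(sa)          # NAT-D hash mismatch: IKE will float to UDP 4500
        elif P2_REJECT.search(line):
            sa_p2_reject.add(sa)

    report = {}
    for peer in sorted(set(sent) | set(recv)):
        # SA ids are resolved to a peer only now, because the NAT-D line is
        # logged before the first packet that carries the new conn-id.
        sas = [s for s, p in sa_peer.items() if p == peer]
        findings = []
        if any(s in sa_natd for s in sas):
            findings.append("natd_hash_mismatch")
        if sent[peer][4500] and not recv[peer][4500]:
            findings.append("udp4500_unanswered")      # check ACLs/path for UDP 4500
        if any(sa_state.get(s) == "IKE_I_MM5" and sa_retry.get(s) for s in sas):
            findings.append("stalled_at_mm5")          # MM5 sent, MM6 never arrived
        if any(s in sa_p2_reject for s in sas):
            findings.append("phase2_proposal_not_chosen")
        report[peer] = findings
    return report


if __name__ == "__main__":
    for name, sample in (("NAT-T", SAMPLE_NATT), ("port 500", SAMPLE_PORT500)):
        print(name, analyze(sample))
```
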


Hi Mikhailovsky,

I tried what the link says, the command

crypto ipsec nat-transparency spi-matching

on both sides, and this is the result:

czprab01#sh cryp session

Crypto session current status

Interface: Tunnel1

Session status: UP-ACTIVE

Peer: 216.40.52.7 port 4500

  IKE SA: local 80.188.29.210/4500 remote 216.40.52.7/4500 Active

  IPSEC FLOW: permit 47 host 80.188.29.210 host 216.40.52.7

        Active SAs: 2, origin: crypto map

Interface: Tunnel2

Session status: UP-IDLE      <----------------------------------------

Peer: 216.40.48.53 port 500

  IKE SA: local 80.188.29.210/500 remote 216.40.48.53/500 Active

  IPSEC FLOW: permit 47 host 80.188.29.210 host 216.40.48.53

        Active SAs: 0, origin: crypto map

czprab01#sh cryp isa

czprab01#sh cryp isakmp sa

czprab01#sh cryp isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

216.40.48.53    80.188.29.210   QM_IDLE           2458 ACTIVE

216.40.52.7     80.188.29.210   QM_IDLE           2034 ACTIVE

IPv6 Crypto ISAKMP SA

Debug: (looks like it is trying through port 500)

czprab01#

*Nov  7 23:12:24 Winter: %SYS-5-CONFIG_I: Configured from console by netman on vty0 (10.32.1.22)

*Nov  7 23:12:25 Winter: %LINK-3-UPDOWN: Interface Tunnel2, changed state to up

*Nov  7 23:12:25 Winter: ISAKMP:(0): SA request profile is (NULL)

*Nov  7 23:12:25 Winter: ISAKMP: Created a peer struct for 216.40.48.53, peer port 500

*Nov  7 23:12:25 Winter: ISAKMP: New peer created peer = 0x84F60934 peer_handle = 0x8000194B

*Nov  7 23:12:25 Winter: ISAKMP: Locking peer struct 0x84F60934, refcount 1 for isakmp_initiator

*Nov  7 23:12:25 Winter: ISAKMP: local port 500, remote port 500

*Nov  7 23:12:25 Winter: ISAKMP: set new node 0 to QM_IDLE

*Nov  7 23:12:25 Winter: ISAKMP:(0):insert sa successfully sa = 84F5FF70

*Nov  7 23:12:25 Winter: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Nov  7 23:12:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Nov  7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Nov  7 23:12:25 Winter: ISAKMP:(0): beginning Main Mode exchange

*Nov  7 23:12:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_NO_STATE

*Nov  7 23:12:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Nov  7 23:12:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_NO_STATE

*Nov  7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov  7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Nov  7 23:12:25 Winter: ISAKMP:(0): processing SA payload. message ID = 0

*Nov  7 23:12:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 23:12:25 Winter: ISAKMP:(0): local preshared key found

*Nov  7 23:12:25 Winter: ISAKMP : Scanning profiles for xauth ...

*Nov  7 23:12:25 Winter: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Nov  7 23:12:25 Winter: ISAKMP:      encryption 3DES-CBC

*Nov  7 23:12:25 Winter: ISAKMP:      hash MD5

*Nov  7 23:12:25 Winter: ISAKMP:      default group 1

*Nov  7 23:12:25 Winter: ISAKMP:      auth pre-share

*Nov  7 23:12:25 Winter: ISAKMP:      life type in seconds

*Nov  7 23:12:25 Winter: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Nov  7 23:12:25 Winter: ISAKMP:(0):atts are acceptable. Next payload is 0

*Nov  7 23:12:25 Winter: ISAKMP:(0):Acceptable atts:actual life: 0

*Nov  7 23:12:25 Winter: ISAKMP:(0):Acceptable atts:life: 0

*Nov  7 23:12:25 Winter: ISAKMP:(0):Fill atts in sa vpi_length:4

*Nov  7 23:12:25 Winter: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Nov  7 23:12:25 Winter: ISAKMP:(0):Returning Actual lifetime: 86400

*Nov  7 23:12:25 Winter: ISAKMP:(0)::Started lifetime timer: 86400.

*Nov  7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Nov  7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Nov  7 23:12:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Nov  7 23:12:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Nov  7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Nov  7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Nov  7 23:12:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_SA_SETUP

*Nov  7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov  7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Nov  7 23:12:25 Winter: ISAKMP:(0): processing KE payload. message ID = 0

*Nov  7 23:12:25 Winter: ISAKMP:(0): processing NONCE payload. message ID = 0

*Nov  7 23:12:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53

*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing vendor id payload

*Nov  7 23:12:25 Winter: ISAKMP:(2458): vendor ID is Unity

*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing vendor id payload

*Nov  7 23:12:25 Winter: ISAKMP:(2458): vendor ID is DPD

*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing vendor id payload

*Nov  7 23:12:25 Winter: ISAKMP:(2458): speaking to another IOS box!

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Send initial contact

*Nov  7 23:12:25 Winter: ISAKMP:(2458):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Nov  7 23:12:25 Winter: ISAKMP (2458): ID payload

        next-payload : 8

        type         : 1

        address      : 80.188.29.210

        protocol     : 17

        port         : 500

        length       : 12

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Total payload length: 12

*Nov  7 23:12:25 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Sending an IKE IPv4 Packet.

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Nov  7 23:12:25 Winter: ISAKMP (2458): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing ID payload. message ID = 0

*Nov  7 23:12:25 Winter: ISAKMP (2458): ID payload

        next-payload : 8

        type         : 1

        address      : 10.32.100.95

        protocol     : 17

        port         : 500

        length       : 12

*Nov  7 23:12:25 Winter: ISAKMP:(0):: peer matches *none* of the profiles

*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing HASH payload. message ID = 0

*Nov  7 23:12:25 Winter: ISAKMP:(2458):SA authentication status:

        authenticated

*Nov  7 23:12:25 Winter: ISAKMP:(2458):SA has been authenticated with 216.40.48.53

*Nov  7 23:12:25 Winter: ISAKMP: Trying to insert a peer 80.188.29.210/216.40.48.53/500/,  and inserted successfully 84F60934.

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Nov  7 23:12:25 Winter: ISAKMP:(2458):IKE_DPD is enabled, initializing timers

*Nov  7 23:12:25 Winter: ISAKMP:(2458):beginning Quick Mode exchange, M-ID of -1653111772

*Nov  7 23:12:25 Winter: ISAKMP:(2458):QM Initiator gets spi

*Nov  7 23:12:25 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) QM_IDLE

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Sending an IKE IPv4 Packet.

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Node -1653111772, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Nov  7 23:12:25 Winter: ISAKMP (2458): received packet from 216.40.48.53 dport 500 sport 500 Global (I) QM_IDLE

*Nov  7 23:12:25 Winter: ISAKMP: set new node 457267733 to QM_IDLE

*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing HASH payload. message ID = 457267733

*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 366030750, message ID = 457267733, sa = 84F5FF70

*Nov  7 23:12:25 Winter: ISAKMP:(2458): deleting spi 366030750 message ID = -1653111772

*Nov  7 23:12:25 Winter: ISAKMP:(2458):deleting node -1653111772 error TRUE reason "Delete Larval"

*Nov  7 23:12:25 Winter: ISAKMP:(2458):deleting node 457267733 error FALSE reason "Informational (in) state 1"

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Nov  7 23:12:26 Winter: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up

czprab01#

czprab01#

czprab01#

*Nov  7 23:12:55 Winter: ISAKMP: set new node 0 to QM_IDLE

*Nov  7 23:12:55 Winter: SA has outstanding requests  (local 132.246.0.244 port 500, remote 132.246.0.216 port 500)

*Nov  7 23:12:55 Winter: ISAKMP:(2458): sitting IDLE. Starting QM immediately (QM_IDLE      )

*Nov  7 23:12:55 Winter: ISAKMP:(2458):beginning Quick Mode exchange, M-ID of -2109933165

*Nov  7 23:12:55 Winter: ISAKMP:(2458):QM Initiator gets spi

*Nov  7 23:12:55 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) QM_IDLE

*Nov  7 23:12:55 Winter: ISAKMP:(2458):Sending an IKE IPv4 Packet.

*Nov  7 23:12:55 Winter: ISAKMP:(2458):Node -2109933165, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Nov  7 23:12:55 Winter: ISAKMP:(2458):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Nov  7 23:12:55 Winter: ISAKMP (2458): received packet from 216.40.48.53 dport 500 sport 500 Global (I) QM_IDLE

*Nov  7 23:12:55 Winter: ISAKMP: set new node 734369673 to QM_IDLE

*Nov  7 23:12:55 Winter: ISAKMP:(2458): processing HASH payload. message ID = 734369673

*Nov  7 23:12:55 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 3927145352, message ID = 734369673, sa = 84F5FF70

*Nov  7 23:12:55 Winter: ISAKMP:(2458): deleting spi 3927145352 message ID = -2109933165

*Nov  7 23:12:55 Winter: ISAKMP:(2458):deleting node -2109933165 error TRUE reason "Delete Larval"

*Nov  7 23:12:55 Winter: ISAKMP:(2458):deleting node 734369673 error FALSE reason "Informational (in) state 1"

*Nov  7 23:12:55 Winter: ISAKMP:(2458):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Nov  7 23:12:55 Winter: ISAKMP:(2458):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Nov  7 23:13:15 Winter: ISAKMP:(2458):purging node -1653111772

*Nov  7 23:13:15 Winter: ISAKMP:(2458):purging node 457267733

and this is the ACL:

czprab01#sh ip access 110

Extended IP access list 110

    10 deny icmp any any redirect log

    20 deny ip 127.0.0.0 0.255.255.255 any log

    30 deny ip 224.0.0.0 31.255.255.255 any log

    40 deny ip host 0.0.0.0 any log

    50 permit esp host 216.40.52.7 any

    60 permit udp host 216.40.52.7 any eq isakmp

    70 permit gre host 216.40.52.7 any

    80 permit udp host 216.40.52.7 any eq non500-isakmp (16355 matches)

    90 permit esp host 216.40.48.53 any

    100 permit udp host 216.40.48.53 any eq isakmp (256 matches)

    110 permit gre host 216.40.48.53 any

    120 permit udp host 216.40.48.53 any eq non500-isakmp

    130 deny ip any any log (18 matches)

I will appreciate any comment
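The debug output above shows main mode reaching IKE_P1_COMPLETE on SA 2458, after which each Quick Mode attempt is answered with NOTIFY PROPOSAL_NOT_CHOSEN for protocol 3 (ESP in the IPsec DOI). A small parser that pulls that summary out of ISAKMP debug text follows. It is an added example, not part of the original thread; the function names are hypothetical and the sample lines are excerpted from the post.

```python
import re
from collections import defaultdict

# IPsec DOI protocol identifiers (RFC 2407)
DOI_PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
SA_LINE = re.compile(r"ISAKMP\s*:?\s*\((\d+)\)\s*:?\s*(.*)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
QM_START = re.compile(r"beginning Quick Mode exchange, M-ID of (-?\d+)")

# Excerpt of the debug lines posted above (trimmed, not the full log)
SAMPLE = """\
*Nov  7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Nov  7 23:12:25 Winter: ISAKMP:(2458):beginning Quick Mode exchange, M-ID of -1653111772
*Nov  7 23:12:25 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Nov  7 23:12:25 Winter: ISAKMP:(2458):deleting node -1653111772 error TRUE reason "Delete Larval"
*Nov  7 23:12:55 Winter: ISAKMP:(2458):beginning Quick Mode exchange, M-ID of -2109933165
*Nov  7 23:12:55 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Nov  7 23:12:55 Winter: ISAKMP:(2458):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
"""

def summarize(debug_text):
    """Return {conn_id: summary} for each ISAKMP SA seen in the debug text."""
    sas = defaultdict(lambda: {"phase1_complete": False, "qm_attempts": 0,
                               "notifies": [], "last_state": None})
    for line in debug_text.splitlines():
        m = SA_LINE.search(line)
        if not m or m.group(1) == "0":  # (0) lines are not bound to an SA yet
            continue
        sa, msg = sas[m.group(1)], m.group(2)
        if (s := STATE.search(msg)):
            sa["last_state"] = s.group(2)
            sa["phase1_complete"] |= s.group(2) == "IKE_P1_COMPLETE"
        elif QM_START.search(msg):
            sa["qm_attempts"] += 1
        elif (n := NOTIFY.search(msg)):
            proto = DOI_PROTOCOLS.get(int(n.group(2)), n.group(2))
            sa["notifies"].append((n.group(1), proto))
    return dict(sas)

def diagnose(summary):
    """One-line verdict for a single SA summary produced by summarize()."""
    rejected = [p for name, p in summary["notifies"] if name == "PROPOSAL_NOT_CHOSEN"]
    if summary["phase1_complete"] and rejected:
        return f"phase 1 OK; peer rejected phase 2 {rejected[0]} proposal"
    if not summary["phase1_complete"]:
        return f"phase 1 incomplete (last state {summary['last_state']})"
    return "no rejection seen"
```

Calling `diagnose(summarize(SAMPLE)["2458"])` reports that phase 1 succeeded and the peer rejected the phase 2 ESP proposal, which points the comparison at the IPsec transform set and profile on each side rather than at the pre-shared key or the ACL.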

New Member

DMVPN dua HUB issue, one tunnel doesnt work

I am not sure if you resolved this, and I am new to replying, so forgive me if I am doing this incorrectly, but...

I noticed you did not have the word shared under your tunnel protection statement, as this is needed:

tunnel protection ipsec profile CHEP shared

DMVPN dua HUB issue, one tunnel doesnt work

Hello

can you try...

Int tun xx

tunnel mode gre multipoint

ip nhrp map multicast 216.40.48.53

ip mtu 1400

ip tcp adjust-mss 1360

tunnel protection ipsec profile CHEP shared

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.
