DMVPN/GETVPN dual spoke router design

All,

I'm developing a new VPN design: a DMVPN cloud, dual hub routers at the main site, a single hub router at the backup site, and dual spoke routers at the head office/remote sites.

This is all over Internet transport, with a GETVPN overlay for encryption.

Does anyone have experience building DMVPN designs with dual spoke routers, and how did you go about it? HSRP on the outside or inside interface, path selection by the routing protocol only, etc.?

Thanks in advance!

Hi Steve,

Using BGP will complicate things a bit.

This is because you would have to announce the HSRP IP (used as the GRE source) to both of your ISPs, i.e. you would need to own that IP.

If this is not possible, you can use the dual hub - dual DMVPN layout (part of the DMVPN link I attached earlier).

This will require a DMVPN cloud per router and a routing protocol to handle the routing.

HSRP can still be used on the inside interface, tracking the GRE tunnel state.

As much traffic as possible must be routed over the GRE tunnels.

Please rate if this helped.

Kind regards

Daniel
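Here is an added example of the layout Daniel describes, written for this page rather than taken from the thread: one of the two spoke routers at a remote site keeps its own mGRE tunnel and EIGRP adjacency to the hub, and HSRP on the inside interface surrenders the virtual IP when the hub stops answering across that tunnel. Interface names, the hub addresses (203.0.113.1 public, 10.0.0.1 inside the tunnel), the LAN subnet, the HSRP key and the IPsec profile name DMVPN_IPSEC are assumptions; the ISAKMP/IPsec profile itself is configured elsewhere.

```cisco
! --- Spoke router R1 (primary). R2 is identical apart from the values
! --- marked (R2: ...) and its lower HSRP priority.  All addresses assumed.
!
ip sla 1
 icmp-echo 10.0.0.1 source-interface Tunnel0     ! hub tunnel address: probes the overlay itself
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability                     ! hub answering over GRE/IPsec?
track 2 interface Tunnel0 line-protocol           ! only catches the tunnel source going down
!
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0              ! (R2: 10.0.0.12)
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 203.0.113.1                ! hub tunnel address -> hub public address
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0                ! this router's own Internet uplink
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_IPSEC     ! profile defined elsewhere
!
interface GigabitEthernet0/1
 description inside LAN, shared with R2
 ip address 192.168.10.2 255.255.255.0           ! (R2: 192.168.10.3)
 standby version 2
 standby 1 ip 192.168.10.1                       ! default gateway of the site
 standby 1 priority 110                          ! (R2: 100)
 standby 1 preempt delay minimum 30              ! let routes settle before taking the VIP back
 standby 1 authentication md5 key-string HSRPKEY
 standby 1 track 1 decrement 20                  ! 110 - 20 < 100: R2 takes over
 standby 1 track 2 decrement 20
!
router eigrp 100
 network 10.0.0.0 0.0.0.255                      ! tunnel subnet: adjacency with the hub
 network 192.168.10.0 0.0.0.255                  ! LAN: R1 and R2 also peer with each other
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface GigabitEthernet0/1
```

The line-protocol track on its own only notices the uplink going down: a GRE tunnel with tunnel protection stays up/up as long as its source interface is up, even when IPsec or NHRP registration is broken. The IP SLA probe sent through the tunnel is what actually moves the VIP to the other spoke router in that case, and `preempt delay` keeps it from flapping back before the recovered router has re-registered with the NHS and relearned its routes.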

Tags: Cisco Security

Similar Questions

  • Dual-Cloud DMVPN Spoke Router Configuration

    I have decided to adopt a dual-cloud DMVPN architecture (1 hub at the main office, 1 hub at the DR site) with the option to later go to dual hubs at each of my hub locations.

    I tried to configure each of the clouds to have its own key.

    Cloud 1, Hub 1:

    crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth

    Cloud 2, Hub 1:

    crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth

    Of course, the spokes I want to connect to both clouds would not let me use the simple crypto isakmp key command twice.

    Several of my sites will have 2 Internet connections.  Since I source a tunnel from each of these Internet connections, I came up with the following solution:

    Spoke 1:

    crypto keyring X-RING
     local-address Gig0/1                            ! Internet connection interface 1
     pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123
    crypto keyring Y-RING
     local-address Gig0/2                            ! Internet connection interface 2
     pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456
    crypto isakmp profile DMVPN_ISAKMP_X
     keyring X-RING
     match identity address 0.0.0.0
     local-address Gig0/1
    crypto isakmp profile DMVPN_ISAKMP_Y
     keyring Y-RING
     match identity address 0.0.0.0
     local-address Gig0/2

    OK... on to the question... the first site I tried to connect to both DMVPN clouds has only 1 Internet connection!

    Without changing both my DMVPN clouds to the same key (almost all of the examples do this) - how can I make sure that the spoke-to-spoke tunnels work?

    Is there anything else I can match on, or create in each spoke and hub config?

    I tried:

    - match identity group, but I couldn't figure out how to set a group name on each of the spokes - or the hub either.  Also, wouldn't no-xauth prevent it from being considered?

    - matching on fqdn does not seem to work either.

    - vrf is not an option - not applicable
    - keying on something behind the IP address does not appear to be an option and seems to complicate the issue too.

    Thank you very much in advance!

    There is nothing special about PKI when it comes to DMVPN. PKI or preshared keys is just how ISAKMP authenticates the session, and there is no difference between DMVPN and site-to-site.

    Basically, you'd have to do these things:

    - create a CA. A basic one can be created on one of your routers.

    - create the trustpoint on each DMVPN hub and spoke.

    - change the authentication type in the ISAKMP profile from pre-shared key to rsa-sig.

    You can certainly have more than one trustpoint, one for each cloud, but I highly doubt it is necessary with PKI.

    Maybe this doc will be of some help, even if it has too much info:

    http://www.Cisco.com/en/us/docs/solutions/enterprise/security/DCertPKI.html

    If needed, I can bring up a full site-to-site example with PKI auth.
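    As an added example (not the poster's or the replier's config) of the PKI route suggested above, here is a spoke with a single Internet uplink that belongs to both DMVPN clouds. With certificates there is no per-cloud key to pick by source interface: one trustpoint, one ISAKMP profile and one IPsec profile serve both tunnels and any spoke-to-spoke peer, whatever address it comes from. The CA address, subject names, hub addresses (203.0.113.1/2 public, 10.1.0.1 and 10.2.0.1 in the tunnels) and profile names are assumptions; hubs and other spokes carry the same trustpoint and profiles and differ only in their tunnel interfaces.

```cisco
! --- Spoke with one Internet uplink (Gig0/1), member of DMVPN clouds 1 and 2.
! --- Authentication is the certificate, so the peer's source address no longer
! --- has to tell the router which key to use.  All names/addresses assumed.
!
crypto pki trustpoint DMVPN-CA
 enrollment url http://198.51.100.10:80            ! IOS CA server (assumed address)
 subject-name CN=spoke1.example.net,OU=DMVPN,O=Example
 revocation-check crl                              ! revoked spokes are refused
 rsakeypair DMVPN-KEY 2048
!
! Only certificates from our CA that carry OU=DMVPN may bring up a tunnel.
crypto pki certificate map DMVPN-CERTS 10
 subject-name co ou = dmvpn
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig                            ! replaces "crypto isakmp key ..."
 group 14
!
crypto isakmp profile DMVPN_PKI                    ! one profile for both clouds and all peers
 ca trust-point DMVPN-CA
 match certificate DMVPN-CERTS
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN_IPSEC
 set transform-set AES256-SHA256
 set isakmp-profile DMVPN_PKI
!
interface Tunnel1
 description DMVPN cloud 1
 ip address 10.1.0.13 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUD1
 ip nhrp map 10.1.0.1 203.0.113.1                  ! hub 1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.1.0.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_IPSEC shared
!
interface Tunnel2
 description DMVPN cloud 2
 ip address 10.2.0.13 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUD2
 ip nhrp map 10.2.0.1 203.0.113.2                  ! hub 2
 ip nhrp map multicast 203.0.113.2
 ip nhrp network-id 2
 ip nhrp nhs 10.2.0.1
 tunnel source GigabitEthernet0/1                  ! same uplink as Tunnel1 ...
 tunnel mode gre multipoint
 tunnel key 2                                      ! ... so the GRE key separates the clouds
 tunnel protection ipsec profile DMVPN_IPSEC shared  ! ... and the IPsec SA database is shared
```

    Two points are easy to miss: `tunnel protection ... shared` is required when both tunnels use the same `tunnel source`, and the certificate map is what limits who may build a tunnel (any certificate from the CA would otherwise do), so keep revocation checking on rather than `revocation-check none` once the CRL is reachable from the spokes.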

  • DMVPN, GETVPN or DVTI

    Hello

    In fact, I have the situation described below and I am confused about which VPN topology to design and implement: should I choose DMVPN, GETVPN or DVTI?

    I have 4 branches and 1 main site; the branches have 2 connections to HQ, one via the INTERNET and another through MPLS, so I want to have failover between the links and also a secure two-way tunnel.

    Best regards

    John Mayer

    GETVPN is not supposed to be used on the Internet, so this isn't the solution.

    With this small number of sites I would set up static VTI on MPLS and use DVTIs on the Internet if the branches have dynamic IPs. If the branches also have static IPs, I would do these links with static VTI as well.

    DMVPN could also be used in this scenario, but the protocol overhead is not necessary in this small-scale scenario.
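    As an added example (not from the thread) of the split recommended above: a static VTI on both ends of the MPLS link, where the addresses are fixed, and a dynamic VTI on the hub for the Internet link, so branches with changing ISP addresses can still terminate there. EIGRP runs over both tunnels and prefers the MPLS one. All addresses, the trustpoint BRANCH-CA, the EIGRP AS and the profile names are assumptions; the branch's ISAKMP policy, trustpoint, transform set and ISAKMP profiles mirror the hub's and are left out.

```cisco
! ===== Hub =====  (all addresses and names assumed)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig                ! certificates: no wildcard PSK for unknown addresses
 group 14
!
crypto isakmp profile VTI-MPLS         ! branch 1 over MPLS: fixed address, static VTI
 ca trust-point BRANCH-CA
 match identity address 172.16.1.2 255.255.255.255
!
crypto isakmp profile VTI-INTERNET     ! any Internet branch: cloned Virtual-Access per peer
 ca trust-point BRANCH-CA
 match identity address 0.0.0.0        ! keep this wildcard behind the specific match above
 virtual-template 1
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-MPLS
 set transform-set AES256-SHA256
 set isakmp-profile VTI-MPLS
crypto ipsec profile IPSEC-INTERNET
 set transform-set AES256-SHA256
 set isakmp-profile VTI-INTERNET
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel1                       ! sVTI over MPLS to branch 1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/1       ! MPLS-facing interface
 tunnel destination 172.16.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-MPLS
!
interface Virtual-Template1 type tunnel ! DVTI: one template for every Internet branch
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-INTERNET
!
router eigrp 100
 network 10.255.0.0 0.0.255.255         ! tunnel and loopback addresses
 network 10.0.0.0 0.0.255.255           ! hub LAN (assumed 10.0.0.0/16)
!
! ===== Branch 1 =====
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
interface Tunnel1                       ! sVTI over MPLS: primary path
 ip address 10.255.1.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 172.16.0.1          ! hub MPLS address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-MPLS
!
interface Tunnel2                       ! sVTI over the Internet toward the hub's DVTI
 ip unnumbered Loopback0
 delay 5000                             ! worse EIGRP metric: backup only
 tunnel source Dialer1                  ! a dynamic ISP address is fine; the hub never names it
 tunnel destination 203.0.113.1         ! hub public address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-INTERNET
!
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 192.168.1.0 0.0.0.255          ! branch LAN (assumed)
```

    Because the Internet profile matches any address, authentication is what keeps strangers off the virtual template: rsa-sig against your own CA, not a wildcard pre-shared key. Failover then needs nothing beyond EIGRP: when the MPLS tunnel loses its neighbor, the higher-delay Internet tunnel takes over.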

  • DMVPN question with dual ISP links at the branch end

    I have a setup (see drawing) where I have

    dual ISP links at the branch end, one with wireless and the other with 3G.

    Wireless should always be the main path when it works (it's a kind of ship, when it is in port).

    If I use OSPF, then the failover works fine, but as soon as I enable IPsec on the tunnel, it only switches over once and will not fail back again without restarting the router, and then the failover works once more.

    I also use tracking, because there is no interface that actually goes down.

    Is there anyone out there with a working configuration where e.g. the hub (normal installation) has dual ISP links on the same router, or of course the same setup as mine?

    I'm ready to use any kind of protocol to make it work, so RIPv2 (preferred), EIGRP, OSPF, tracking, IP SLA.

    Who is 80.198.195.138?

    The hub peer address is 80.1.1.1; can you ping this address when the main link is down?

    It also seems that you have IPsec tunnel 0 up, but not tunnel 0 and tunnel 1 at the same time. Make sure you have the pre-shared key on the hub router, and that you use the same source IP address for both IPsec tunnels.

    This message means the IKE database between the two routers is out of sync, but it should recover on its own.

    HTH

    Laurent.

  • FlexVPN spoke-to-spoke routing override loop

    I have a spoke router that has a route to the inside network 192.168.1.0 255.255.255.0 with next hop 10.1.1.1 (10.1.1.0/29 is the transit network):

    ip route 192.168.1.0 255.255.255.0 10.1.1.1

    After activating FlexVPN I get a routing override, and the route becomes 192.168.1.0 255.255.255.0 via Tunnel0 on the spoke router. I lost the right path, and I get a loop to the hub for 192.168.1.0.

    How can I let the spoke router ignore the routes from the hub?

    One way would be to increase the distance of the routes from the hub.

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/security/M1/sec-M1-CR-b...

  • DMVPN tunnel and EIGRP routing problem

    I have redundant paths to a remote 2811 router on my site network.  The first link is a T1 frame relay connection that has been in place for years, and the new link is a 54 Mbps fixed wireless that was recently set up.

    I'm running EIGRP as my routing protocol, process 100, over both links.

    I set up a DMVPN tunnel between the remote 2811 and a 2851 router at my host site.  The tunnel interface shows up/up on both sides and I can ping the remote tunnel IP from my host-side networks.

    However my EIGRP routes are not being spread over this new tunnel link, and if I run show ip eigrp neighbor on each router I only see the neighbor for the frame relay link and not the new wireless link.

    What am I missing here?

    A show interface tunnel0 shows the following:

    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 10.x.x.x/24
      MTU 1514 bytes, BW 54000 Kbit, DLY 10000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 10.x.x.x (FastEthernet0/1), destination 172.x.x.x
      Tunnel protocol/transport GRE/IP
        Key 0x186A0, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "CiscoCP_Profile1")
      Last input 00:00:01, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 947
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         880 packets input, 63000 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         910 packets output, 81315 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Please go ahead and add a static route on the hub so that it goes through the wireless link, and let me know if everything works correctly.

    Federico.

  • Double trouble: email design and reCAPTCHA

    Hello

    Usually I can do whatever I need in Muse, and now I have reached a point where I don't know what to do. I have two problems, and both are connected with the Muse e-mail forms.

    (1) The design of the email I receive from my form.
    I found templates for the automated notification emails that the sender of the form receives after submitting it, and I've been able to redesign that template. Now I want to redesign the email I receive from the form. So far I still get the pre-made Business Catalyst email, two gray stripes with the contents of the form in between. Since I am building the site for a client and don't want them to read the Business Catalyst "ads" in the mail, I would like to be able to redesign this email in the same style as I did with the autoresponder. Where can I do this?

    (2) Since I redesigned my autoresponder, reCAPTCHA stopped working. When I used the form "as is" with the preformatted e-mail templates from Adobe, reCAPTCHA worked fine. Now, with the autoresponder template changed, I get a reCAPTCHA error message whenever I try to send the form. I switched to the BC Captcha and everything works fine, but I really want to use reCAPTCHA.

    The funnier thing is: when submitting with reCAPTCHA, it disappears from the page itself and I get redirected to my autoresponder email template, where the Captcha error message is displayed instead of the text of the form. I already tried reloading reCAPTCHA, the entire page, even quitting and restarting my browser. As soon as I change the autoresponder template, reCAPTCHA does not work anymore.

    Any help and ideas would be greatly appreciated!

    Hello

    To answer your questions:

    1. You can change the email you receive when someone submits a form on your site from Site Manager > System Emails > Workflow Notification.

    2. Changing the autoresponder should not affect reCAPTCHA, unless you changed something in the code of the form. BC also has its own reCAPTCHA option for forms. You can use that too.

    Kind regards

    Aish

  • DMVPN spoke-to-spoke tunnel routing via hub

    I have a DMVPN network with several linked sites and everything works fine, with one exception. Two sites (which can connect spoke-to-spoke perfectly well to all other spoke routers in the network) cannot connect directly and route their traffic through the hub. The routing tables (EIGRP) show the routes are being properly announced; however show ip nhrp indicates the following

    Router 1 (spoke router initiating the connection)

    10.31.248.246/32 via 10.31.248.246
       Tunnel10 created 00:00:25, expire 00:09:34
       Type: dynamic, Flags: router implicit
       NBMA address: *address of Router 2*
       (no-socket)

    Router 2 (receiving spoke router)

    10.31.248.244/32 via 10.31.248.244
       Tunnel10 created 00:01:53, expire 00:01:12
       Type: dynamic, Flags: temporary
       NBMA address: *address of our DMVPN hub router*

    Any help to fix this would be extremely appreciated, because the two offices are in Asia and our hub router is in the United States, which means a round-trip time that should be approximately 50 ms between those offices is actually taking more than 400 ms.

    Hello

    What happens is that ROUTER1 already resolved ROUTER2 correctly via NHRP, but for some reason it cannot establish IPsec to send the NHRP response to Router 2.

    Can you check whether ISAKMP/IPsec between these two routers tries to establish when you ping from one side to the other? My guess is you'll see MM_NO_STATE ;-)

    M.

  • DMVPN spoke with a dynamic IP address

    A DMVPN hub-and-spoke scenario. The hub is in corporate HQ while the spokes are Internet-based only. No idea how I could establish a peering relationship if the spokes are assigned dynamic IP addresses? Should it learn them via NHRP?

    I wonder how the Zero Touch Deployment (ZTD) in the documentation applies to the spokes...

    Hello Gerard,

    While the hub must have a static IP address, the spoke can have a dynamic IP; this isn't a problem.

    The hub is called the NHS (next hop server). Basically, when the spoke brings up the tunnel, it registers with the NHS via NHRP, so the hub will have a dynamic mapping of the spokes' public IPs to their private IPs.

    The only thing is that you must manually set the NHS IP address on the spokes so that they can register.

    Hope this helps.

  • DMVPN - EIGRP Neighbors

    Hello

    I run a DMVPN solution in dual hub mode. I use EIGRP as the routing protocol between the hubs and the spokes.

    I know that GRE is a pain most of the time, but we have to live with that. Although I have had spoke EIGRP neighbors stable for 8-9 weeks and others dropping every few weeks, 2 days ago I noticed that all EIGRP neighbors dropped simultaneously on both hubs.

    On each spoke, I run a common phase 1 for the VPN, but a different phase 2; people who know DMVPN well know what I mean.

    The hubs are located in different areas and it was not a bandwidth issue affecting both hubs at the same time. It's really something with the protocols that DMVPN or EIGRP use.

    I have seen DMVPN drops; I have only seen the EIGRP neighborship drop for all spokes on both hubs at the same time. Any suggestions why EIGRP failed?

    It could be something with NHRP or an IOS bug;

    IOS c800-universalk9-mz.SPA.153-3.M.bin

    Please don't ask me about basic troubleshooting, connectivity or timers. I'm looking for an advanced suggestion; I have solved many DMVPN problems which even Cisco could not find.

    I look forward to a good suggestion, and thank you for taking the time to consider the issue.

    Kind regards

    Spyros

    Hello

    «Don't forget that it is a spoke-to-spoke design. Spoke-to-spoke communication goes straight across. DMVPN creates a dynamic tunnel between them and does not send the traffic via the HUB.»

    I think I respectfully disagree with you here, regarding these EIGRP next-hop and split-horizon statements on the spokes.

    Spokes do in fact set up tunnels between them; however my understanding is that the spokes first need to query the NHRP server's cache for the 'inside' IP address of the spoke they want to connect to, to check reachability of the tunnel address - I can't see or understand right now why this requirement is also necessary on the spokes.

    When you say the EIGRP adjacencies dropped at the same time - we are still not sure whether this is due to some partial failure that was found, but I think for any rollover between hubs, for EIGRP to work they must have feasible successors, so do these show up in the topology tables? - Maybe you had a situation where both hubs went into SIA state and dropped?

    One last thing: for a DMVPN mesh (spoke-to-spoke), isn't PKI necessary rather than pre-shared keys, and you said Cisco said the IOS was, or that using IPsec/GRE is, buggy; what did they suggest you do? As in your last post, you say you sorted it.

    Res
    Paul

    Sent by Cisco Support technique iPad App

  • DMVPN problem

    Hello all,

    I have a DMVPN with dual hubs and an OSPF configuration.

    I had one spoke and have now added another spoke, but I don't want the two spokes to open a tunnel between them; I want all traffic to pass through the hub.

    With "tunnel mode gre ip" on a spoke, the spoke does nothing; I don't see the 2 hubs as OSPF neighbors anymore. The hubs are configured as follows:

    interface Tunnel0
     bandwidth 100000
     ip address 172.16.5.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication test
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 600
     ip ospf network broadcast
     ip ospf priority 2
     delay 1000
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile profile
    end

    and the spokes:

    interface Tunnel0
     description VPN
     bandwidth 1000
     ip address 172.16.5.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nat outside
     ip nhrp authentication test
     ip nhrp map multicast XXX1             <- public IPs of the hubs
     ip nhrp map 172.16.5.1 XXX1
     ip nhrp map multicast x.x.x.2
     ip nhrp map 172.16.5.2 x.x.x.2
     ip nhrp network-id 100000
     ip nhrp holdtime 300
     ip nhrp nhs 172.16.5.1
     ip nhrp nhs 172.16.5.2
     ip virtual-reassembly in
     ip ospf network broadcast
     ip ospf priority 0
     ip ospf cost 5000
     delay 1000
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile profile

    I saw routes from one spoke to the other spoke, so I made a route-map filtering those routes from the routing table; it takes the default route from the hub and not from the spoke, but they always try to open a tunnel between them, which is blocked by the incoming ACL, so traffic flows as it should, but I don't want the spokes always trying to open a tunnel; they shouldn't. I just want DMVPN phase 1.

    Please try "ip ospf network point-to-multipoint" on all routers of the hub-and-spoke topology.

    Also, it would be useful if you could post the IPsec part of the config (minus any security info).

    Good luck with your configuration.
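    As an added example (not the poster's configuration), here is the layout that gives phase 1 behaviour by construction rather than by filtering: the hubs keep mGRE with `ip ospf network point-to-multipoint`, and the spoke gets one point-to-point GRE tunnel per hub, each with a `tunnel destination`. It departs from the thread in one respect: two point-to-point tunnels on one router cannot both sit in 172.16.5.0/24, so hub 2 is moved to an assumed second subnet 172.16.6.0/24 (the dual hub, dual DMVPN design). XXX1 and x.x.x.2 are the poster's placeholders for the hubs' public addresses; DMVPN_IPSEC is an assumed profile name.

```cisco
! ===== Hub 1 =====  (hub 2 identical with 172.16.6.1, network-id 100001, tunnel key 100001)
interface Tunnel0
 ip address 172.16.5.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication test
 ip nhrp map multicast dynamic          ! spokes register; hub learns their public addresses
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network point-to-multipoint    ! hub is the next hop of every spoke route it re-advertises
 ip ospf priority 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN_IPSEC
!
! ===== Spoke =====  one point-to-point GRE tunnel per hub
interface Tunnel1
 description to hub 1
 ip address 172.16.5.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication test
 ip nhrp map 172.16.5.1 XXX1           ! hub 1 tunnel address -> hub 1 public address
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.5.1                ! still registers, so the hub knows its NBMA address
 ip ospf network point-to-multipoint   ! same type (and timers) as the hub
 ip ospf cost 5000                     ! hub 1 preferred
 tunnel source Dialer1
 tunnel destination XXX1               ! mandatory on a p2p tunnel ("tunnel mode gre ip" is the default)
 tunnel key 100000
 tunnel protection ipsec profile DMVPN_IPSEC shared   ! two tunnels on one source interface
!
interface Tunnel2
 description to hub 2
 ip address 172.16.6.13 255.255.255.0  ! second subnet, see lead-in
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication test
 ip nhrp map 172.16.6.1 x.x.x.2
 ip nhrp network-id 100001
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.6.1
 ip ospf network point-to-multipoint
 ip ospf cost 6000                     ! hub 2 is the backup
 tunnel source Dialer1
 tunnel destination x.x.x.2
 tunnel key 100001
 tunnel protection ipsec profile DMVPN_IPSEC shared
```

    With point-to-multipoint the hub advertises every spoke prefix with itself as next hop, so no NHRP resolution is ever triggered; with point-to-point tunnels the spoke could not build a spoke-to-spoke tunnel even if it tried. `tunnel mode gre ip` on its own broke the OSPF adjacencies in the thread because a point-to-point GRE tunnel has nowhere to send packets until `tunnel destination` is set.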

  • DMVPN NHRP question

    I have a phase 2 network with about 40 spoke routers and dual DMVPN hub routers. 90% of it works very well. However, I have 3 or 4 spoke routers that are unable to communicate with each other directly (traffic goes via the hub router between these specific sites) but are able to communicate directly with the other 35 or so routers. I think it's an NHRP issue, as when I run show ip nhrp detail on one of these 4 routers, the 3 other routers show a (no-socket) entry. I am able to clear that "sometimes" with clear ip nhrp. Whenever the (no-socket) entry is there, spoke-to-spoke communication does not work. Any help would be greatly appreciated.

    Have you checked this bug, CSCsw18019

    Spoke-to-spoke communication passing through the hub if the NHRP cache is authoritative.

  • DMVPN dual-cloud source address problem

    Greetings,

    I run a single hub, dual-cloud DMVPN operating in phase 2 (spoke-to-spoke active).  I am very surprised that this question does not come up more often.

    Here is my configuration:

    Each head-end has its own ISP.

    Each remote site has a single router connected to 2 ISPs (interface1 and interface2).

    Each hub public IP is statically routed (/32) through a single interface.

    The default route is floating, based on an IP SLA monitoring mechanism.

    Note the following image (showing the static host routes and defaults).

    With both default routes set to the interface facing DMVPN-X, spoke-to-spoke on DMVPN-X works fine.  But what about spoke-to-spoke on DMVPN-Y?  It gets broken in the following way:

    At Site A, my TunnelY interface is sourced from 10.2.0.2.  After it resolves Site B's public IP (10.4.0.2) via NHRP, it tries to form a spoke-to-spoke tunnel.  But how does it get to 10.4.0.2?  It uses its default route out the 10.1.0.2 interface with source address 10.2.0.2.    A few things can happen:

    (1) The ISP blocks the bad source completely, either explicitly or through uRPF.

    (2) The spoke-to-spoke tunnel comes up, but asymmetric routing occurs (this is rare).

    (3) The ISP NATs all sources to itself (Comcast SMC gateways do this); in the example above, you see crypto packets from 10.1.0.1 arriving at 10.4.0.2!  Imagine the confusion caused.

    In most cases, ISAKMP is hosed.  Even if the tunnel comes up, I don't want asymmetric shaping with all the bandwidth on a single interface - I like to actively use both ISP connections.

    So... how to handle this?  I predicted it, but I thought that the NHRP/DMVPN mechanism would deal with this situation; that is, if I hear a spoke via TunnelY and TunnelY is sourced on interface2, it would naturally send packets out interface2.  Alas, this isn't the case.

    Here are some ways I thought of to solve it:

    (1) Because my endpoints are not dynamic, I could statically host-route all spoke Ys out all the interface2s, and all the Xs out the interface1s (with 30 sites it's so ugly that I hesitate to even include it).

    (2) A route-map on each external interface matching against the source address.  If interface1 sees an interface2 source, set next-hop to interface2.  The same on interface2 - if it sees a source corresponding to interface1's IP address, set next-hop to interface1.  It is repeatable, but looks a bit ugly as well.

    (3) Post on the Cisco forums and see what the consensus is.

    Thanks much in advance.  Here are my spoke site configs if you need them:

    Example using site A above:

    (using PKI for ISAKMP)

    interface TunnelX
     bandwidth 10000
     ip address 192.168.X.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redacted]
     ip nhrp map multicast 1.1.1.1
     ip nhrp map 192.168.X.1 1.1.1.1
     ip nhrp network-id X
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.X.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    interface TunnelY
     bandwidth 10000
     ip address 192.168.Y.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redacted]
     ip nhrp map multicast 2.2.2.2
     ip nhrp map 192.168.Y.1 2.2.2.2
     ip nhrp network-id Y
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.Y.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/2
     tunnel mode gre multipoint
     tunnel key Y
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    ip route 1.1.1.1 255.255.255.255 10.1.0.1

    ip route 2.2.2.2 255.255.255.255 10.2.0.1

    ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 1

    ip route 0.0.0.0 0.0.0.0 10.2.0.1 250 (for failover if track 1 goes down)

    This is usually resolved by separating the ISPs into front-door VRFs (keeping the global VRF inside if you choose to), allowing both tracks.

    It's late (almost 1:00) but I think tunnel route-via could potentially work too.

  • Intermittent DMVPN state changes

    We run a dual hub DMVPN hub-and-spoke configuration using ASR routers for the hubs and 2811 routers for the spokes.  We have recently passed 3000 remote sites and discovered a problem which we are struggling with.  On some spoke routers (we don't know for sure how many), we see that show dmvpn sometimes reports IKE or NHRP for one of the hub peers (see below)

    Ro1-13349#sho dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel1, IPv4 NHRP Details
    IPv4 Registration Timer: 30 seconds

    IPv4 NHS: 10.1.0.1 RE
    Type:Spoke, Total NBMA Peers (v4/v6): 1

    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1 A.B.C.D         10.1.0.1           UP    6d14h     S       10.1.0.1/32

    Interface: Tunnel2, IPv4 NHRP Details
    IPv4 Registration Timer: 30 seconds

    IPv4 NHS: 10.2.0.1 E
    Type:Spoke, Total NBMA Peers (v4/v6): 1

    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1 A.B.C.D         10.2.0.1          IKE     3w6d     S       10.2.0.1/32

    The state flips between IKE, NHRP and UP.  We captured the data from our 3000+ connections 3 times and saw about 15 to 20 on each data capture, with 1 location that was on every list.

    Is there any extra logging that can help determine the cause?  We have recently added dmvpn logging on 32 branches and the typical message we see is as follows

    Apr 4 10:34:29.619 CDT: %DMVPN-5-NHRP_NHS: Tunnel2 10.2.0.1 is DOWN
    Apr 4 10:35:53.048 CDT: %DMVPN-3-NHRP_ERROR: Registration Request failed for 10.2.0.1 on Tunnel2

    In some cases, we get the following

    Apr 4 14:28:40.558 CDT: %DMVPN-7-CRYPTO_SS: Tunnel2-A.B.C.D socket is BROKEN

    Clearing crypto sessions or a continuous ping on the tunnel rarely solves the problem, and the problem returns.  We use a mixture of pre-shared key and CA crypto authentication.  We use IOS version 12.4(24)T1 because of other issues.

    Please provide any ideas you may have on this type of problem.  I'll add more as we discover more information and have relevant data to add.

    ERP,

    I'm afraid my expertise lies in troubleshooting rather than monitoring.

    Is SNMP an option? (I don't think there's much targeted at DMVPN)

    I was thinking of something like this:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_dmvpn_tun_mon.html#wp1055877

    (although I'm not sure how well the ASR supports this)

    Regarding conditional debugging and debugging in general.

    There is one debug you can generally enable, "debug crypto isa err", which displays only the parts of the IKE negotiation that error, without risk.

    For conditional debugging, we can narrow down to a particular peer, VRF, interface or even particular connections - this however would require that we already know if/which specific spokes are affected more than others.

    PINGER#debug nhrp condition ?
      interface  based on the interface
      peer       based on the peer
      vrf        based on the vrf

    and

    PINGER#debug crypto condi ?
      connid     IKE/IPsec connection-id filter
      fvrf       Front-door VRF filter
      isakmp     Isakmp profile filter
      ivrf       Inside VRF filter
      local      IKE local address filter
      peer       IKE peer filter
      reset      Delete all debug filters and turn off conditional debug
      spi        SPI (Security Policy Index) filter
      unmatched  Output debugs even if no context available
      username   Xauth or Pki-aaa username filter

    I mostly rely on "debug crypto condition peer ipv4".

    Marcin

  • DMVPN PPPoE MTU

    Hello

    I have a problem with all the PPPoE spokes on my DMVPN network. The problem is the stability of the DMVPN tunnel. With all the PPPoE spokes I have a problem.

    When I do a ping from the spoke to the hub like this:

    ping [hub dest IP] source [local tunnel IP], I have only 50% success.

    In the spoke log I have this message:

    %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor X.X.X.X (Tunnel2) is down: Peer Termination received

    I'm sure it has to do with the MTU setting. Only on int Tunnel2 on the spoke did I try to play with ip mtu and ip tcp adjust-mss, without success.

    But is it normal that if on int Dialer1 I set the mtu to 1492 and I do a sh int Dialer1, the MTU is 1500?

    I don't know what the right recipe is in this case, when I have several PPPoE spokes but not all of them, with the hub. Do I have to create another DMVPN just for the PPPoE spokes? If yes, what parameters do I need for PPPoE with DMVPN? Do I have to adjust the MTU on the tunnel interface? At both ends, hub and spoke? Etc...

    Because if I use GRE with VPN to a remote site where PPPoE is installed, I don't have a problem anymore. For simplicity of configuration and maintenance, I prefer to use DMVPN for sure. So, if it is possible to set it up, it would be nice.

    Thank you

    The MTU must be set on the tunnel interface for the hubs and the spokes.

    If you want to save bytes, you can even use transport mode instead of tunnel mode.

    Thank you

    PS: Please don't forget to rate and mark as a good answer if this solves your problem
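    As an added example (not from the thread), here is the MTU arithmetic behind the reply and the matching settings for a PPPoE spoke; the hub's tunnel gets the same `ip mtu` and `ip tcp adjust-mss`. AES-256-CBC with HMAC-SHA-256 in transport mode and the interface names are assumptions.

```cisco
! Budget on a PPPoE uplink (assumed AES-256-CBC / HMAC-SHA-256, GRE with key):
!   PPPoE link MTU                                 1492
!   - outer IP header (GRE delivery)               - 20
!   - GRE header + 4-byte key                      -  8
!   - ESP: SPI+seq 8, IV 16, pad <=15 +2, ICV 16   - 57 (worst case)
!   = largest inner packet that fits unfragmented  1407  -> ip mtu 1400
! Tunnel mode would add another 20-byte IP header and drop this to 1387,
! below the 1400 that DMVPN configs conventionally use: hence transport mode.
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport                      ! no second IP header inside ESP
!
crypto ipsec profile DMVPN_IPSEC     ! ISAKMP profile / keys configured elsewhere
 set transform-set AES256-SHA256
!
interface Dialer1
 ip mtu 1492                         ! PPPoE: 1500 minus 6 bytes PPPoE and 2 bytes PPP
 ip tcp adjust-mss 1452              ! LAN->Internet TCP that is not tunnelled: 1492 - 40
 ! (encapsulation ppp, dialer pool, authentication unchanged)
!
interface Tunnel2
 ip mtu 1400                         ! same value on the hub's tunnel
 ip tcp adjust-mss 1360              ! 1400 - 20 IP - 20 TCP, also on the hub
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_IPSEC
```

    `show interfaces Dialer1` reports the layer-2 MTU (1500); the value set with `ip mtu` is shown by `show ip interface Dialer1`, which is why the 1492 did not appear where the poster looked. The budget also shows why the reply's two points belong together: with tunnel mode the extra 20-byte header leaves less than 1400 bytes, and large EIGRP update packets that exceed the real path MTU get fragmented or dropped, one cause of the neighbour flaps seen in the log.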
