DMVPN/GETVPN dual spoke router design
All,
I'm developing a new VPN design: a DMVPN cloud with dual hub routers at the main site, a single hub router at the backup site, and dual spoke routers at the Directorate General/remote sites.
This is all over Internet transport, with a GETVPN overlay for encryption.
Does anybody have experience building DMVPN designs with dual spoke routers, and how did you go about it? HSRP on the outside or inside interface, relying on the routing protocol only, etc...
Thanks in advance!
Hi Steve,
Using BGP will complicate things a bit.
This is because you must announce the HSRP IP (used as the GRE source) to both of your ISPs. That is, you need to own that IP.
If this is not possible, you can use the dual hub - dual DMVPN layout (part of the DMVPN link I attached previously).
This will require a WILL by the router and routing to use routing protocol.
HSRP can still be used on the inside interface, tracking the GRE tunnel status.
Doesn't of traffic must be translated as possible via GRE tunnels.
Please rate if this helped.
Kind regards
Daniel
Tags: Cisco Security
Similar Questions
-
Dual-Cloud DMVPN Spoke Router Configuration
I have decided to adopt a dual-cloud DMVPN architecture (1 headend at the main office, 1 headend at the DR site) with the option later to go to dual hubs at each of my headend locations.
I tried to configure each of the clouds to have its own key.
Cloud 1, hub 1:
crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth
Cloud 2, hub 1:
crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth
Of course, the spokes I want to connect to the two clouds would not allow me to use the same simple crypto isakmp key command twice.
Several of my sites will have 2 internet connections. Given that I source a tunnel each of these Internet connections, I came up with the following solution:
Spoke 1:
crypto keyring X-RING
 local-address Gig0/1 (internet connection interface 1)
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123
crypto keyring Y-RING
 local-address Gig0/2 (internet connection interface 2)
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456
crypto isakmp profile DMVPN_ISAKMP_X
 keyring X-RING
 match identity address 0.0.0.0
 local-address Gig0/1
crypto isakmp profile DMVPN_ISAKMP_Y
 keyring Y-RING
 match identity address 0.0.0.0
 local-address Gig0/2
OK... to the question... the first site I tried to connect to the two DMVPN clouds has only 1 internet connection!
Without changing both my DMVPN clouds to the same key (almost all of the examples have this), how can I make sure that spoke-to-spoke tunnels work?
Is there anything else I can match on, or create in each spoke and hub config?
I tried:
- match identity group, but couldn't figure out how to set a group name on each of the spokes, or on the hub either. Also, wouldn't no-xauth prevent it from being considered?
- matching on fqdn does not seem to work either.
- vrf is not an option - not applicable
- telesignalisations behind the ip address do not appear to be an option and seem to complicate the issue too.
Thank you very much in advance!
There is something special with PKI when seen DMVPN. PKI or pre-shared keys is just how ISAKMP authenticates the session, and there is no difference between DMVPN and site-to-site.
Basically, you'd have to do these things:
- Create a CA. A basic one can be created on one of your routers.
- Create the trustpoint on each DMVPN hub and spoke.
- Change the authentication type in the ISAKMP profile from pre-shared key to rsa-sig.
You can certainly have more than one trustpoint, one for each cloud, but I highly doubt that it is necessary for the public key infrastructure.
Maybe this doc will be a little help, even if it has too much info:
http://www.Cisco.com/en/us/docs/solutions/enterprise/security/DCertPKI.html
If you need, I can bring up a full site-to-site example with PKI auth.
-
Hello
In fact I am in the situation described below and I am confused about which VPN topology to design and implement: should I choose DMVPN, GETVPN or DVTI?
I have 4 branches and 1 main site. The branches have 2 connections to HQ, one via the Internet and the other through MPLS, so I want to have failover across the links and also a secure two-way tunnel.
Best regards
John Mayer
GETVPN is not supposed to be used on the internet. So this isn't the solution.
With this small number of sites I would set up static VTIs on MPLS and use DVTIs on the internet if the branches have dynamic IPs. If the branches also have static IPs, I would configure those links with static VTIs as well.
DMVPN could also be used in this scenario, but the protocol overhead is not necessary in this small scale scenario.
-
DMVPN question with dual ISP links at the branch end
I have a setup (see drawing) where I have dual ISP links at the branch end, one over wireless and the other over 3G.
Wireless should always be the main path when it works (it's a kind of ship when it is in port).
If I use OSPF, the failover works fine, but as soon as I enable IPsec on the tunnel, it switches over only once and will not switch back to the primary link again without restarting the router, and then it works for one failover again.
I also use tracking, because no interface goes down.
Does anyone have a working configuration where e.g. at the headend (normal installation) there are dual ISP links on the same router, or of course the same as mine?
I'm ready to use any kind of protocol so that it can work: RIPv2 (preferred), EIGRP, OSPF, tracking, IP SLA.
Who is 80.198.195.138?
The hub peer address is 80.1.1.1, so can you ping this address when the main link is down?
It also seems that you have the IPsec tunnel for Tunnel 0 UP, but not Tunnel 0 and Tunnel 1 at the same time. Make sure you have the shared keyword on the hub router, given that you use the same source IP address for the two IPsec tunnels.
This message means the IKE database between two routers is out of sync, but should recover on its own.
HTH
Laurent.
-
FlexVPN spoke-to-spoke routing override loop
I have a spoke router that has a route to the inside network 192.168.1.0 255.255.255.0 with next hop 10.1.1.1 (10.1.1.0/29 is the transfer network):
ip route 192.168.1.0 255.255.255.0 10.1.1.1
After activating FlexVPN the route gets overridden, and the route for 192.168.1.0 255.255.255.0 points to tunnel0 on the spoke router. I lose the right path, and I get a loop to the center for 192.168.1.0.
How can I make the spoke router ignore this route from the center?
One way would be to increase the distance of the routes from the hub.
http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/security/M1/sec-M1-CR-b...
-
DMVPN Tunnel and EIGRP routing problem
I have redundant paths to a remote 2811 router on my network of sites. The first link is a T1 frame relay connection that has been in place for years, and the new link is a 54 Mbps fixed wireless link that was recently created.
I'm running EIGRP process 100 as my routing protocol for the two links.
I installed a DMVPN tunnel between the remote 2811 and a 2851 router at my host site. The tunnel interface shows up and up on both sides and I can ping the remote tunnel IP from my host-side network.
However, my EIGRP routes are not propagated over this new tunnel link, and if I run show ip eigrp neighbor on each router I see only the neighbor for the frame relay link and not the new wireless link.
What am I missing here?
A show interface tunnel0 shows the following:
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.x.x.x/24
  MTU 1514 bytes, BW 54000 Kbps, DLY 10000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.x.x.x (FastEthernet0/1), destination 10.x.x.x
  Tunnel protocol/transport GRE/IP
    Key 0x186A0, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "CiscoCP_Profile1")
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 947
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bps, 0 packets/s
  5 minute output rate 0 bps, 0 packets/s
     880 packets input, 63000 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     910 packets output, 81315 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Please go ahead and add a static route on the hub, so it goes through the wireless link, and let me know if everything works correctly.
Federico.
-
Double trouble: email design and reCAPTCHA
Hello
Usually I can do whatever I need in Muse, but now I have reached a point where I don't know what to do. I have two problems, and both are connected with the Muse email forms.
(1) The design of the email I receive from my form.
I found templates for the automatic notification emails that the sender of the form receives after submitting the form, and I've been able to redesign the template. Now I want to redesign the email I receive from the form. So far, I still get the preset Business Catalyst email, two gray stripes with the contents of the form in between. Given that I am building the site for a client and don't want them to read the Business Catalyst "ads" in the mail, I would like to be able to redesign this email in the same style as I did with the autoresponder. Where can I do this?
(2) Since I redesigned my autoresponder, reCAPTCHA stopped working. When I used the form "as is" with the preformatted email templates from Adobe, reCAPTCHA worked fine. Now, with the autoresponder template changed, I get a reCAPTCHA error message whenever I try to send the form. I switched to the BC Captcha and everything works fine, but I really want to use reCAPTCHA.
The funnier thing is: when I submit, reCAPTCHA disappears from the page itself, and I get redirected to my autoresponder email template, where the Captcha error message is displayed instead of the text of the form. I already tried reloading reCAPTCHA, the entire page, even quitting and restarting my browser. As soon as I change the autoresponder template, reCAPTCHA does not work anymore.
Any help and ideas would be greatly appreciated!
Hello
To answer your questions:
1. You can change the email you receive when someone submits the form on your site from Site Manager > email system > notification of workflow.
2. Changing the autoresponder should not affect reCAPTCHA, unless you changed something in the code for the form. BC also has its own captcha option for forms. You can use it too.
Kind regards
Aish
-
DMVPN spoke-to-spoke tunnel routing via hub
I have a DMVPN network with several linked sites and everything works fine, with one exception. Two sites (which can connect spoke-to-spoke perfectly well to all other spoke routers in the network) cannot connect directly and route the traffic through the hub. In the routing tables (EIGRP) you can see the routes are properly being announced, however show ip nhrp indicates the following
Router 1 (spoke router initiating the connection)
10.31.248.246/32 via 10.31.248.246, Tunnel10 created 00:00:25, expire 00:09:34
  Type: dynamic, Flags: router implicit
  NBMA address: *address of Router 2*
  (no-socket)
Router 2 (recipient spoke router)
10.31.248.244/32 via 10.31.248.244, Tunnel10 created 00:01:53, expire 00:01:12
  Type: dynamic, Flags: temporary
  NBMA address: *address of our DMVPN server router*
Any help to fix this would be extremely appreciated because the two offices are in Asia and our server router is in the United States, which means a round-trip time that should be approximately 50 ms between those offices is actually taking more than 400 ms.
Hello
What happens is that ROUTER1 has already resolved ROUTER2 correctly via NHRP, but for some reason cannot establish IPsec to send an NHRP response to Router 2.
Can you check if ISAKMP/IPsec between these two routers trying to establish when you ping from one side to the other? My guess is you'll see MM_NO_STATE ;-)
M.
-
DMVPN spoke with a dynamic IP address
A DMVPN hub-and-spoke scenario. The hub is at corporate HQ while the spokes are Internet-based only. Any idea how I could establish the peering relationship if the spokes are assigned dynamic IP addresses? Should it be learned via NHRP?
I wonder about the Zero Touch Deployment (ZTD) point in the documentation for the spokes...
Hello Gerard,
While the HUB should have a static IP address, the spoke may have a dynamic IP; this isn't a problem.
The hub is called an NHS (next hop server). Basically, when the spoke brings up the tunnel, it registers with the NHS via NHRP, so the hub will have a dynamic mapping of the spokes' private IPs to their public IPs.
The only thing is that you must manually set the IP address of the NHS on the spokes so that they can register.
Hope this helps.
-
Hello
I run a dual-hub DMVPN solution. I use EIGRP as the routing protocol between the hub and the spokes.
I know that GRE is a pain most of the time, but we have to live with that. Although I had spoke EIGRP neighbors stable for 8-9 weeks and others dropping every few weeks, 2 days ago I realized all EIGRP neighbors dropped simultaneously on both hubs.
On each spoke, I run a common phase 1 for the VPN, but a different phase 2; people who know DMVPN well know what I mean.
The hubs are located in different areas and it was not a bandwidth issue affecting the two hubs at the same time. It's really something with the protocols that DMVPN uses, or EIGRP.
I saw DMVPN drops I saw only the EIGRP neighborship drop for all spokes on both hubs at the same time. Any suggestions why EIGRP failed?
It could be something with NHRP or an IOS bug;
IOS c800-universalk9-mz.spa.153-3.m.bin
Please don't ask me about basic troubleshooting, connectivity or timers. I'm looking for an advanced suggestion; I have solved many DMVPN problems which even Cisco could not find.
I am looking forward to good suggestion and thank you for taking the time to consider the issue.
Kind regards
Spyros
Hello
«Do not forget that it is a spoke-to-spoke design. Spoke-to-spoke communication goes straight across. DMVPN creates a dynamic tunnel between them and does not send the traffic via the HUB.»
I think I disagree with you here cordially with these instructions next hop and split horizon of eigrp on shelves
The spokes do in fact set up tunnels between them; however, my understanding is that the spoke first needs to query the NHRP server's cache for the 'inside' IP address of the spoke it wants to connect to, to check the reachability of the tunnel address - I can't see or understand now why this requirement is also necessary on the spokes.
When you say the EIGRP adjacencies dropped at the same time - we are still not sure whether this is due to some partial failure that has yet to be found, but I think for any failover between hubs to work in EIGRP they must have feasible successors, so do these show up in the topology tables? Maybe you had a situation where the two hubs went into SIA state and dropped?
One last thing: for a DMVPN mesh (spoke-to-spoke), isn't PKI necessary rather than pre-shared keys? And you say Cisco said the IOS is buggy with IPsec/GRE; what do they suggest doing? As in your last post, you say that you sorted it.
RES
Paul
Sent from Cisco Technical Support iPad App
-
Hello together,
I have a DMVPN with a dual-hub and OSPF configuration.
I had one spoke and have now added another spoke, but I don't want the two spokes to open a tunnel between them; I want all traffic to pass through the hub.
With "tunnel mode gre ip" on a spoke, the spoke does nothing, and I no longer see the 2 hubs as OSPF neighbors. The hubs are configured as follows:
interface Tunnel0
 bandwidth 100000
 ip address 172.16.5.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile profile
end
and the spokes:
interface Tunnel0
 description VPN
 bandwidth 1000
 ip address 172.16.5.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat outside
 ip nhrp authentication test
 ! x.x.x.1 and x.x.x.2 are the official IPs of the hubs
 ip nhrp map multicast x.x.x.1
 ip nhrp map 172.16.5.1 x.x.x.1
 ip nhrp map multicast x.x.x.2
 ip nhrp map 172.16.5.2 x.x.x.2
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.5.1
 ip nhrp nhs 172.16.5.2
 ip virtual-reassembly in
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf cost 5000
 delay 1000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile profile
I saw routes from one spoke to the other spoke, so I made a route-map filtering those routes in the routing table. It now takes the default route via the hub and not the spoke, but they still try to open a tunnel between them, which is blocked by the incoming ACL. So traffic flows as it should, but I don't want the spokes always trying to open a tunnel; they shouldn't. I just want DMVPN phase 1.
Please try 'ip ospf network point-to-multipoint' on all routers of the star topology.
In addition, it would be useful if you could post the IPsec part of the config (minus any security-sensitive info).
Good luck with your configuration.
-
I have a phase 2 DMVPN network with about 40 spoke routers and dual hub routers. 90% of this works very well. However, I have 3 or 4 of the spoke routers that are unable to communicate with each other directly (traffic goes via the hub router between these specific sites), but they are able to communicate directly with the other 35 or more routers. I think it's an NHRP issue, because when I run show ip nhrp detail on one of these 4 routers, the 3 other routers show a (no-socket) entry. I am 'sometimes' able to clear that with clear ip nhrp. Whenever the (no-socket) entry is there, spoke-to-spoke communication does not work. Any help would be greatly appreciated.
Have you checked this bug, CSCsw18019?
Spoke-to-spoke communication passing via the hub if NHRP cache authors.
-
DMVPN dual-cloud source address problem
Greetings,
I run a single-hub dual-cloud DMVPN operating in phase 2 (spoke-to-spoke enabled). I am very surprised that this question does not come up more often.
Here is my configuration:
Each station has its own ISP.
Each remote site has a single router connected to 2 ISPs (interface1 and interface2).
Each headend public IP is statically routed (/32) through a single interface.
The default route is floating, based on an IP SLA monitoring mechanism.
Note the following image (showing the static host routes and the default).
With both default routes pointing out the interface that serves DMVPN-X, spoke-to-spoke on DMVPN-X works well. But what about spoke-to-spoke on the other DMVPN? It breaks in the following way:
At Site A, my TunnelY interface is sourced from 10.2.0.2. After it resolves Site B's public IP (10.4.0.2) via NHRP, it tries to form a spoke-to-spoke tunnel. But how does it get to 10.4.0.2? It uses its default route out the 10.1.0.2 interface with source address 10.2.0.2. A few things can happen:
(1) The ISP blocks the bad sources completely, either explicitly or through uRPF.
(2) The spoke-to-spoke tunnel comes up, but asymmetric routing is performed (this is rare).
(3) The ISP NATs all sources to itself (Comcast SMC gateways do this). In the example above, you see crypto packets from 10.1.0.1 arriving at 10.4.0.2! Imagine the confusion caused.
In most cases, ISAKMP is hosed. Even if the tunnel comes up, I don't want asymmetric routing with all the bandwidth on a single interface - I like to actively use both ISP connections.
So... how to handle this? I anticipated it, but I thought that the NHRP/DMVPN mechanism would deal with this situation, i.e. if I hear about a spoke via TunnelY and TunnelY is sourced from interface2, it would naturally send packets out interface2. Alas, this isn't the case.
Here are some ways that I thought of to solve it:
(1) Because my endpoints are not dynamic, I could statically host-route all Y spokes out all the interface2s and all the X spokes out the interface1s. (With 30 sites, that's so ugly that I hesitate to even include it.)
(2) Route-map on each external interface and match against the source address. If interface1 sees an interface2 source, set next-hop to interface2. The same thing on interface2 - if it sees a source corresponding to the IP address of interface1, set next-hop to interface1. It is repeatable, but looks a bit ugly as well.
(3) Post on the Cisco forums and see what the consensus is.
Thank you very much in advance. Here are my spoke site configs if you need them:
Example using Site A above:
(using PKI for ISAKMP)
interface TunnelX
 bandwidth 10000
 ip address 192.168.X.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication [redact]
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 192.168.X.1 1.1.1.1
 ip nhrp network-id X
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.X.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile DMVPN_IPSEC
!
interface TunnelY
 bandwidth 10000
 ip address 192.168.Y.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication [redact]
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 192.168.Y.1 2.2.2.2
 ip nhrp network-id Y
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.Y.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key Y
 tunnel protection ipsec profile DMVPN_IPSEC
!
ip route 1.1.1.1 255.255.255.255 10.1.0.1
ip route 2.2.2.2 255.255.255.255 10.2.0.1
ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.0.1 250 (for failover if track 1 goes down)
This is usually resolved by separating the ISPs into front-door VRFs (keeping the inside in the global VRF if you choose to), allowing both titled tracks.
It's late (almost 1:00) but I think that tunnel route-via could potentially work too.
-
Intermittent DMVPN state changes
We run a dual-hub DMVPN hub-and-spoke configuration using ASR routers for the hubs and 2811 routers for the spokes. We recently passed 3000 remote sites and discovered a problem that we are struggling with. On some spoke routers (we don't know for sure how many), we see that show dmvpn in some cases reports a state of IKE or NHRP with one of the hub peers (see below)
Ro1-13349#sho dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
IPv4 Registration Timer: 30 seconds
IPv4 NHS: 10.1.0.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         A.B.C.D        10.1.0.1    UP    6d14h     S       10.1.0.1/32
Interface: Tunnel2, IPv4 NHRP Details
IPv4 Registration Timer: 30 seconds
IPv4 NHS: 10.2.0.1 E
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         A.B.C.D        10.2.0.1   IKE     3w6d     S       10.2.0.1/32
The state moves between IKE, NHRP and UP. We captured the data from our 3000 connections 3+ times and we saw about 15 to 20 on each capture, with 1 location that was on every list.
Is there any extra logging that can help determine the cause? We have recently added dmvpn logging on 32 branches and the typical message we see is as follows
Apr 4 10:34:29.619 CDT: %DMVPN-5-NHRP_NHS: Tunnel2 10.2.0.1 is DOWN
Apr 4 10:35:53.048 CDT: %DMVPN-3-NHRP_ERROR: registration failed for on Tunnel2 10.2.0.1
In some cases, we get the following
Apr 4 14:28:40.558 CDT: %DMVPN-7-CRYPTO_SS: Tunnel2 - A.B.C.D socket is BROKEN
Clearing crypto sessions or bouncing the tunnel has rarely solved the problem. If it does, the problem returns. We use a mixture of pre-shared key and CA cryptographic authentication. We use IOS version 12.4(24)T1 because of other issues.
Please provide any ideas that you may have on this type of problem. I'll add more as we discover more information and have relevant data to add.
ERP,
I'm afraid that my expertise lies in troubleshooting rather than monitoring.
Is SNMP an option? (I don't think there's much targeted at DMVPN.)
I thought of something similar to this:
(although I'm not sure how well the ASR supports this)
Regarding conditional debugging and debugging in general.
There is a debug you can generally enable, "debug crypto isa err", which displays only the error parts of the IKE negotiation, without risk.
For conditional debugging, we can narrow it down to a particular peer, VRF, interface or even particular connections - this however would require that we already know if/which specific spokes are affected more than others.
PINGER#debug nhrp condition ?
  interface  based on the interface
  peer       based on the peer
  vrf        based on the vrf
and
PINGER#debug crypto condi ?
  connid     IKE/IPsec connection-id filter
  fvrf       Front-door VRF filter
  isakmp     Isakmp profile filter
  ivrf       Inside VRF filter
  local      IKE local address filter
  peer       IKE peer filter
  reset      Delete all debug filters and turn off conditional debug
  spi        SPI (Security Policy Index) filter
  unmatched  Output debugs even if no context available
  username   Xauth or Pki-aaa username filter
I mainly rely on "debug crypto condition peer ipv4".
Marcin
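The recurring-site tally described in the question above (which spokes show up in every capture, and whether they fail at the NHRP or the crypto layer, so that conditional debugging can be scoped to them), as an added Python example that is not part of the original thread. The collector line layout (hostname first), the spoke names and all sample lines are constructed; only the three DMVPN message mnemonics are taken from the post.

```python
import re
from collections import defaultdict

# Cisco IOS syslog layout: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%\s*DMVPN-\d-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$")
TUNNEL_RE = re.compile(r"\b(Tunnel\d+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DAY_RE = re.compile(r"\b([A-Z][a-z]{2})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}")

# Which layer each mnemonic from the post points at.
LAYER = {"NHRP_NHS": "nhrp", "NHRP_ERROR": "nhrp", "CRYPTO_SS": "crypto"}

# Constructed sample. Assumed layout: "<spoke hostname> <IOS timestamp> <message>".
SAMPLE = """\
spoke-0007 Apr  4 10:34:29.619 CDT: %DMVPN-5-NHRP_NHS: Tunnel2 10.2.0.1 is DOWN
spoke-0007 Apr  4 10:35:53.048 CDT: %DMVPN-3-NHRP_ERROR: Registration failed for 10.2.0.1 on Tunnel2
spoke-0412 Apr  4 11:02:10.101 CDT: %DMVPN-5-NHRP_NHS: Tunnel1 10.1.0.1 is DOWN
spoke-0412 Apr  4 11:02:40.332 CDT: %DMVPN-5-NHRP_NHS: Tunnel1 10.1.0.1 is UP
spoke-0007 Apr  5 14:28:40.558 CDT: %DMVPN-7-CRYPTO_SS: Tunnel2-198.51.100.10 socket is BROKEN
spoke-1290 Apr  5 09:12:03.004 CDT: %DMVPN-7-CRYPTO_SS: Tunnel2-198.51.100.10 socket is BROKEN
spoke-1290 Apr  5 09:13:00.000 CDT: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.0.1 (Tunnel2) is down
spoke-0007 Apr  6 08:00:11.900 CDT: %DMVPN-5-NHRP_NHS: Tunnel2 10.2.0.1 is DOWN
spoke-1290 Apr  6 08:14:52.310 CDT: %DMVPN-7-CRYPTO_SS: Tunnel2-198.51.100.10 socket is BROKEN
"""


def parse_line(line):
    """Return one failure event as a dict, or None for lines to ignore."""
    m = MSG_RE.search(line)
    if not m or m["mnemonic"] not in LAYER:
        return None  # not one of the DMVPN messages we track
    text = m["text"].strip()
    if text.upper().endswith(" UP"):
        return None  # recovery message, not a failure
    day = DAY_RE.search(line)
    tunnel = TUNNEL_RE.search(text)
    peer = IP_RE.search(text)
    return {
        "host": line.split(None, 1)[0],
        "day": f"{day[1]} {int(day[2])}" if day else "unknown",
        "layer": LAYER[m["mnemonic"]],
        "tunnel": tunnel[1] if tunnel else None,
        "peer": peer[1] if peer else None,
    }


def triage(lines):
    """Group failure events per spoke: days seen, layers hit, targets, count."""
    report = defaultdict(
        lambda: {"days": set(), "layers": set(), "targets": set(), "events": 0}
    )
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        entry = report[event["host"]]
        entry["days"].add(event["day"])
        entry["layers"].add(event["layer"])
        entry["targets"].add((event["tunnel"], event["peer"]))
        entry["events"] += 1
    return dict(report)


def persistent_spokes(report):
    """Spokes with a failure in every capture day present in the data."""
    if not report:
        return []
    all_days = set().union(*(e["days"] for e in report.values()))
    return sorted(h for h, e in report.items() if e["days"] == all_days)


if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    for host in persistent_spokes(result):
        entry = result[host]
        print(host, sorted(entry["layers"]), sorted(entry["targets"]), entry["events"])
```

A spoke that fails only at the crypto layer is a candidate for the `debug crypto condition` filters shown above, while one that fails at the NHRP layer is a candidate for `debug nhrp condition`.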
-
Hello
I have a problem with all the PPPoE links on my network with DMVPN spokes. The problem is the stability of the DMVPN tunnel. I have the problem on all the spokes with PPPoE.
When I do a ping from the spoke to the hub like this:
ping [dest IP Hub] source [local IP tunnel]
I have only 50% success.
In the spoke log I have this message:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor X.X.X.X (Tunnel2) is down: Peer Termination received
I'm sure it has to do with the MTU setting. On int tunnel 2 on the spoke only, I tried playing with ip mtu and ip tcp adjust-mss. Without success.
But is it normal that on int dialer1 I set the mtu to 1492, and when I do a sh int Dialer 1 the MTU is 1500?
I don't know what the right recipe is in this case, when I have several PPPoE spokes, but not all, with the hub. Do I have to create another DMVPN just for the PPPoE spokes? If yes, what parameters do I need to set for PPPoE with DMVPN? Do I have to adjust the MTU on the tunnel interface? In which place, hub and spoke? Etc...
Because if I use GRE with VPN to a remote site where PPPoE is installed, I no longer have a problem. For config and maintenance simplicity, I would definitely prefer to use DMVPN. So, if it is possible to set it up, that would be nice.
Thank you
MTU must be set on the tunnel interface for the hubs and spokes.
If you want to save bits, you can even use transport mode instead of tunnel mode.
Thank you
PS: Please do not forget to rate and score as good response if this solves your problem