DMVPN Phase II flow by HUB

Hello!
I have a questions about the phase II of DMVPN.
-Why the first packets between the spokes will be flow through hub? How can I influence the quantity of this package, or at the time of this kind of flow direction?
-It is mandatory to use no next hop eigrp is itself and no ip split horizon on Hub only, or the rays also?

Thank you!

It is not a three minutes, but up to three minutes if no IPSec tunnel don't talk-to-spoke cannot be established. Once the resolution PNDH finished, which is usually after only a few packets, the traffic is routed normally, and not by the hub. If the tunnel can be established for a reason, everything continues to go through the hub. All this is done for if ensure that there is no loss of connectivity in the initial installation or because of access problems speaking.

In regards to the cache does not not not in the Center, my guess would be that this is done to ensure that connectivity is always to the rays before providing information that make authorities to the other nodes in the network, but it's speculation.

Tags: Cisco Security

Similar Questions

  • DMVPN Phases

    I'm a little confused now, because I realized that I can't understand DMVPN phases.

    Can someone explain to me - what is the difference between Full-Terminal and Hub-and-Spoke network.

    (1) network hub-and-Spoke - all traffic DMVPN through HUB. is it not? and the difference between dynamic and static VPN is that IPSec tunnels are only created when necessary?

    (2) network terminal full - rays ask for the PNDH table hub and establish direct tunnels (traffic passes of talk of talks about his)?

    When this information is correct, so where can I find a guide to configuring DMVPN in mesh network full?

    I found this guide http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml , but it seems to me, this is example of Hub-and-Spoke!

    I thank very you much in advance!

    Hi Dimitri.

    Question 1:

    All traffic passes through HUB - OK

    The tunnels are only created when needed between rays - correct

    Question 2:

    Fix

    http://Cisco.com/en/us/Tech/tk583/TK372/technologies_white_paper09186a008018983e.shtml

    Please take a look at the link given above.

    Excerpt from the link above

    "PNDH offers the opportunity for the spoke routers learn dynamically outside physical interface other routers address talk network VPN." This means that a router speaks will be enough information to dynamically build an IPsec + tunnel love directly to the other spoke routers.

    The dynamic IP routing protocol running on the hub router can be configured to reflect the routes registered by one spoke back on the same interface for all other rays, but the leap following IP on these roads will usually be the hub router, not the router speaks where the hub has learned this route.

    The dynamic routing protocols (RIP, OSPF and EIGRP) need to be configured on the hub router to announce routes back to the love tunnel interface and define the next IP for the router hop speaks originating for the routes registered by one spoke when the road is called back to the other rays.

    Here are the requirements for Protocol routing configurations.

    RIP

    You should disable split horizon on the interface of tunnel love on the hub, otherwise, RIP will be registered through the love interface routes not regularize this same interface.

    No cutting of the ip horizon

    No other changes are needed. RIP will automatically use the original next IP Hop on the roads it advertises back on the same interface where she learned these routes.

    EIGRP

    You should disable split horizon on the interface of tunnel love on the hub, otherwise, EIGRP will broadcast routes recorded via the interface love not regularize this same interface.

    no ip split horizon eigrp

    By default, EIGRP will set the next hop IP for the router to hub for roads is advertising, even when advertising that these routes of return the same interface where he learns the. Therefore, you must in this case, the following configuration command to indicate to EIGRP to use the jump according to original when IP advertising of these roads.

    no ip next-hop-self eigrp

    Note: The no ip next-hop-self eigrp command will be available from Cisco IOS release 12.3 (2). For Cisco IOS versions 12.2 (13) T and 12.3 (2), you must do the following:

    * If the talk-to-spoke dynamic tunnels are not wanted, then the above command is not necessary.

    * If the talk-to-spoke dynamic tunnels are wanted, then you must use process switching on the interface of tunnel on the spoke routers.

    * Otherwise, you will need to use another protocol for routing on the DMVPN.

    OSPF

    Because OSPF is a routing protocol - the status of the connection, there is not any split horizon issues. Normally, for multipoint interfaces, you configure the OSPF network type to be point-to-multipoint, but this would entail OSPF add host routes to the routing on the spoke routers table. These host routes would cause packets to networks behind the other spoke routers to transmit via the hub, rather than directly transmitted to another talk. To work around this problem, configure the OSPF network type to be broadcast using the command.

    dissemination of IP ospf network

    You must also make sure that the hub, router will be the designated router (DR) for IPsec + love network. This is done by setting the priority OSPF is greater than 1 on the hub and 0 on the shelves.

    * Hub: ip ospf priorite2

    * Speaks: ip ospf priority 0

    * END OF THE SNIPPET *.

    Hope that explains.

    The rate of this post, if that helps.

    Gilbert

  • DMVPN Phase 3 double cloud has spoke-to-Spoke communication

    Hello

    I would like to confirm/verify if Phase 3 allows rays in different areas of DMVPN communicate directly or that there is the talking-DMVPN-A routed through hubs talk-DMVPN-B? Any document on EAC authoritative on this specific scenario is greatly appreciated.

    Thank you.

    -Mike

    Mike,

    I may be off, does not not with the VPN for a year now, but that's.

    It really depends on what is a domain for you. Remember that the ID Network PNDH is locally important.

    In the end even network ID allows PNDH requests jump between different tunnels.

    If the network ID is different then the 'domain' is different and PNDH must not circulate between.

    For the rest, he is based on the road, it's just a matter of making conscious design decisions prior to deployment and a few tests.

    M.

  • DMVPN with digital ceritificates and Hub acts as a CA server

    Hello guys,.

    is there anyway to configure the DMVPN with digital certificates and change the router Hub to act as a CA server?

    Thank you

    Yes, you can do it, go ahead and set up your router, Hub, with the normal DMVPN configuration so that it becomes the hub. After doing that follow the link below to add public key infrastructure server features:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gt_ioscs.html

    And to register for the rays on the hub, use this link:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080210cdc.shtml

    Remember that regardless of the router Hub being the authority of CA, you must sign up for itself to allow the IKE PKI authentication.

  • DMVPN spoke with HSRP sells HUB

    I have a basic DMVPN with an IPSEC config protect profile.

    On the shelves, I use the VIP HSRP for (192.168.1.1) configuration and traffic stops treatment

    map of PNDH 10.29.32.1 IP 192.168.1.1

    If I use the real IP address of the HUB 192.168.1.2 interface, it works fine.

    I changed the mode of multipoint gre tunnel and changed to point to the real or VIP and seems not in line with the VIP HSRP.

    Is this a supported configuration, or am I missing something?

    The end result is routers DMVPN HUB running HSRP and we talked, pointing to the VIP address.

    I feel that, since then, IPSec, the communication breaks when you use the VIP

    Thank you

    Juan

    Spoke about config below

    interface Tunnel100

    Description

    bandwidth 6000

    IP 10.29.47.254 255.255.240.0

    no ip redirection

    IP 1400 MTU

    property intellectual PNDH authentication nhrpdomain

    map of PNDH IP 192.168.1.2 multicast

    map of PNDH 10.29.32.1 IP 192.168.1.2

    PNDH id network IP-100

    property intellectual PNDH holdtime 360

    property intellectual PNDH nhs 10.29.32.1

    IP tcp adjust-mss 1360

    load-interval 30

    QoS before filing

    source of tunnel GigabitEthernet0/2

    multipoint gre tunnel mode

    tunnel key 1000

    Protection ipsec DMVPN tunnel profile

    end

    Hello

    The hub does not generate the packages using the VIP.

    If the RADIUS is trying to connect to 192.168.1.1 while the hub will respond with 192.168.1.2.

    For redundancy, you can create two tunnels on the RADIUS. 1 for every router and use eigrp to decide the best option.

    You can still use hsrp to the internal network on the hubs (the network doesn't not facing rays) so the right router will be the gateway for internal routers.

  • Cisco series ASR DMVPN Phase 3 Support

    Hello

    You have an idea if the routers Cisco ASR takes in charge phase 3 of DMVPN recently? Or when they will support?

    Although there is no support for the ASR on Cisco documantations, you can see the shortcut commands and redirect PNDH

    on the IOS of the ASR. I have it configured, but it doesn't seem to work.

    Thank you very much

    Best regards

    3 phase DMVPN is supported from version 2.5 front.

    If you are already running this version or later, please kindly open a TAC case to better study the question.

  • DMVPN problem with 2 hubs

    Hello

    I dmvpn phase 1 with 2 hubs, 20 rays and eigrp, HUB1 is main and HUB2's backup. If HUB1 works any traffic from rays go to HUB2 immediately in a few seconds, but when HUB1 gets traffic from rays automatically goes back to the HUB1 after 20-30 minutes and it is too long, it's problem.

    command 'Show dmvpn' on the screens of rays which tunnelle to HUB1 are PNDH, and if I use 'session claire encryption"command manually on any traffic spoke of this talk past immediately to HUB1.

    A month ago I tested and it worked fine. but when I last tested time 2 days ago, this problem occurred.

    What should be the reason and how to fix it?

    Sorry for my English, I'm new to dmvpn :)

    Thanks in advance.

    Hi George,.

    I see two possible event which would explain the behavior that you are experiencing.

    (a) change of State DMVPN.

    (b) change in the routing table.

    You can troubleshoot each of the question above to identify that one is at the origin of the problem and then isolate him.  To begin, you must make sure that the DMVPN stay in a stable 'up' State.

    You mention "pokes displays tunnels to HUB1 in PNDH State"-this confirm DMVPN is 'stuck' and not fully operational.

    I suggest to consult a few details of useful troubleshooting here:

    http://www.Cisco.com/c/en/us/support/docs/security/dynamic-multipoint-VP...

    Take a look at these details:

    ~~~

    Interface: Tunnel100, IPv4 PNDH details
    Type: talk, PNDH peers: 2,.

    # Ent Peer NBMA Peer Tunnel Addr add State UpDn Tm Attrb
    ----- --------------- --------------- ----- -------- -----
    1 192.168.1.1 172.28.1.1 UP 1d21h S
    1 192.168.1.2 172.28.1.2 UP 1d21h S

    ~~~

    You get output similar in your configuration, if you want to keep an eye on the time of "UpDn", as it will tell you how long the DMVPN has been upward.

    If the DMVPN remains stable, while you experience the problem, then focus on the routing protocol that you use in the troubleshooting dmvpn tunnel.

    If the DMVPN is unstable, check the connectivity between the spokes and hub NBMA Address and connectivity remain stable.  "you can use ' debug crypto dmvpn error and debug error PNDH dmvpn" to help identify the problem, if it is associated with DMVPN.

    There is a lot of support in my suggestions, because you have not posted the configuration :).

    But it would be useful that you post the config.  Good luck with your efforts.

    Thank you

    re775

  • Is it possible to use hub dual double cloud in Phase 1 DMVPN?

    Hello, I'm studying DMVPN in Phase 1. I'm doing a lab where I have 2 hubs and 2 spokes connected through 2 providers. In DMVPN phase 1, what I understand, destined for the tunnel must be configured manually (gre tunnel mode is point to point). But for each ray, I have 2 hubs. How can I specify addresses NBMA the two poles of the same tunnel interface IP spoke? I can only specify a single destination tunnel, then a hub.

    Hubs do not need four interfaces in this case, one by ISP is enough. You end up with the following connections by talk:

    Tun1-isps1 <->Tun1-isps1-Hub1
    Tun2-isps1 <->Tun1-isps1-Hub2
    Tun3-ISP2 <->Tun2-ISP2-Hub1
    Tun4-ISP2 <->Tun2-ISP2-Hub2

  • Migration phase 3 DMVPN with Central Hub

    I'm looking at the migration of my network DMVPN phase 2 phase 3. The current system contains 3 regional poles each serving about 100 rays. The final goal is to be able to build tunnels speaks to talk between sites that are hosted to the hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 phase 3" regional poles of phase 3 can be related in a hierarchy through a central hub, but there are no details in the doc and I was not able to find a white paper that addresses this specifically. Someone at - it experience with this topology or have the material regarding the deployment and configuration of nodal point?

    Kind regards

    Mike

    Mike,

    DMVPN phase 3 is still a valid design choice, even if we are heading for FlexVPN/IKEv2 combo (eventually finished on ASRs)

    That being said, the deployment is quite easy:

    -Shortcuts PNDH (+ redirect PNDH, really unnecessary during stable operation) on the shelves

    -Redirect PNDH on the hubs.

    Generally on regional hubs you would have a tunnel interface to the rays and the other (like talking) tunnel to the global hubs, remember that they must belong to the same network PNDH (i.e. same id PNDH network).

    Now according to your choice Routing Protocol (BGP dimensionnera better, obviously), it's just a matter of right summarized advertising and setting the delays and costs.

    The top level I know, if you want to read, google "BRKSEC DMVPN" you will find some different item of Cisco Live/Networkes of the past - my resource of choice.

    M.

  • DMVPN problem

    Hello together,

    I have a dmvpn with double hub and ospf configuration.

    I had we spoke and now has added another spoke. but I don't want the two rays to open a tunnel between them, I want that all traffic passing through the hub.

    with "mode gre ip tunnel" on a RADIUS the RADIUS do nothing, I don't see the 2 hubs like ospf neighbors more. the hubs are configured as follows:

    interface Tunnel0
     
    bandwidth 100000
    172.16.5.1 IP address 255.255.255.0
    no ip redirection
    IP 1400 MTU
    test of PNDH IP authentication
    dynamic multicast of IP PNDH map
    PNDH id network IP-100000
    property intellectual PNDH holdtime 600
    dissemination of IP ospf network
    IP ospf priority 2
    delay of 1000
    source of tunnel GigabitEthernet0/0
    multipoint gre tunnel mode
    tunnel key 100000
    Tunnel ipsec profile protection profile
    end

    and the rays:

    interface Tunnel0
    VPN description
    bandwidth 1000
    IP 172.16.5.13 255.255.255.0
    no ip redirection
    IP 1400 MTU
    NAT outside IP
    test of PNDH IP authentication
    map of PNDH IP multicast XXX1<-official ips="" of="" the="" hubs="">
    intellectual property PNDH map 172.16.5.1 XXX1
    map of PNDH IP multicast x.x.x.2
    property intellectual PNDH card 172.16.5.2 x.x.x.2
    PNDH id network IP-100000
    property intellectual PNDH holdtime 300
    property intellectual PNDH nhs 172.16.5.1
    property intellectual PNDH nhs 172.16.5.2
    IP virtual-reassembly in
    dissemination of IP ospf network
    IP ospf priority 0
    IP ospf cost 5000
    delay of 1000
    source of Dialer1 tunnel
    multipoint gre tunnel mode
    tunnel key 100000
    Tunnel ipsec profile protection profile

    I saw roads since we talked to another speaks so I did a routemap of filtering that routes in the routing table, it takes default route hub and does not speak but they always try to open a tunnel between them which is blocked by the incomg acl, so traffic flows as it should , but I don't want the rays always trying to open a tunnel, they shouldn't be. I just want dmvpn phase 1

    Please try 'ip ospf point-to-multipoint network' on all routers of the star topology.

    In addition, it would be useful that you can post the config ipsec part (less any info security).

    Good luck with your configuration.

  • DMVPN QUESTION

    Hello

    I have deploy a dmvpn with two of the hub topology and several rays, after the spokes and the hub, I did a reboot in the hub to see if this drug works after rebbot in the hub, but I noticed that after the rebbot the tunnel in the hub is not come, the only way to raise the tunnel had to erase dmvpn static session in rays , during this time the hub to continue giving a message:

    ISAKMP: ignoring the request to send delete notify (no ISAKMP security association) src 213.10.10.10 dst 213.58.10.10.14 for SPI 0xC15C587F

    IOS:12.4.11 T 1

    2821

    2811

    Someone can help me.

    Thank you

    Hello

    Please make sure you have ISAKMP KeepAlive on the hubs and spokes, and once configured, please test again and see if it improves. What is happeneing is probably when the hub is restarted, speak it does not clear the tunnel is based on the SAs to timeout. When delete us the SAs on the RADIUS, the problem goes away. Configure ISAKMP KeepAlive should we work around this problem.

    HTH,

    Please rate if this can help.

    Kind regards

    Kamal

  • DELIVER the mutiple IVRF ASR1000 DMVPN

    Hi all

    I have a dmvpn design where the hub is a router asr 1000 with public static IP address and the rays with ADSL, the rays are the branch of individual customers (A and B) and I configured VRF housed in the HUB to separate networks, in the hub, I configured diferent tunnel for each customer with their VRF.

    Configuring DMVPN is ok in the HUB and SPOKES, the question is which works only for a single tunnel, when a tunnel stop in the HUB, the other tunnel up and backward.

    you have an idea for what happens?

    It's design

    Thank you all

    This is a very generic problem, we need more details - this is the State of the tunnel interface that descends or IPsec breaks down or no PNDH mappings are possible?

    In my view, it is preferable that you open a TAC case to study.

    M.

  • DMVPN with invalid SPI recovery / DPD

    Dear Experts,

    I'm evaluating a networks of average design company DMVPN Phase 2 scope, trying to optimize the time of receovery after a failure and restoration of a DMVPN counterpart.

    1. I just spent through a PDF of Cisco Live at a workshop of 2011 named "Advanced Concepts of DMVPN - BRK 4052".

    It is said (without further explanation) that the invalid SPI recovery feature is not useful with DMVPN.

    Can anyone explain, why?

    2 DMVPN involves the use of the Tunnel (TP) Protection. I read the reviews that say that you can not use Dead Peer Detection (DPD) as well as the TP.

    Unlike these reviews, Cisco DMVPN V1.1 design guide recommends a configuration container:

    ISAKMP crypto keepalive 10

    That means, I have to use DPD, but without "periodicals" KeepAlive? If so, could you explain?

    Thank you very much!

    Dear Sebastian,

    1 SPI recovery means essentially that the answering router must meet the same initiator VPN router if the SPI was invalid, the response of the intervener would be an 'invalid' error to the initiator VPN.

    Why it is not recommended for DMVPN?

    Well, according to the previous description of SPI, imagine if someone upsets your router with rogue applications! with the resumption of active SPI, it means that your router would need to respond to all messages which he received with the message "Invalid Error", which basically means--> attack (Denial of Service Attack) back--> high CPU processing on your router.

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200

    How is it that relates to DMVPN?

    Well! DMVPN is mainly deployed with large number of rays! and even if no one attacks you! your rays can attack you

    2. I don't think that having periodic KeepAlive is what we hear in the comments on demand or periodic KeepAlive is not really effect DMVPN.

    I don't know what are the comments you've read, but I think you can use DPD! There have been some incompatabilites filed for tunnel KeepAlive, but as far as I know, nothing major was filed against ISAKMP KeepAlive.

    HTH!

    AMatahen

  • Spoke1 to Spoke2 slow network network

    DMVPN configuration.

    LAN to LAN Hub devices spoke both 60ms ping.

    Spoke1 LAN Spoke2 LAN times 110ms 1000ms ping devices.

    When I ping addresses it love of routers. I can ping to 30-45ms unless I ping from the own IP address of routers, then he replies to a reply of 90ms. significance:

    Spoke1 to Spoke2 = 40ms

    Spoke1 to the hub = 35ms

    Spoke2 to the hub = 35ms

    Spoke1 to self = 90ms

    Spoke2 to self = 90ms

    Config HUB:

    door-key crypto Cisco

    pre-shared key address 0.0.0.0 0.0.0.0 key KeyA

    !

    Crypto ipsec transform-set esp-3des SHA13-ESP-3DES esp-sha-hmac

    transport mode

    !

    Crypto isakmp Cisco profile

    key chain Cisco

    function identity address 0.0.0.0

    !

    Profile of CISCO ipsec crypto

    game of transformation-ESP-3DES-SHA13

    Cisco isakmp-profile set

    !

    interface Tunnel0

    Hub description

    bandwidth 4000

    IP 10.151.151.1 255.255.255.248

    no ip redirection

    IP mtu 1416

    the PNDH IP Cisco authentication

    dynamic multicast of IP PNDH map

    PNDH id network IP-100000

    property intellectual PNDH holdtime 360

    IP tcp adjust-mss 1360

    no ip split horizon eigrp 1

    delay of 1000

    source of tunnel GigabitEthernet0/0

    multipoint gre tunnel mode

    tunnel key 100000

    Tunnel ipsec CISCO protection profile

    !

    interface GigabitEthernet0/0

    Hub description

    inherit the bandwidth

    address IP A.A.A.A 255.255.255.252

    Check IP unicast reverse path

    NAT outside IP

    IP virtual-reassembly

    route IP cache flow

    automatic duplex

    Speed 100

    media type rj45

    auto negotiation

    !

    Router eigrp 1

    Network 10.3.3.0 0.0.0.255

    Network 10.150.150.0 0.0.0.255

    Network 10.151.151.0 0.0.0.7

    network 192.168.27.0

    No Auto-resume

    SPOKE1 config:

    ISAKMP crypto key KeyA address 0.0.0.0 0.0.0.0

    !

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    transport mode

    !

    Profile of CISCO ipsec crypto

    game of transformation-ESP-3DES-SHA

    !

    interface Tunnel0

    Description SPOKE1

    bandwidth 4000

    IP 10.151.151.2 255.255.255.248

    no ip redirection

    IP mtu 1416

    no ip next-hop-self eigrp 1

    the PNDH IP Cisco authentication

    intellectual property PNDH map 10.151.151.1 A.A.A.A

    map of PNDH IP multicast A.A.A.A

    PNDH id network IP-100000

    property intellectual PNDH holdtime 360

    property intellectual PNDH nhs 10.151.151.1

    IP tcp adjust-mss 1360

    no ip split horizon eigrp 1

    delay of 1000

    source of tunnel GigabitEthernet0/1

    multipoint gre tunnel mode

    tunnel key 100000

    Tunnel ipsec CISCO protection profile

    !

    interface GigabitEthernet0/1

    Description SPOKE1

    address IP B.B.B.B 255.255.255.252

    NAT outside IP

    IP virtual-reassembly

    automatic duplex

    automatic speed

    media type rj45

    !

    Router eigrp 1

    Network 10.148.27.0 0.0.0.255

    Network 10.148.148.0 0.0.0.255

    Network 10.151.151.0 0.0.0.7

    No Auto-resume

    SPOKE2 config:

    ISAKMP crypto key KeyA address 0.0.0.0 0.0.0.0

    !

    Crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

    transport mode

    !

    Profile of CISCO ipsec crypto

    game of transformation-ESP-3DES-SHA1

    !

    interface Tunnel0

    Description SPOKE2

    bandwidth 4000

    IP 10.151.151.3 255.255.255.248

    no ip redirection

    IP mtu 1416

    no ip next-hop-self eigrp 1

    authentication of the PNDH IP Rentsys

    map of PNDH IP multicast A.A.A.A

    intellectual property PNDH map 10.151.151.1 A.A.A.A

    PNDH id network IP-100000

    property intellectual PNDH holdtime 360

    property intellectual PNDH nhs 10.151.151.1

    IP tcp adjust-mss 1360

    no ip split horizon eigrp 1

    delay of 1000

    source of tunnel GigabitEthernet0/1

    multipoint gre tunnel mode

    tunnel key 100000

    Tunnel ipsec CISCO protection profile

    !

    interface GigabitEthernet0/1

    Description SPOKE2

    address IP C.C.C.C 255.255.255.252

    NAT outside IP

    IP virtual-reassembly

    route IP cache flow

    full duplex

    Speed 100

    media type rj45

    !

    Router eigrp 1

    passive-interface default

    no passive-interface Tunnel0

    Network 10.149.149.0 0.0.0.255

    Network 10.151.151.0 0.0.0.7

    No Auto-resume

    I did a trace on a network device to talk 1 to a device on the network Spoke 2. I noticed that the trace route goes through the love and hops to the address of tunnel GRE HUB. Is this the way to go for this Setup?

    1 10.148.148.1 0 ms 0 ms 0 ms (internal address of the Router 1 spoke)
    2 10.151.151.1 50 ms 50 ms 51 ms (GRE 'outside' address of the HUB)
    3 10.151.151.3 109 MS 109 MS 109 ms (GRE 'outside' address of Router 2 spoke)
    4 10.149.149.254 109 msec * 109 msec (router device 2 spoke)

    Hello

    Spoke1 should send a request of PNDH to HUB and HUB answer with spoke2 mapping; After speaking should build a tunnel talk to rays and speaks of talking about traffic must use this tunnel.

    You have "no ip next-hop-self eigrp 1 ' configured in your hub tunnel interface?

    If your IOS is 12.4 (6) T or higher, you can consider using dmvpn phase 3.

    HTH,

    Lei Tian

  • DMVPN spoke of issues after migration double ISR2 3925 hub to ASR-1001 X

    Hello world

    After our hub solution migration DMVPN double ISR2 3925 to ASR - 1001 X (running asr1001x - universalk9.03.12.03.S.154 - 2.S3 - std.SPA.bin) we started to have some problems with tunnels rays beat (which goes up and down) and sometimes never came.

    Running 'show dmvpn' speak it is stuck in State PNDH to our hub. To solve the problem, we run 'stop' and then 'non-stop' on the tunnel interface to actually speak that DMVPN Monte. Also runs "clear encryption session " on the shelf often solves the problem. So, it seems that the question has something to do with IPSEC.

    When the problem occurred, and then debug crypto ipsec, crypto, crypto isakmp and crypto engine socket the following can be seen on the hub:

     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 140130067548488, message ID = 629121681 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): seq. no 0x64B2238C Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet. Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):purging node 629121681 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:41 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP: set new node 3442686097 to QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 3442686097 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 3442686097, sa = 0x7F72986867D0 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): DPD/R_U_THERE_ACK received from peer , sequence 0x64B2238C Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):deleting node 3442686097 error FALSE reason "Informational (in) state 1" Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:42 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A438 Jun 25 10:01:42 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jun 25 10:01:42 SUMMERT: ISAKMP:(46580):purging node 1111296046 Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 928225319 to QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing SA payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Checking IPSec proposal 1 Jun 25 10:01:44 SUMMERT: ISAKMP: transform 1, ESP_AES Jun 25 10:01:44 SUMMERT: ISAKMP: attributes in transform: Jun 25 10:01:44 SUMMERT: ISAKMP: encaps is 2 (Transport) Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in seconds Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (basic) of 3600 Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in kilobytes Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 Jun 25 10:01:44 SUMMERT: ISAKMP: authenticator is HMAC-SHA Jun 25 10:01:44 SUMMERT: ISAKMP: key length is 256 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):atts are acceptable. Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local  /255.255.255.255/0, remote  /255.255.255.255/0, prot 47, ifc Tu3300 Jun 25 10:01:44 SUMMERT: IPSEC(recalculate_mtu): reset sadb_root 7F7292E64990 mtu to 1500 Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending Socket Ready message Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NONCE payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):QM Responder gets spi Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer  Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating profile-shared Tunnel3300 ident 7F7298B2BF80 with lookup_oce 7F7296BF5440 Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x14F40C56(351538262), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27873 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0 Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x3B4731D7(994521559), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27874 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Received IPSec Install callback... proceeding with the negotiation Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Successfully installed IPSEC SA (SPI:0x14F40C56) on Tunnel3300 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet. Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2 Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 1979798297 to QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 1979798297 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 351538262, message ID = 1979798297, sa = 0x7F72986867D0 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): deleting spi 351538262 message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 928225319 error TRUE reason "Delete Larval" Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):peer does not do paranoid keepalives. Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x3B4731D7) Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 1979798297 error FALSE reason "Informational (in) state 1" Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:44 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A340 Jun 25 10:01:44 SUMMERT: IPSEC(key_engine_delete_sas): delete SA with spi 0x3B4731D7 proto 50 for  Jun 25 10:01:44 SUMMERT: IPSEC(update_current_outbound_sa): updated peer  current outbound sa to SPI 0 Jun 25 10:01:44 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending request for CRYPTO SS CLOSE SOCKET

     #sh pl ha qf ac fe ipsec data drop ------------------------------------------------------------------------ Drop Type Name Packets ------------------------------------------------------------------------ 3 IN_US_V4_PKT_FOUND_IPSEC_NOT_ENABLED 127672 19 IN_OCT_ANTI_REPLAY_FAIL 13346 20 IN_UNEXP_OCT_EXCEPTION 4224 33 OUT_V4_PKT_HIT_IKE_START_SP 1930 62 IN_OCT_MAC_EXCEPTION 9 #sh plat hard qfp act stat drop | e _0_ ------------------------------------------------------------------------- Global Drop Stats Packets Octets ------------------------------------------------------------------------- Disabled 1 82 IpFragErr 170536 246635169 IpTtlExceeded 4072 343853 IpsecIkeIndicate 1930 269694 IpsecInput 145256 30071488 Ipv4Acl 2251965 215240194 Ipv4Martian 6248 692010 Ipv4NoAdj 43188 7627131 Ipv4NoRoute 278 27913 Ipv4Unclassified 6 378 MplsNoRoute 790 69130 MplsUnclassified 1 60 ReassTimeout 63 10156 ServiceWireHdrErr 2684 585112

    In addition, after you run "logging dmvpn rate-limit 20' on the hub

     %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel292: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel:  NBMA: )

    On the talks both the following can be seen debugging as well:

     *Jun 25 09:17:26.884: ISAKMP:(1032): sitting IDLE. Starting QM immediately (QM_IDLE ) *Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281 *Jun 25 09:17:26.884: ISAKMP:(1032):QM Initiator gets spi *Jun 25 09:17:26.884: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:26.884: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:26.884: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Jun 25 09:17:26.884: ISAKMP:(1032):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 *Jun 25 09:17:26.940: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032): processing HASH payload. message ID = 1599359281 *Jun 25 09:17:26.940: ISAKMP:(1032): processing SA payload. message ID = 1599359281 *Jun 25 09:17:26.940: ISAKMP:(1032):Checking IPSec proposal 1 *Jun 25 09:17:26.940: ISAKMP: transform 1, ESP_AES *Jun 25 09:17:26.940: ISAKMP: attributes in transform: *Jun 25 09:17:26.940: ISAKMP: encaps is 2 (Transport) *Jun 25 09:17:26.940: ISAKMP: SA life type in seconds *Jun 25 09:17:26.940: ISAKMP: SA life duration (basic) of 3600 *Jun 25 09:17:26.940: ISAKMP: SA life type in kilobytes *Jun 25 09:17:26.940: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Jun 25 09:17:26.940: ISAKMP: authenticator is HMAC-SHA *Jun 25 09:17:26.940: ISAKMP: key length is 256 *Jun 25 09:17:26.940: ISAKMP:(1032):atts are acceptable. *Jun 25 09:17:26.940: IPSEC(ipsec_process_proposal): proxy identities not supported *Jun 25 09:17:26.940: ISAKMP:(1032): IPSec policy invalidated proposal with error 32 *Jun 25 09:17:26.940: ISAKMP:(1032): phase 2 SA policy not acceptable! (local  remote ) *Jun 25 09:17:26.940: ISAKMP: set new node -1745931191 to QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 834718720, message ID = 2549036105 *Jun 25 09:17:26.940: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:26.940: ISAKMP:(1032):purging node -1745931191 *Jun 25 09:17:26.940: ISAKMP:(1032):deleting node 1599359281 error TRUE reason "QM rejected" *Jun 25 09:17:26.940: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Jun 25 09:17:26.940: ISAKMP:(1032):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1 *Jun 25 09:17:34.068: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE *Jun 25 09:17:34.068: ISAKMP: set new node 1021264821 to QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032): processing HASH payload. message ID = 1021264821 *Jun 25 09:17:34.072: ISAKMP:(1032): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 1021264821, sa = 0x32741028 *Jun 25 09:17:34.072: ISAKMP:(1032):deleting node 1021264821 error FALSE reason "Informational (in) state 1" *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jun 25 09:17:34.072: ISAKMP:(1032):DPD/R_U_THERE received from peer , sequence 0x64B2279D *Jun 25 09:17:34.072: ISAKMP: set new node 716440334 to QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 834719464, message ID = 716440334 *Jun 25 09:17:34.072: ISAKMP:(1032): seq. no 0x64B2279D *Jun 25 09:17:34.072: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:34.072: ISAKMP:(1032):purging node 716440334 *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jun 25 09:17:35.356: ISAKMP:(1032):purging node 206299144

    Obviously something seems to be wrong Phase 2 not to come. But why is it going up after having erased the session encryption or close the tunnel interface and activate the interface of tunnel has spoken?

    Very weird. Also, in looking at att the hub debugging messages it seems that Cryptography is associated with evil Tu3300 tunnel interface when it is Tu2010. Normal or Bug?

    The configuration of the hub looks like this:

     crypto keyring ISP1-DMVPN vrf ISP1-DMVPN pre-shared-key address 0.0.0.0 0.0.0.0 key  crypto isakmp policy 10 encr aes authentication pre-share crypto isakmp keepalive 10 3 periodic crypto isakmp nat keepalive 10 crypto isakmp profile ISP1-DMVPN keyring ISP1-DMVPN match identity address 0.0.0.0 ISP1-DMVPN keepalive 10 retry 3 crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac mode tunnel crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac mode transport crypto ipsec profile ISP1-DMVPN set transform-set AES256-SHA AES256-SHA-TRANSPORT set isakmp-profile ISP1-DMVPN vrf definition ISP1-DMVPN description DMVPN-Outside-ISP1 rd 65527:10 ! address-family ipv4 exit-address-family ! ! interface TenGigabitEthernet0/0/0 no ip address ! interface TenGigabitEthernet0/0/0.71 description VPN;ISP1-DMVPN;Outside;VLAN71 encapsulation dot1Q 71 vrf forwarding ISP1-DMVPN ip address  255.255.255.128 no ip proxy-arp ip access-group acl_ISP1-DMVPN_IN in ! ip route vrf ISP1-DMVPN 0.0.0.0 0.0.0.0  name ISP1;Default ip access-list extended acl_ISP1-DMVPN_IN permit icmp any any permit esp any host  permit gre any host  permit udp any host  eq isakmp permit udp any host  eq non500-isakmp deny ip any any vrf definition 2010  description CUSTA - Customer A  rd 65527:2010 route-target export 65527:2010 route-target import 65527:2010 ! address-family ipv4 exit-address-family ! ! interface Tunnel2010 description CUSTA;DMVPN;Failover-secondary vrf forwarding 2010 ip address 10.97.0.34 255.255.255.240 no ip redirects ip mtu 1380 ip nhrp map multicast dynamic ip nhrp network-id 2010 ip nhrp holdtime 120 ip nhrp server-only ip nhrp max-send 1000 every 10 ip tcp adjust-mss 1340 tunnel source TenGigabitEthernet0/0/0.71 tunnel mode gre multipoint tunnel key 2010 tunnel vrf ISP1-DMVPN tunnel protection ipsec profile ISP1-DMVPN shared router bgp 65527 ! address-family ipv4 vrf 2010 redistribute connected metric 10 redistribute static metric 15 neighbor 10.97.0.39 remote-as 65028 neighbor 10.97.0.39 description spokerouter;Tunnel1 neighbor 10.97.0.39 update-source Tunnel2010 neighbor 10.97.0.39 activate neighbor 10.97.0.39 soft-reconfiguration inbound neighbor 10.97.0.39 prefix-list EXPORT-IVPN-VRF2010 out neighbor 10.97.0.39 route-map AllVRF-LocalPref-80 in neighbor 10.97.0.39 maximum-prefix 5000 80 default-information originate exit-address-family

    Configuring spoke:

     crypto keyring DMVPN01 pre-shared-key address 0.0.0.0 0.0.0.0 key  crypto isakmp policy 10 encr aes authentication pre-share crypto isakmp invalid-spi-recovery crypto isakmp profile DMVPN01 keyring DMVPN01 match identity address 0.0.0.0 keepalive 10 retry 3 crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac mode tunnel crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac mode transport crypto ipsec profile DMVPN01 set transform-set AES256-SHA-TRANSPORT set isakmp-profile DMVPN01 vrf definition inside rd 65028:1 route-target export 65028:1 route-target import 65028:1 ! address-family ipv4 exit-address-family ! interface Tunnel1 description DMVPN to HUB vrf forwarding inside ip address 10.97.0.39 255.255.255.240 no ip redirects ip mtu 1380 ip nhrp map 10.97.0.33  ip nhrp map multicast  ip nhrp map 10.97.0.34  ip nhrp map multicast  ip nhrp network-id 1 ip nhrp holdtime 120 ip nhrp nhs 10.97.0.33 ip nhrp nhs 10.97.0.34 ip nhrp registration no-unique ip nhrp registration timeout 60 ip tcp adjust-mss 1340 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 2010 tunnel protection ipsec profile DMVPN01 shared router bgp 65028 ! address-family ipv4 vrf inside bgp router-id 172.28.5.137 network 10.97.20.128 mask 255.255.255.128 network 10.97.21.0 mask 255.255.255.0 network 10.97.22.0 mask 255.255.255.0 network 10.97.23.0 mask 255.255.255.0 network 172.28.5.137 mask 255.255.255.255 neighbor 10.97.0.33 remote-as 65527 neighbor 10.97.0.33 description HUB1;Tunnel2010 neighbor 10.97.0.33 update-source Tunnel1 neighbor 10.97.0.33 timers 10 30 neighbor 10.97.0.33 activate neighbor 10.97.0.33 send-community both neighbor 10.97.0.33 soft-reconfiguration inbound neighbor 10.97.0.33 prefix-list IROUTE-EXPORT out neighbor 10.97.0.33 maximum-prefix 5000 80 neighbor 10.97.0.34 remote-as 65527 neighbor 10.97.0.34 description HUB2;tunnel2010 neighbor 10.97.0.34 update-source Tunnel1 neighbor 10.97.0.34 timers 10 30 neighbor 10.97.0.34 activate neighbor 10.97.0.34 send-community both neighbor 10.97.0.34 soft-reconfiguration inbound neighbor 10.97.0.34 prefix-list IROUTE-EXPORT out neighbor 10.97.0.34 route-map AllVRF-LocalPref-80 in neighbor 10.97.0.34 maximum-prefix 5000 80 exit-address-family

    If more information is needed, please say so.

    Any help or advice would be greatly appreciated!

    Thank you!

    It is possible that you touch it--the failure of negotiations of phase 2:

    https://Tools.Cisco.com/bugsearch/bug/CSCup72039/?reffering_site=dumpcr

    [Too little detail to say with certainty:]

    M.

Maybe you are looking for