DMVPN Phases

I'm a little confused now, because I realized that I can't understand DMVPN phases.

Can someone explain to me - what is the difference between Full-Terminal and Hub-and-Spoke network.

(1) network hub-and-Spoke - all traffic DMVPN through HUB. is it not? and the difference between dynamic and static VPN is that IPSec tunnels are only created when necessary?

(2) network terminal full - rays ask for the PNDH table hub and establish direct tunnels (traffic passes of talk of talks about his)?

When this information is correct, so where can I find a guide to configuring DMVPN in mesh network full?

I found this guide http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml , but it seems to me, this is example of Hub-and-Spoke!

I thank very you much in advance!

Hi Dimitri.

Question 1:

All traffic passes through HUB - OK

The tunnels are only created when needed between rays - correct

Question 2:

Fix

http://Cisco.com/en/us/Tech/tk583/TK372/technologies_white_paper09186a008018983e.shtml

Please take a look at the link given above.

Excerpt from the link above

"PNDH offers the opportunity for the spoke routers learn dynamically outside physical interface other routers address talk network VPN." This means that a router speaks will be enough information to dynamically build an IPsec + tunnel love directly to the other spoke routers.

The dynamic IP routing protocol running on the hub router can be configured to reflect the routes registered by one spoke back on the same interface for all other rays, but the leap following IP on these roads will usually be the hub router, not the router speaks where the hub has learned this route.

The dynamic routing protocols (RIP, OSPF and EIGRP) need to be configured on the hub router to announce routes back to the love tunnel interface and define the next IP for the router hop speaks originating for the routes registered by one spoke when the road is called back to the other rays.

Here are the requirements for Protocol routing configurations.

RIP

You should disable split horizon on the interface of tunnel love on the hub, otherwise, RIP will be registered through the love interface routes not regularize this same interface.

No cutting of the ip horizon

No other changes are needed. RIP will automatically use the original next IP Hop on the roads it advertises back on the same interface where she learned these routes.

EIGRP

You should disable split horizon on the interface of tunnel love on the hub, otherwise, EIGRP will broadcast routes recorded via the interface love not regularize this same interface.

no ip split horizon eigrp

By default, EIGRP will set the next hop IP for the router to hub for roads is advertising, even when advertising that these routes of return the same interface where he learns the. Therefore, you must in this case, the following configuration command to indicate to EIGRP to use the jump according to original when IP advertising of these roads.

no ip next-hop-self eigrp

Note: The no ip next-hop-self eigrp command will be available from Cisco IOS release 12.3 (2). For Cisco IOS versions 12.2 (13) T and 12.3 (2), you must do the following:

* If the talk-to-spoke dynamic tunnels are not wanted, then the above command is not necessary.

* If the talk-to-spoke dynamic tunnels are wanted, then you must use process switching on the interface of tunnel on the spoke routers.

* Otherwise, you will need to use another protocol for routing on the DMVPN.

OSPF

Because OSPF is a routing protocol - the status of the connection, there is not any split horizon issues. Normally, for multipoint interfaces, you configure the OSPF network type to be point-to-multipoint, but this would entail OSPF add host routes to the routing on the spoke routers table. These host routes would cause packets to networks behind the other spoke routers to transmit via the hub, rather than directly transmitted to another talk. To work around this problem, configure the OSPF network type to be broadcast using the command.

dissemination of IP ospf network

You must also make sure that the hub, router will be the designated router (DR) for IPsec + love network. This is done by setting the priority OSPF is greater than 1 on the hub and 0 on the shelves.

* Hub: ip ospf priorite2

* Speaks: ip ospf priority 0

* END OF THE SNIPPET *.

Hope that explains.

The rate of this post, if that helps.

Gilbert

Tags: Cisco Security

Similar Questions

DMVPN Phase II flow by HUB

Hello!
I have a questions about the phase II of DMVPN.
-Why the first packets between the spokes will be flow through hub? How can I influence the quantity of this package, or at the time of this kind of flow direction?
-It is mandatory to use no next hop eigrp is itself and no ip split horizon on Hub only, or the rays also?

Thank you!

It is not a three minutes, but up to three minutes if no IPSec tunnel don't talk-to-spoke cannot be established. Once the resolution PNDH finished, which is usually after only a few packets, the traffic is routed normally, and not by the hub. If the tunnel can be established for a reason, everything continues to go through the hub. All this is done for if ensure that there is no loss of connectivity in the initial installation or because of access problems speaking.

In regards to the cache does not not not in the Center, my guess would be that this is done to ensure that connectivity is always to the rays before providing information that make authorities to the other nodes in the network, but it's speculation.

DMVPN Phase 3 double cloud has spoke-to-Spoke communication

Hello

I would like to confirm/verify if Phase 3 allows rays in different areas of DMVPN communicate directly or that there is the talking-DMVPN-A routed through hubs talk-DMVPN-B? Any document on EAC authoritative on this specific scenario is greatly appreciated.

Thank you.

-Mike

Mike,

I may be off, does not not with the VPN for a year now, but that's.

It really depends on what is a domain for you. Remember that the ID Network PNDH is locally important.

In the end even network ID allows PNDH requests jump between different tunnels.

If the network ID is different then the 'domain' is different and PNDH must not circulate between.

For the rest, he is based on the road, it's just a matter of making conscious design decisions prior to deployment and a few tests.

M.

Cisco series ASR DMVPN Phase 3 Support

Hello

You have an idea if the routers Cisco ASR takes in charge phase 3 of DMVPN recently? Or when they will support?

Although there is no support for the ASR on Cisco documantations, you can see the shortcut commands and redirect PNDH

on the IOS of the ASR. I have it configured, but it doesn't seem to work.

Thank you very much

Best regards

3 phase DMVPN is supported from version 2.5 front.

If you are already running this version or later, please kindly open a TAC case to better study the question.

Is it possible to use hub dual double cloud in Phase 1 DMVPN?

Hello, I'm studying DMVPN in Phase 1. I'm doing a lab where I have 2 hubs and 2 spokes connected through 2 providers. In DMVPN phase 1, what I understand, destined for the tunnel must be configured manually (gre tunnel mode is point to point). But for each ray, I have 2 hubs. How can I specify addresses NBMA the two poles of the same tunnel interface IP spoke? I can only specify a single destination tunnel, then a hub.

Hubs do not need four interfaces in this case, one by ISP is enough. You end up with the following connections by talk:

Tun1-isps1 <->Tun1-isps1-Hub1
Tun2-isps1 <->Tun1-isps1-Hub2
Tun3-ISP2 <->Tun2-ISP2-Hub1
Tun4-ISP2 <->Tun2-ISP2-Hub2

Migration phase 3 DMVPN with Central Hub

I'm looking at the migration of my network DMVPN phase 2 phase 3. The current system contains 3 regional poles each serving about 100 rays. The final goal is to be able to build tunnels speaks to talk between sites that are hosted to the hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 phase 3" regional poles of phase 3 can be related in a hierarchy through a central hub, but there are no details in the doc and I was not able to find a white paper that addresses this specifically. Someone at - it experience with this topology or have the material regarding the deployment and configuration of nodal point?

Kind regards

Mike

Mike,

DMVPN phase 3 is still a valid design choice, even if we are heading for FlexVPN/IKEv2 combo (eventually finished on ASRs)

That being said, the deployment is quite easy:

-Shortcuts PNDH (+ redirect PNDH, really unnecessary during stable operation) on the shelves

-Redirect PNDH on the hubs.

Generally on regional hubs you would have a tunnel interface to the rays and the other (like talking) tunnel to the global hubs, remember that they must belong to the same network PNDH (i.e. same id PNDH network).

Now according to your choice Routing Protocol (BGP dimensionnera better, obviously), it's just a matter of right summarized advertising and setting the delays and costs.

The top level I know, if you want to read, google "BRKSEC DMVPN" you will find some different item of Cisco Live/Networkes of the past - my resource of choice.

M.

DMVPN problem

Hello together,

I have a dmvpn with double hub and ospf configuration.

I had we spoke and now has added another spoke. but I don't want the two rays to open a tunnel between them, I want that all traffic passing through the hub.

with "mode gre ip tunnel" on a RADIUS the RADIUS do nothing, I don't see the 2 hubs like ospf neighbors more. the hubs are configured as follows:

interface Tunnel0

bandwidth 100000
172.16.5.1 IP address 255.255.255.0
no ip redirection
IP 1400 MTU
test of PNDH IP authentication
dynamic multicast of IP PNDH map
PNDH id network IP-100000
property intellectual PNDH holdtime 600
dissemination of IP ospf network
IP ospf priority 2
delay of 1000
source of tunnel GigabitEthernet0/0
multipoint gre tunnel mode
tunnel key 100000
Tunnel ipsec profile protection profile
end

and the rays:

interface Tunnel0
VPN description
bandwidth 1000
IP 172.16.5.13 255.255.255.0
no ip redirection
IP 1400 MTU
NAT outside IP
test of PNDH IP authentication
map of PNDH IP multicast XXX1<-official ips="" of="" the="" hubs="">
intellectual property PNDH map 172.16.5.1 XXX1
map of PNDH IP multicast x.x.x.2
property intellectual PNDH card 172.16.5.2 x.x.x.2
PNDH id network IP-100000
property intellectual PNDH holdtime 300
property intellectual PNDH nhs 172.16.5.1
property intellectual PNDH nhs 172.16.5.2
IP virtual-reassembly in
dissemination of IP ospf network
IP ospf priority 0
IP ospf cost 5000
delay of 1000
source of Dialer1 tunnel
multipoint gre tunnel mode
tunnel key 100000
Tunnel ipsec profile protection profile

I saw roads since we talked to another speaks so I did a routemap of filtering that routes in the routing table, it takes default route hub and does not speak but they always try to open a tunnel between them which is blocked by the incomg acl, so traffic flows as it should , but I don't want the rays always trying to open a tunnel, they shouldn't be. I just want dmvpn phase 1

Please try 'ip ospf point-to-multipoint network' on all routers of the star topology.

In addition, it would be useful that you can post the config ipsec part (less any info security).

Good luck with your configuration.

DMVPN problem with 2 hubs

Hello

I dmvpn phase 1 with 2 hubs, 20 rays and eigrp, HUB1 is main and HUB2's backup. If HUB1 works any traffic from rays go to HUB2 immediately in a few seconds, but when HUB1 gets traffic from rays automatically goes back to the HUB1 after 20-30 minutes and it is too long, it's problem.

command 'Show dmvpn' on the screens of rays which tunnelle to HUB1 are PNDH, and if I use 'session claire encryption"command manually on any traffic spoke of this talk past immediately to HUB1.

A month ago I tested and it worked fine. but when I last tested time 2 days ago, this problem occurred.

What should be the reason and how to fix it?

Sorry for my English, I'm new to dmvpn :)

Thanks in advance.

Hi George,.

I see two possible event which would explain the behavior that you are experiencing.

(a) change of State DMVPN.

(b) change in the routing table.

You can troubleshoot each of the question above to identify that one is at the origin of the problem and then isolate him. To begin, you must make sure that the DMVPN stay in a stable 'up' State.

You mention "pokes displays tunnels to HUB1 in PNDH State"-this confirm DMVPN is 'stuck' and not fully operational.

I suggest to consult a few details of useful troubleshooting here:

http://www.Cisco.com/c/en/us/support/docs/security/dynamic-multipoint-VP...

Take a look at these details:

~~~

Interface: Tunnel100, IPv4 PNDH details
Type: talk, PNDH peers: 2,.

# Ent Peer NBMA Peer Tunnel Addr add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.28.1.1 UP 1d21h S
1 192.168.1.2 172.28.1.2 UP 1d21h S

~~~

You get output similar in your configuration, if you want to keep an eye on the time of "UpDn", as it will tell you how long the DMVPN has been upward.

If the DMVPN remains stable, while you experience the problem, then focus on the routing protocol that you use in the troubleshooting dmvpn tunnel.

If the DMVPN is unstable, check the connectivity between the spokes and hub NBMA Address and connectivity remain stable. "you can use ' debug crypto dmvpn error and debug error PNDH dmvpn" to help identify the problem, if it is associated with DMVPN.

There is a lot of support in my suggestions, because you have not posted the configuration :).

But it would be useful that you post the config. Good luck with your efforts.

Thank you

re775

DMVPN with invalid SPI recovery / DPD

Dear Experts,

I'm evaluating a networks of average design company DMVPN Phase 2 scope, trying to optimize the time of receovery after a failure and restoration of a DMVPN counterpart.

1. I just spent through a PDF of Cisco Live at a workshop of 2011 named "Advanced Concepts of DMVPN - BRK 4052".

It is said (without further explanation) that the invalid SPI recovery feature is not useful with DMVPN.

Can anyone explain, why?

2 DMVPN involves the use of the Tunnel (TP) Protection. I read the reviews that say that you can not use Dead Peer Detection (DPD) as well as the TP.

Unlike these reviews, Cisco DMVPN V1.1 design guide recommends a configuration container:

ISAKMP crypto keepalive 10

That means, I have to use DPD, but without "periodicals" KeepAlive? If so, could you explain?

Thank you very much!

Dear Sebastian,

1 SPI recovery means essentially that the answering router must meet the same initiator VPN router if the SPI was invalid, the response of the intervener would be an 'invalid' error to the initiator VPN.

Why it is not recommended for DMVPN?

Well, according to the previous description of SPI, imagine if someone upsets your router with rogue applications! with the resumption of active SPI, it means that your router would need to respond to all messages which he received with the message "Invalid Error", which basically means--> attack (Denial of Service Attack) back--> high CPU processing on your router.

http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200

How is it that relates to DMVPN?

Well! DMVPN is mainly deployed with large number of rays! and even if no one attacks you! your rays can attack you

2. I don't think that having periodic KeepAlive is what we hear in the comments on demand or periodic KeepAlive is not really effect DMVPN.

I don't know what are the comments you've read, but I think you can use DPD! There have been some incompatabilites filed for tunnel KeepAlive, but as far as I know, nothing major was filed against ISAKMP KeepAlive.

HTH!

AMatahen

Spoke1 to Spoke2 slow network network

DMVPN configuration.

LAN to LAN Hub devices spoke both 60ms ping.

Spoke1 LAN Spoke2 LAN times 110ms 1000ms ping devices.

When I ping addresses it love of routers. I can ping to 30-45ms unless I ping from the own IP address of routers, then he replies to a reply of 90ms. significance:

Spoke1 to Spoke2 = 40ms

Spoke1 to the hub = 35ms

Spoke2 to the hub = 35ms

Spoke1 to self = 90ms

Spoke2 to self = 90ms

Config HUB:

door-key crypto Cisco

pre-shared key address 0.0.0.0 0.0.0.0 key KeyA

!

Crypto ipsec transform-set esp-3des SHA13-ESP-3DES esp-sha-hmac

transport mode

!

Crypto isakmp Cisco profile

key chain Cisco

function identity address 0.0.0.0

!

Profile of CISCO ipsec crypto

game of transformation-ESP-3DES-SHA13

Cisco isakmp-profile set

!

interface Tunnel0

Hub description

bandwidth 4000

IP 10.151.151.1 255.255.255.248

no ip redirection

IP mtu 1416

the PNDH IP Cisco authentication

dynamic multicast of IP PNDH map

PNDH id network IP-100000

property intellectual PNDH holdtime 360

IP tcp adjust-mss 1360

no ip split horizon eigrp 1

delay of 1000

source of tunnel GigabitEthernet0/0

multipoint gre tunnel mode

tunnel key 100000

Tunnel ipsec CISCO protection profile

!

interface GigabitEthernet0/0

Hub description

inherit the bandwidth

address IP A.A.A.A 255.255.255.252

Check IP unicast reverse path

NAT outside IP

IP virtual-reassembly

route IP cache flow

automatic duplex

Speed 100

media type rj45

auto negotiation

!

Router eigrp 1

Network 10.3.3.0 0.0.0.255

Network 10.150.150.0 0.0.0.255

Network 10.151.151.0 0.0.0.7

network 192.168.27.0

No Auto-resume

SPOKE1 config:

ISAKMP crypto key KeyA address 0.0.0.0 0.0.0.0

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

transport mode

!

Profile of CISCO ipsec crypto

game of transformation-ESP-3DES-SHA

!

interface Tunnel0

Description SPOKE1

bandwidth 4000

IP 10.151.151.2 255.255.255.248

no ip redirection

IP mtu 1416

no ip next-hop-self eigrp 1

the PNDH IP Cisco authentication

intellectual property PNDH map 10.151.151.1 A.A.A.A

map of PNDH IP multicast A.A.A.A

PNDH id network IP-100000

property intellectual PNDH holdtime 360

property intellectual PNDH nhs 10.151.151.1

IP tcp adjust-mss 1360

no ip split horizon eigrp 1

delay of 1000

source of tunnel GigabitEthernet0/1

multipoint gre tunnel mode

tunnel key 100000

Tunnel ipsec CISCO protection profile

!

interface GigabitEthernet0/1

Description SPOKE1

address IP B.B.B.B 255.255.255.252

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

media type rj45

!

Router eigrp 1

Network 10.148.27.0 0.0.0.255

Network 10.148.148.0 0.0.0.255

Network 10.151.151.0 0.0.0.7

No Auto-resume

SPOKE2 config:

ISAKMP crypto key KeyA address 0.0.0.0 0.0.0.0

!

Crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

transport mode

!

Profile of CISCO ipsec crypto

game of transformation-ESP-3DES-SHA1

!

interface Tunnel0

Description SPOKE2

bandwidth 4000

IP 10.151.151.3 255.255.255.248

no ip redirection

IP mtu 1416

no ip next-hop-self eigrp 1

authentication of the PNDH IP Rentsys

map of PNDH IP multicast A.A.A.A

intellectual property PNDH map 10.151.151.1 A.A.A.A

PNDH id network IP-100000

property intellectual PNDH holdtime 360

property intellectual PNDH nhs 10.151.151.1

IP tcp adjust-mss 1360

no ip split horizon eigrp 1

delay of 1000

source of tunnel GigabitEthernet0/1

multipoint gre tunnel mode

tunnel key 100000

Tunnel ipsec CISCO protection profile

!

interface GigabitEthernet0/1

Description SPOKE2

address IP C.C.C.C 255.255.255.252

NAT outside IP

IP virtual-reassembly

route IP cache flow

full duplex

Speed 100

media type rj45

!

Router eigrp 1

passive-interface default

no passive-interface Tunnel0

Network 10.149.149.0 0.0.0.255

Network 10.151.151.0 0.0.0.7

No Auto-resume

I did a trace on a network device to talk 1 to a device on the network Spoke 2. I noticed that the trace route goes through the love and hops to the address of tunnel GRE HUB. Is this the way to go for this Setup?

1 10.148.148.1 0 ms 0 ms 0 ms (internal address of the Router 1 spoke)
2 10.151.151.1 50 ms 50 ms 51 ms (GRE 'outside' address of the HUB)
3 10.151.151.3 109 MS 109 MS 109 ms (GRE 'outside' address of Router 2 spoke)
4 10.149.149.254 109 msec * 109 msec (router device 2 spoke)

Hello

Spoke1 should send a request of PNDH to HUB and HUB answer with spoke2 mapping; After speaking should build a tunnel talk to rays and speaks of talking about traffic must use this tunnel.

You have "no ip next-hop-self eigrp 1 ' configured in your hub tunnel interface?

If your IOS is 12.4 (6) T or higher, you can consider using dmvpn phase 3.

HTH,

Lei Tian

Policy of ITS phase 2 ISAKMP DMVPN is not acceptable!

Hello world

I'm having toruble with a DMVPN basic configuration. In debugging I can see how ends the phase 1 ISAKMP, but they phase 2 proposal fails. It says something about a cryptomap that does not exist. I thought that with these configuration I have needs not a cryptomap. The configuration of routers and print screen debugging are attached. Any help would be popular.

Gustavo

Try this:

Crypto ipsec transform-set average esp-3des esp-md5-hmac

transport mode

Also, since both the rays and the hub are behind a NAT NAT - T, you'll need, so certainly don't turn it off.

Phase DMVPN I fail when migration of PSK to GIPR

I'm currently is the migration process of my network key preshared certificate DMVPN. Most of the rays have developed and works without any problem, but there are several that are not past the phase I. I have included the isakmp debug of the hub and one of the rays who fail. I see that the hub goes QM_IDLE after receiving the certificate of the talks, but it looks like not to speak it never receives the cert of the hub. I suspect a problem with the ISP, but it's not as simple as filtering 500 as seem to do all messages except the cert. If I bring him talking on PSK it works fine. Has anyone seen this problem before and what is the resolution?

DMVPN Hub
7 Oct 19:38:36.213: ISAKMP: 500 local port, remote port 500
7 Oct 19:38:36.213: ISAKMP: find a dup her to the tree during the isadb_insert his 7F1AA7CC5920 = call BVA
7 Oct 19:38:36.213: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7 Oct 19:38:36.213: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
7 October 19:38:36.214: ISAKMP: (0): treatment ITS payload. Message ID = 0
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T RFC 3947
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T v7
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v3
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v2
7 Oct 19:38:36.214: ISAKMP: (0): pair found pre-shared key matching 2.8.51.58
7 October 19:38:36.214: ISAKMP: (0): pre-shared key local found
7 October 19:38:36.214: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (R) MM_NO_STATE (post 2.8.51.58)
7 October 19:38:36.214: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (R) MM_NO_STATE (post 2.8.51.58)
7 Oct 19:38:36.214: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
7 Oct 19:38:36.214: ISAKMP: 3DES-CBC encryption
7 Oct 19:38:36.214: ISAKMP: MD5 hash
7 Oct 19:38:36.214: ISAKMP: default group 1
7 Oct 19:38:36.214: ISAKMP: auth RSA sig
7 Oct 19:38:36.214: ISAKMP: type of life in seconds
7 Oct 19:38:36.214: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
7 Oct 19:38:36.214: ISAKMP: (0): atts are acceptable. Next payload is 3
7 Oct 19:38:36.214: ISAKMP: (0): Acceptable atts: real life: 0
7 Oct 19:38:36.214: ISAKMP: (0): Acceptable atts:life: 0
7 Oct 19:38:36.214: ISAKMP: (0): fill atts in his vpi_length:4
7 Oct 19:38:36.214: ISAKMP: (0): fill atts in his life_in_seconds:86400
7 October 19:38:36.214: ISAKMP: (0): IKE-> PKI start PKI Session state (R) MM_NO_STATE (post 2.8.51.58)
7 October 19:38:36.214: ISAKMP: (0): ICP-> IKE started PKI Session state (R) MM_NO_STATE (post 2.8.51.58)
7 Oct 19:38:36.214: ISAKMP: (0): return real life: 86400
7 Oct 19:38:36.214: ISAKMP: (0): timer life Started: 86400.
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T RFC 3947
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T v7
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v3
7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v2
7 Oct 19:38:36.214: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7 Oct 19:38:36.214: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
7 October 19:38:36.214: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
7 October 19:38:36.214: ISAKMP: (0): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
7 Oct 19:38:36.214: ISAKMP: (0): sending a packet IPv4 IKE.
7 Oct 19:38:36.214: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7 Oct 19:38:36.214: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
7 Oct 19:38:36.240: ISAKMP (0): received 2.8.51.58 packet 500 Global 500 (R) sport dport MM_SA_SETUP
7 Oct 19:38:36.240: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7 Oct 19:38:36.240: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
7 October 19:38:36.240: ISAKMP: (0): processing KE payload. Message ID = 0
7 October 19:38:36.242: ISAKMP: (0): processing NONCE payload. Message ID = 0
7 October 19:38:36.242: ISAKMP: (38618): payload processing CERT_REQ. Message ID = 0
7 October 19:38:36.242: ISAKMP: (38618): peer wants a cert CT_X509_SIGNATURE
7 October 19:38:36.242: ISAKMP: (38618): peer wants cert issued by cn = Tetra Pak Root CA - G1
7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
7 October 19:38:36.242: ISAKMP: (38618): provider ID is DPD
7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
7 October 19:38:36.242: ISAKMP: (38618): addressing another box of IOS!
7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
7 October 19:38:36.242: ISAKMP: (38618): provider ID seems the unit/DPD but major incompatibility of 209
7 October 19:38:36.242: ISAKMP: (38618): provider ID is XAUTH
7 Oct 19:38:36.242: ISAKMP: receives the payload type 20
7 Oct 19:38:36.242: ISAKMP (38618): sound not hash no match - this node outside NAT
7 Oct 19:38:36.242: ISAKMP: receives the payload type 20
7 Oct 19:38:36.242: ISAKMP (38618): No. NAT found for oneself or peer
7 Oct 19:38:36.242: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7 Oct 19:38:36.242: ISAKMP: (38618): former State = new State IKE_R_MM3 = IKE_R_MM3
7 October 19:38:36.243: ISAKMP: (38618): IKE-> PKI get configured TrustPoints State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.243: ISAKMP: (38618): ICP-> IKE Got set up TrustPoints State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.243: ISAKMP: (38618): IKE-> PKI obtain IssuerNames State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.243: ISAKMP: (38618): ICP-> IKE got IssuerNames State (R) MM_KEY_EXCH (post 2.8.51.58)
7 Oct 19:38:36.243: ISAKMP (38618): construction CERT_REQ for issuer cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
7 October 19:38:36.243: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
7 Oct 19:38:36.243: ISAKMP: (38618): sending a packet IPv4 IKE.
7 Oct 19:38:36.243: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7 Oct 19:38:36.243: ISAKMP: (38618): former State = new State IKE_R_MM3 = IKE_R_MM4
7 Oct 19:38:36.484: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport MM_KEY_EXCH
7 Oct 19:38:36.484: ISAKMP: (38618): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7 Oct 19:38:36.484: ISAKMP: (38618): former State = new State IKE_R_MM4 = IKE_R_MM5
7 October 19:38:36.484: ISAKMP: (38618): payload ID for treatment. Message ID = 0
7 Oct 19:38:36.484: ISAKMP (38618): payload ID
next payload: 6
type: 2
FULL domain name: s2s-lvrirt - 01.nvv .net .company .com
Protocol: 17
Port: 500
Length: 42
7 October 19:38:36.484: ISAKMP: (38618): processing CERT payload. Message ID = 0
7 October 19:38:36.484: ISAKMP: (38618): treatment of a cert CT_X509_SIGNATURE
7 October 19:38:36.484: ISAKMP: (38618): IKE-> certificate PKI add the peer of State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.485: ISAKMP: (38618): ICP-> certificate of the peer IKE Added State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.485: ISAKMP: (38618): IKE-> PKI get PeerCertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.485: ISAKMP: (38618): ICP-> IKE got PeerCertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.485: ISAKMP: (38618): pubkey from the counterpart is cached
7 October 19:38:36.485: ISAKMP: (38618): IKE-PKI > validate the chain of certificates of State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.485: ISAKMP: (38618): ICP-> IKE Validate string certificates of State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.485: ISAKMP: (38618): failed to get the certificate DN!
7 October 19:38:36.485: ISAKMP: (38618): payload processing GIS. Message ID = 0
7 Oct 19:38:36.486: ISAKMP: received payload type 17
7 October 19:38:36.486: ISAKMP: (38618): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID = 0, a = 0x7F1AA7CC5920
7 Oct 19:38:36.486: ISAKMP: (38618): SA authentication status:
authenticated
7 Oct 19:38:36.486: ISAKMP: (38618): SA has been authenticated with 2.8.51.58
7 Oct 19:38:36.486: ISAKMP: (38618): SA authentication status:
authenticated
7 October 19:38:36.486: ISAKMP: (38618): process of first contact.
lowering existing phase 1 and 2 with local 15.18.1.1 2.8.51.58 remote remote port 500
7 Oct 19:38:36.486: ISAKMP: (38617): received first contact, delete SA
7 Oct 19:38:36.486: ISAKMP: (38617): peer does not paranoid KeepAlive.
7 Oct 19:38:36.486: ISAKMP: (38617): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 2.8.51.58)
7 Oct 19:38:36.486: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7 Oct 19:38:36.486: ISAKMP: (38618): former State = new State IKE_R_MM5 = IKE_R_MM5
7 Oct 19:38:36.487: ISAKMP: node set 2177251913 to QM_IDLE
7 October 19:38:36.487: ISAKMP: (38617): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
7 Oct 19:38:36.487: ISAKMP: (38617): sending a packet IPv4 IKE.
7 Oct 19:38:36.487: ISAKMP: (38617): purge the node 2177251913
7 Oct 19:38:36.487: ISAKMP: (38617): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
7 Oct 19:38:36.487: ISAKMP: (38617): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI get self CertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.487: ISAKMP: (38618): ICP-> IKE Got self CertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI obtain SubjectName State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.487: ISAKMP: (38618): ICP-> IKE got SubjectName State (R) MM_KEY_EXCH (post 2.8.51.58)
7 Oct 19:38:36.487: ISAKMP: (38618): My ID configured as IPv4 address, but Addr not in Cert!
7 Oct 19:38:36.487: ISAKMP: (38618): using domain FULL as my ID name
7 Oct 19:38:36.487: ISAKMP: (38618): ITS been RSA authentication of signature using id ID_FQDN type
7 Oct 19:38:36.487: ISAKMP (38618): payload ID
next payload: 6
type: 2
FULL domain name: dmvpn-selurt - 01.nvv .net .company .com
Protocol: 17
Port: 500
Length: 44
7 Oct 19:38:36.487: ISAKMP: (38618): the total payload length: 44
7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI is CertificateChain to be sent through peer review of State (R) MM_KEY_EXCH (post 2.8.51.58)
7 October 19:38:36.488: ISAKMP: (38618): ICP-> IKE got CertificateChain to be sent through peer review of State (R) MM_KEY_EXCH (post 2.8.51.58)
7 Oct 19:38:36.489: ISAKMP (38618): construction of CERT payload for hostname = selurt-dmvpn - 01.nvv .net .company .com, serialNumber = 4279180096
7 Oct 19:38:36.489: ISAKMP (38618): construction CERT payload for cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
7 October 19:38:36.489: ISAKMP: (38618): using the key of the TP_NAD_CA trustpoint to sign pair
7 October 19:38:36.494: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
7 Oct 19:38:36.494: ISAKMP: (38618): sending a packet IPv4 IKE.
7 Oct 19:38:36.494: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7 Oct 19:38:36.494: ISAKMP: (38618): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
7 Oct 19:38:36.494: ISAKMP: (38617): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 2.8.51.58)
7 Oct 19:38:36.494: ISAKMP: (38617): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7 Oct 19:38:36.494: ISAKMP: (38617): former State = new State IKE_DEST_SA = IKE_DEST_SA
7 Oct 19:38:36.494: ISAKMP: (38618): IKE_DPD is enabled, the initialization of timers
7 October 19:38:36.494: ISAKMP: (38618): IKE-> end of the PKI public PKI Session state (R) QM_IDLE (post 2.8.51.58)
7 October 19:38:36.494: ISAKMP: (38618): ICP-> IKE session completed ICP State (R) QM_IDLE (post 2.8.51.58)
7 Oct 19:38:36.494: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
selurt-dmvpn-01 #.
7 Oct 19:38:36.494: ISAKMP: (38618): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
selurt-dmvpn-01 #.
7 Oct 19:38:46.492: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
7 October 19:38:46.492: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
7 October 19:38:46.492: ISAKMP: (38618): retransmission due to phase 1 of retransmission
7 October 19:38:46.992: ISAKMP: (38618): transmit phase 1 QM_IDLE...
7 Oct 19:38:46.992: ISAKMP (38618): increment the count of errors on his, try 1 5: retransmit the phase 1
7 October 19:38:46.992: ISAKMP: (38618): transmit phase 1 QM_IDLE
7 October 19:38:46.992: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01 #.
7 Oct 19:38:46.992: ISAKMP: (38618): sending a packet IPv4 IKE.
selurt-dmvpn-01 #.
7 Oct 19:38:56.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
7 October 19:38:56.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
7 October 19:38:56.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
7 October 19:38:56.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
7 Oct 19:38:56.981: ISAKMP (38618): increment the count of errors on his, try 2 of 5: retransmit the phase 1
7 October 19:38:56.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
7 October 19:38:56.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01 #.
7 Oct 19:38:56.981: ISAKMP: (38618): sending a packet IPv4 IKE.
selurt-dmvpn-01 #.
7 Oct 19:39:06.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
7 October 19:39:06.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
7 October 19:39:06.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
7 October 19:39:06.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
7 Oct 19:39:06.981: ISAKMP (38618): increment the count of errors on his, try 3 of 5: retransmit the phase 1
7 October 19:39:06.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
7 October 19:39:06.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01 #.
7 Oct 19:39:06.981: ISAKMP: (38618): sending a packet IPv4 IKE.
selurt-dmvpn-01 #.
7 Oct 19:39:09.880: ISAKMP: (38616): serving SA., his is 7F1AA7721158, delme is 7F1AA7721158
selurt-dmvpn-01 #.
7 Oct 19:39:16.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
7 October 19:39:16.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
7 October 19:39:16.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
7 October 19:39:16.980: ISAKMP: (38618): transmit phase 1 QM_IDLE...
7 Oct 19:39:16.980: ISAKMP (38618): increment the count of errors on his, try 4 out 5: retransmit the phase 1
7 October 19:39:16.980: ISAKMP: (38618): transmit phase 1 QM_IDLE
7 October 19:39:16.980: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01 #.
7 Oct 19:39:16.980: ISAKMP: (38618): sending a packet IPv4 IKE.
selurt-dmvpn-01 #.
7 Oct 19:39:26.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
7 October 19:39:26.482: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
7 October 19:39:26.482: ISAKMP: (38618): retransmission due to phase 1 of retransmission
7 October 19:39:26.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
7 Oct 19:39:26.981: ISAKMP (38618): increment the count of errors on his, try 5 of 5: retransmit the phase 1
7 October 19:39:26.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
7 October 19:39:26.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01 #.
7 Oct 19:39:26.981: ISAKMP: (38618): sending a packet IPv4 IKE.
selurt-dmvpn-01 #.
7 Oct 19:39:36.493: ISAKMP: (38617): serving SA., his is 7F1AA79AD9E0, delme is 7F1AA79AD9E0

DMVPN speaks
7 October 19:38:36.181: ISAKMP: (0): profile of THE request is (NULL)
7 Oct 19:38:36.181: ISAKMP: created a struct peer 15.18.1.1, peer port 500
7 Oct 19:38:36.181: ISAKMP: new position created post = 0x2B1F480C peer_handle = 0x80001DF4
7 Oct 19:38:36.181: ISAKMP: lock struct 0x2B1F480C, refcount 1 to peer isakmp_initiator
7 Oct 19:38:36.181: ISAKMP: 500 local port, remote port 500
7 Oct 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
7 Oct 19:38:36.181: ISAKMP: find a dup her to the tree during the isadb_insert his 2B16C9FC = call BVA
7 Oct 19:38:36.181: ISAKMP: (0): cannot start aggressive mode, try the main mode.
7 Oct 19:38:36.181: ISAKMP: (0): pair found pre-shared key matching 15.18.1.1
7 October 19:38:36.181: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
7 October 19:38:36.181: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
7 October 19:38:36.181: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
7 October 19:38:36.181: ISAKMP: (0): built the seller-07 ID NAT - t
7 October 19:38:36.181: ISAKMP: (0): built of NAT - T of the seller-03 ID
7 October 19:38:36.181: ISAKMP: (0): built the seller-02 ID NAT - t
7 Oct 19:38:36.181: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
7 Oct 19:38:36.181: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
7 October 19:38:36.181: ISAKMP: (0): Beginner Main Mode Exchange
7 October 19:38:36.181: ISAKMP: (0): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_NO_STATE
7 Oct 19:38:36.181: ISAKMP: (0): sending a packet IPv4 IKE.
7 Oct 19:38:36.205: ISAKMP (0): packet received 15.18.1.1 dport 500 sport Global 500 (I) MM_NO_STATE
7 Oct 19:38:36.205: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7 Oct 19:38:36.205: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
7 October 19:38:36.205: ISAKMP: (0): treatment ITS payload. Message ID = 0
7 October 19:38:36.205: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.205: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
7 Oct 19:38:36.205: ISAKMP (0): provider ID is NAT - T RFC 3947
7 Oct 19:38:36.205: ISAKMP: (0): pair found pre-shared key matching 15.18.1.1
7 October 19:38:36.205: ISAKMP: (0): pre-shared key local found
7 Oct 19:38:36.205: ISAKMP: analysis of the profiles for xauth...
7 October 19:38:36.205: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
7 October 19:38:36.205: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
7 Oct 19:38:36.205: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
7 Oct 19:38:36.205: ISAKMP: 3DES-CBC encryption
7 Oct 19:38:36.205: ISAKMP: MD5 hash
7 Oct 19:38:36.205: ISAKMP: default group 1
7 Oct 19:38:36.205: ISAKMP: auth RSA sig
7 Oct 19:38:36.205: ISAKMP: type of life in seconds
7 Oct 19:38:36.205: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
7 Oct 19:38:36.205: ISAKMP: (0): atts are acceptable. Next payload is 0
7 Oct 19:38:36.205: ISAKMP: (0): Acceptable atts: real life: 0
7 Oct 19:38:36.205: ISAKMP: (0): Acceptable atts:life: 0
7 Oct 19:38:36.205: ISAKMP: (0): fill atts in his vpi_length:4
7 Oct 19:38:36.205: ISAKMP: (0): fill atts in his life_in_seconds:86400
7 October 19:38:36.205: ISAKMP: (0): IKE-> PKI start PKI Session state (I) MM_NO_STATE (ext. 15.18.1.1)
7 October 19:38:36.205: ISAKMP: (0): ICP-> IKE started PKI Session state (I) MM_NO_STATE (ext. 15.18.1.1)
7 Oct 19:38:36.205: ISAKMP: (0): return real life: 86400
7 Oct 19:38:36.205: ISAKMP: (0): timer life Started: 86400.
7 October 19:38:36.205: ISAKMP: (0): load useful vendor id of treatment
7 October 19:38:36.205: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
7 Oct 19:38:36.205: ISAKMP (0): provider ID is NAT - T RFC 3947
7 Oct 19:38:36.205: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7 Oct 19:38:36.205: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
7 October 19:38:36.209: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_SA_SETUP (ext. 15.18.1.1)
7 October 19:38:36.209: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_SA_SETUP (ext. 15.18.1.1)
7 October 19:38:36.209: ISAKMP: (0): IKE-> PKI obtain IssuerNames State (I) MM_SA_SETUP (ext. 15.18.1.1)
7 October 19:38:36.209: ISAKMP: (0): ICP-> IKE got IssuerNames State (I) MM_SA_SETUP (ext. 15.18.1.1)
7 Oct 19:38:36.209: ISAKMP (0): construction CERT_REQ for issuer cn = Tetra Pak Root CA - G1
7 October 19:38:36.209: ISAKMP: (0): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_SA_SETUP
7 Oct 19:38:36.209: ISAKMP: (0): sending a packet IPv4 IKE.
7 Oct 19:38:36.209: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7 Oct 19:38:36.209: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
7 Oct 19:38:36.233: ISAKMP (0): packet received 15.18.1.1 dport 500 sport Global 500 (I) MM_SA_SETUP
7 Oct 19:38:36.233: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7 Oct 19:38:36.233: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
7 October 19:38:36.233: ISAKMP: (0): processing KE payload. Message ID = 0
7 October 19:38:36.245: ISAKMP: (0): processing NONCE payload. Message ID = 0
7 October 19:38:36.245: ISAKMP: (8329): payload processing CERT_REQ. Message ID = 0
7 October 19:38:36.245: ISAKMP: (8329): peer wants a cert CT_X509_SIGNATURE
7 October 19:38:36.245: ISAKMP: (8329): peer wants cert issued by cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
7 Oct 19:38:36.249: choose trustpoint TP_NAD_CA as transmitter
7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
7 October 19:38:36.249: ISAKMP: (8329): provider ID is the unit
7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
7 October 19:38:36.249: ISAKMP: (8329): provider ID is DPD
7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
7 October 19:38:36.249: ISAKMP: (8329): addressing another box of IOS!
7 Oct 19:38:36.249: ISAKMP: receives the payload type 20
7 Oct 19:38:36.249: ISAKMP (8329): sound not hash no match - this node outside NAT
7 Oct 19:38:36.249: ISAKMP: receives the payload type 20
7 Oct 19:38:36.249: ISAKMP (8329): No. NAT found for oneself or peer
7 Oct 19:38:36.249: ISAKMP: (8329): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7 Oct 19:38:36.249: ISAKMP: (8329): former State = new State IKE_I_MM4 = IKE_I_MM4
7 Oct 19:38:36.249: ISAKMP: (8329): send initial contact
7 October 19:38:36.249: ISAKMP: (8329): IKE-> PKI get self CertificateChain of State (I) MM_KEY_EXCH (ext. 15.18.1.1)
7 October 19:38:36.249: ISAKMP: (8329): ICP-> IKE Got self CertificateChain of State (I) MM_KEY_EXCH (ext. 15.18.1.1)
7 October 19:38:36.249: ISAKMP: (8329): IKE-> PKI obtain SubjectName State (I) MM_KEY_EXCH (ext. 15.18.1.1)
7 October 19:38:36.249: ISAKMP: (8329): ICP-> IKE got SubjectName State (I) MM_KEY_EXCH (ext. 15.18.1.1)
7 Oct 19:38:36.249: ISAKMP: (8329): My ID configured as IPv4 address, but Addr not in Cert!
7 Oct 19:38:36.249: ISAKMP: (8329): using domain FULL as my ID name
7 Oct 19:38:36.249: ISAKMP: (8329): ITS been RSA authentication of signature using id ID_FQDN type
7 Oct 19:38:36.249: ISAKMP (8329): payload ID
next payload: 6
type: 2
FULL domain name: s2s-lvrirt - 01.nvv .net .company .com
Protocol: 17
Port: 500
Length: 42
7 Oct 19:38:36.249: ISAKMP: (8329): the total payload length: 42
7 October 19:38:36.249: ISAKMP: (8329): IKE-> PKI is CertificateChain to send to the State peer (I) MM_KEY_EXCH (ext. 15.18.1.1)
7 October 19:38:36.253: ISAKMP: (8329): ICP-> IKE got CertificateChain to send to the State peer (I) MM_KEY_EXCH (ext. 15.18.1.1)
7 Oct 19:38:36.253: ISAKMP (8329): construction of CERT payload for hostname = s2s-lvrirt - 01.nvv .net .company .com, serialNumber = FCZ163860KW
7 October 19:38:36.253: ISKAMP: more send buffer from 1024 to 3072
7 October 19:38:36.253: ISAKMP: (8329): using the key of the TP_NAD_CA trustpoint to sign pair
7 October 19:38:36.449: ISAKMP: (8329): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_KEY_EXCH
7 Oct 19:38:36.449: ISAKMP: (8329): sending a packet IPv4 IKE.
7 Oct 19:38:36.449: ISAKMP: (8329): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7 Oct 19:38:36.449: ISAKMP: (8329): former State = new State IKE_I_MM4 = IKE_I_MM5
7 Oct 19:38:36.481: ISAKMP (8328): packet received 15.18.1.1 dport 500 sport Global 500 (I) MM_NO_STATE
7 October 19:38:46.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH...
7 Oct 19:38:46.449: ISAKMP (8329): increment the count of errors on his, try 1 5: retransmit the phase 1
7 October 19:38:46.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH
7 October 19:38:46.449: ISAKMP: (8329): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_KEY_EXCH
7 Oct 19:38:46.449: ISAKMP: (8329): sending a packet IPv4 IKE.
7 Oct 19:38:54.709: ISAKMP: (8327): purge the node 1841056658
7 Oct 19:38:54.709: ISAKMP: (8327): purge the node-57107868
7 October 19:38:56.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH...
7 Oct 19:38:56.449: ISAKMP (8329): increment the count of errors on his, try 2 of 5: retransmit the phase 1
7 October 19:38:56.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH
7 October 19:38:56.449: ISAKMP: (8329): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_KEY_EXCH
7 Oct 19:38:56.449: ISAKMP: (8329): sending a packet IPv4 IKE.
7 Oct 19:39:04.709: ISAKMP: (8327): serving SA., his is 3169E824, delme is 3169E824
7 Oct 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
7 Oct 19:39:06.181: ISAKMP: (8329): SA is still budding. Attached new request ipsec. (2.8.51.58 local, remote 15.18.1.1)
7 Oct 19:39:06.181: ISAKMP: error during the processing of HIS application: failed to initialize SA
7 Oct 19:39:06.181: ISAKMP: error while processing message KMI 0, error 2.
7 October 19:39:06.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH...
7 Oct 19:39:06.449: ISAKMP (8329): increment the count of errors on his, try 3 of 5: retransmit the phase 1
7 October 19:39:06.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH
7 October 19:39:06.449: ISAKMP: (8329): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_KEY_EXCH
7 Oct 19:39:06.449: ISAKMP: (8329): sending a packet IPv4 IKE.
7 Oct 19:39:10.261: ISAKMP: (8328): purge the node-1445247076
7 October 19:39:16.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH...
7 Oct 19:39:16.449: ISAKMP (8329): increment the count of errors on his, try 4 out 5: retransmit the phase 1
7 October 19:39:16.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH
7 October 19:39:16.449: ISAKMP: (8329): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_KEY_EXCH
7 Oct 19:39:16.449: ISAKMP: (8329): sending a packet IPv4 IKE.
7 Oct 19:39:20.261: ISAKMP: (8328): serving SA., his is 2AD85BD0, delme is 2AD85BD0
7 October 19:39:26.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH...
7 Oct 19:39:26.449: ISAKMP (8329): increment the count of errors on his, try 5 of 5: retransmit the phase 1
7 October 19:39:26.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH
7 October 19:39:26.449: ISAKMP: (8329): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_KEY_EXCH
7 Oct 19:39:26.449: ISAKMP: (8329): sending a packet IPv4 IKE.
7 October 19:39:36.449: ISAKMP: (8329): transmit phase 1 MM_KEY_EXCH...
7 Oct 19:39:36.449: ISAKMP: (8329): peer does not paranoid KeepAlive.
7 Oct 19:39:36.449: ISAKMP: (8329): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (ext. 15.18.1.1)
7 Oct 19:39:36.449: ISAKMP: (8329): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (ext. 15.18.1.1)

Mike,

Concentrator sends his cert but never spoke glow, it is usually a problem with the fragmentation of handling in transit networks.

Sniff the two end you can control and check if you are not missing any fragment on end spoke.

Could be as simple as a MTU problem on your end, or could be something in the path try reassambly.

Several ways to go, check your end if the fragments are missing in transit - begin studying with ISP (s).

M.

Phase 3 of DMVPN. Two clouds on talk

Hello! I have a question for the phase 3 of DMVPN

Can I enable cef of rewriting (ip shortened PNDH) on several (not one) in different clouds DMVPN tunnel interface on talk (two ISP connection on talk)?

For example

config spoke

int tunnel 1

-cloud DMVPN #1---

PNDH network IP-1 id

property intellectual shortened PNDH

....................

tunnel source int fa0/1

int tunnel 2

-cloud DMVPN #2---

PNDH network IP-2 id

property intellectual shortened PNDH

...................

tunnel source int fa0/2

Cef (ip shortened PNDH) can only be enabled on the interface of a tunnel or rewriting?

Andrey,

There is no limitation to allow switching shortcut on an interface only - especially on a RADIUS where the two clouds are separated.

There is only one restriction irt routing:

http://www.Cisco.com/en/us/docs/iOS-XML/iOS/ipaddr/command/ipaddr-i4.html#GUID-23299F54-7B61-4EC4-A658-47E05B6B98DD

How separate you the two clouds to ISPS?

M.

DMVPN BGP and EIGRP

I am in the initial phase of research DMVPN. We currently have an MPLS network running BGP. Each site has Internet at home as well as a VPN site-to-site is built on the router and talks to an ASA when the SPLM fails.

I want to implement DMVPN to do away with the site to site VPN and ASA. I'm going to run EIGRP on routers to connect DMVPN. Are there any good whitepapers on BGP as the main path and by EIGRP on the DMVPN as a backup? Or no focus on a general config?

Thank you

It's really the main issue.

With your configuration DMVPN roads will be internal EIGRP of an advertisement of 90, so your default DC prefer DMVPN on MPLS, which is exactly what you don't want.

There are several ways around this as summarizing through DMPVN, redistribution connected on the sites of the branch in EIGRP so roads DMVPN are external as well and then changing measures etc.

The other alternative I have ever done so it's for your information is really Cisco have what is called a solution IWAN where DMVPN is performed everywhere that is, even through the MPLS network.

That would solve your problem of external routes internal EIGRP but IWAN vs is much more than just that, even if you do not need necessarily to implement the entire solution at a time.

I just thought that it should be mentioned, and if you want more information on this I can direct you to the design guide.

Jon

DMVPN router behind ASA - need help please.

Hello

After reading many other discussions on this topic, it appears with the correct IOS and NAT - T active router, you bring up DMVPN behind a NAT device.

I tried to perform this task, but I can not even phase 1 going to the DMVPN. The routing was checked and I can ping the routers DMVPN public IP. I'm sure that the configurations for routers are good, but asked if any additional NAT is required on the ASA.

Here is the topology:

Plate rotating DMVPN > ASA > Internet > ASA > DMVPN Branch

The SAA on the side of the hub is in our data center and in production with several site-to-site and traffic to DMZ. Devices DMVPN is a Cisco 2921 and 1921. When I run a "debug crypto isakmp" on both routers, I see ISAKMP messages are sent on the branch DMVPN router. Nothing in the hub and no hits on the ASA ACL. I tried both the public IP address and the private IP address of the ACL on the ASA.

I have attached the relevant training and can post more if necessary.

Thank you

Brandon

Hello

I finally had time to laboratory it.

I used this topology:

I have

DMVPN - nat.png

ASA (config) # sh run nat
NAT (INSIDE, OUTSIDE) static source HUB-ROUTER-REAL-IP interface service udp-eq-4500 udp-eq-4500
NAT (INSIDE, OUTSIDE) static source HUB-ROUTER-REAL-IP interface service udp-eq-500 udp-eq-500
!
object network HUB
dynamic NAT interface (INSIDE, OUTSIDE)

ASA (config) # sh run access-list
extended OUTSIDE permitted udp access list any HUB-ROUTER-REAL-IP eq isakmp object
list access extended OUTSIDE permitted udp any eq HUB-ROUTER-REAL-IP 4500

R2 #sh run inter t0

interface Tunnel0
172.16.0.1 IP address 255.255.255.0
no ip redirection
no ip next-hop-self eigrp 1
no ip split horizon eigrp 1
dynamic multicast of IP PNDH map
PNDH id network IP-99
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
tunnel key 100000
Tunnel ipsec DMVPN-IPSEC-PROFILE protection profile

So it should be the same configuration that you use.

The only thing is that I had to ' stop/no shut' tunnel interface and removing some config that I also need to clear the connection on the ASA using "clear conn."

R2 #sh dmvpn
Legend: Attrb--> S - static, D - dynamic, I - incomplete
Local N - using a NAT, L-, X - no Socket
# Ent--> entries number of the PNDH with same counterpart NBMA
State of the NHS: E--> RSVPs, R--> answer, W--> waiting
UpDn time--> upward or down time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 PNDH details
Type: hub, PNDH peers: 2,.

# Ent Peer NBMA Peer Tunnel Addr add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 200.20.0.10 172.16.0.2 UNTIL 00:11:28
1 200.30.0.10 172.16.0.3 AT 00:11:22

R2 #.

DMVPN Phases

Similar Questions

DMVPN - nat.png

Maybe you are looking for