DMVPN QUESTION
Hello
I have deploy a dmvpn with two of the hub topology and several rays, after the spokes and the hub, I did a reboot in the hub to see if this drug works after rebbot in the hub, but I noticed that after the rebbot the tunnel in the hub is not come, the only way to raise the tunnel had to erase dmvpn static session in rays , during this time the hub to continue giving a message:
ISAKMP: ignoring the request to send delete notify (no ISAKMP security association) src 213.10.10.10 dst 213.58.10.10.14 for SPI 0xC15C587F
IOS:12.4.11 T 1
2821
2811
Someone can help me.
Thank you
Hello
Please make sure you have ISAKMP KeepAlive on the hubs and spokes, and once configured, please test again and see if it improves. What is happeneing is probably when the hub is restarted, speak it does not clear the tunnel is based on the SAs to timeout. When delete us the SAs on the RADIUS, the problem goes away. Configure ISAKMP KeepAlive should we work around this problem.
HTH,
Please rate if this can help.
Kind regards
Kamal
Tags: Cisco Security
Similar Questions
-
DMVPN Question ISAKMP Security Association
Hi all
I have implemented a full mesh base DMVPN, similar to the int of config used life package
http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/ tutorial.
I have a Hub and two rays. Everything seems to be ok functioing. I've included the config below for tunnels.
My Question is, when I do an isakmp crypto see the its, for example 2A talked, I have three ISAKMP SA with three different addresses of CBC...
How is that possible when I only have the tunnels to two other devices, the hub and rays 1? and why a foreign source address appears as an association of ISAKMP security on this router?
status of DST CBC State conn-id slot
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
A similar result on the hub
status of DST CBC State conn-id slot
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.1.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
Still 1 spoke only a 2
172.16.1.2 172.16.3.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 2 0 ACTIVE
Crypto config for all:
crypto isakmp policy 10 authentication pre-share crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0 ! crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac ! crypto ipsec profile MyProfile set transform-set MyTransformSet ! interface Tunnel0 tunnel protection ipsec profile MyProfile
Config of Tunnel hub
interface Tunnel0
10.0.100.1 IP address 255.255.255.0
dynamic multicast of IP PNDH map
PNDH network IP-1 id
tunnel source fa0/0
multipoint gre tunnel mode
Spoke 1 Tunnel Config
!
interface FastEthernet0/0
address 172.16.3.2 IP 255.255.255.0
automatic duplex
automatic speed
!
interface Tunnel0
10.0.100.2 IP address 255.255.255.0
no ip redirection
map of PNDH IP 10.0.100.1 172.16.1.2
map of PNDH IP multicast 172.16.1.2
PNDH network IP-1 id
property intellectual PNDH nhs 10.0.100.1
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
Profile of tunnel MyProfile ipsec protection
Spoke 2 Config of Tunnel
!
interface FastEthernet0/0
IP 172.16.2.2 255.255.255.0
automatic duplex
automatic speed
!
interface Tunnel0
IP 10.0.100.3 255.255.255.0
no ip redirection
map of PNDH IP 10.0.100.1 172.16.1.2
map of PNDH IP multicast 172.16.1.2
PNDH network IP-1 id
property intellectual PNDH nhs 10.0.100.1
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
Profile of tunnel MyProfile ipsec protection
SRC and DST IP addresses indicate that was author and answering machine. They do not represent information outlet (in the traditional sense of the term).
You could get in double sessions of the two scenarios IKE, are the most common.
(1) the negotiation started at both ends "simultaneously".
(2) renegotiation of IKE.
What is strange to me, is that you seem to have initiated session and responsed by the hub.
What I would do, is to add:
-ip server only PNDH (on the hub, it is not a provided ASR)
-DPD (on all devices).
Assures us that this hub initiates not anything in the PNDH and useless/deceased sessions are torn down eventually.
-
DMVPN question "" change btwn CONF_XAUTH & MM_NO_STATE ".
Hi all
can you please help on below: thanks in advance.
HQ which is configured to accept remote vpn client using crypto map and also it is configured for dynamic vpn with branch.
Static public IP HQ is 82.114.179.120, tunnel 10 172.16.10.1 and local lan ip is 192.168.1.0
Branch has dynamic public ip, 10 ip 172.16.10.32 tunnel local lan is 192.168.32.0 It is also configured by using tunnel 0 with an another CA that works very well.
Directorate-General for the Lan (192.168.32.0) is required to access lan (192.168.1.0) HQ...
Debug files attached
HQ:
AAA authentication login local acs
AAA authorization network local acs
!
AAA - the id of the joint session
!
IP cef
!8.8.8.8 IP name-server
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!redundancy
!VDSL 0/1/0 controller
!cryptographic keys ccp-dmvpn-keyring keychain
pre-shared key address 0.0.0.0 0.0.0.0 key [email protected] / * /
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto 5 3600 keepalive
ISAKMP crypto nat keepalive 3600
ISAKMP xauth timeout 60 crypto!
ISAKMP crypto client configuration group NAMA
namanama key
pool mypool
ACL 101
Save-password
Profile of crypto isakmp dmvpn-ccp-isakmprofile
CCP-dmvpn-keyring keychain
function identity address 0.0.0.0
!
Crypto ipsec transform-set esp-3des esp-md5-hmac test
tunnel mode
Crypto ipsec transform-set ESP-AES-MD5-esp - aes esp-md5-hmac comp-lzs
transport mode
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-AES-MD5
define the profile of isakmp dmvpn-ccp-isakmprofile
!card dynamic crypto map 10
Set transform-set test
market arriere-route
!
the i-card card crypto client authentication list acs
card crypto i-card isakmp authorization list acs
card crypto i-map client configuration address respond
card crypto i-card 10 isakmp ipsec dynamic map!
interface Tunnel10
bandwidth 1000
address 172.16.10.1 IP 255.255.255.0
no ip redirection
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
dynamic multicast of IP PNDH map
PNDH id network IP-100000
property intellectual PNDH holdtime 360
IP tcp adjust-mss 1360
delay of 1000
Shutdown
source of Dialer1 tunnel
multipoint gre tunnel mode
tunnel key 100000
Tunnel CiscoCP_Profile1 ipsec protection profile
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
IP 192.168.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
IP 192.168.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
ATM0/1/0 interface
DSL Interface Description
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5snap encapsulation
PPPoE-client dial-pool-number 1!
interface Dialer0
no ip address
!
interface Dialer1
the negotiated IP address
IP mtu 1492
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
PPP authentication chap callin pap
PPP chap hostname nama20004
password PPP chap 0 220004
PPP pap sent-username nama20004 password 0 220004
i-crypto map
!
IP local pool mypool 192.168.30.1 192.168.30.100
IP forward-Protocol ND
!
IP http server
IP http secure server
!
overload of IP nat inside source list 171 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1
IP route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access ip-list 171 allow a whole
Dialer-list 2 ip protocol allow
!HQ #sh cry isa his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
82.114.179.120 78.137.84.92 CONF_XAUTH 1486 ACTIVE
82.114.179.120 78.137.84.92 MM_NO_STATE 1483 ACTIVE (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 1482 ACTIVE (deleted)See the branch to execute:
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 11
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key [email protected] / * / address 82.114.179.105
ISAKMP crypto key [email protected] / * / address 82.114.179.120
ISAKMP crypto keepalive 10 periodicals
!
!
Crypto ipsec transform-set ESP-AES-MD5-esp - aes esp-md5-hmac comp-lzs
transport mode
Crypto ipsec transform-set esp - aes Taiz esp-md5-hmac comp-lzs
transport mode
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-AES-MD5
!
Profile of crypto ipsec to Taiz-profile-
the value of the transform-set in Taiz
!
interface Tunnel0
bandwidth 1000
IP 172.16.0.32 255.255.255.0
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
map of PNDH 172.16.0.1 IP 82.114.179.105
PNDH id network IP-100000
property intellectual PNDH holdtime 360
property intellectual PNDH nhs 172.16.0.1
IP tcp adjust-mss 1360
delay of 1000
source of Dialer0 tunnel
tunnel destination 82.114.179.105
tunnel key 100000
Tunnel CiscoCP_Profile1 ipsec protection profile
!
interface Tunnel10
bandwidth 1000
IP 172.16.10.32 255.255.255.0
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
property intellectual PNDH 172.16.10.1 card 82.114.179.120
PNDH id network IP-100000
property intellectual PNDH holdtime 360
property intellectual PNDH nhs 172.16.10.1
IP tcp adjust-mss 1360
delay of 1000
source of Dialer0 tunnel
tunnel destination 82.114.179.120
key to tunnel 22334455
tunnel of ipsec to Taiz-profile protection
!
interface Ethernet0
no ip address
Shutdown
!
ATM0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0.1
PVC 8/35
PPPoE-client dial-pool-number 1
!
!
interface FastEthernet0
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet1
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet2
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet3
# CONNECT TO LAN description #.
no ip address
!
interface Vlan1
# LAN INTERFACE description #.
customer IP dhcp host name no
IP 192.168.32.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1412
!
interface Dialer0
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication chap callin pap
PPP chap hostname mohammadaa
password PPP chap 0-123456
PPP pap sent-name of user mohammadaa password 123456 0
!
IP forward-Protocol ND
IP http server
10 class IP http access
local IP http authentication
no ip http secure server
!
the IP nat inside source 1 interface Dialer0 overload list
IP route 0.0.0.0 0.0.0.0 Dialer0
Route IP 192.168.0.0 255.255.255.0 172.16.0.1
IP route 192.168.1.0 255.255.255.0 172.16.10.1
!
auto discovering IP sla
Dialer-list 1 ip protocol allow
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!Branch #sh cry isa his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
82.114.179.120 78.137.84.92 MM_NO_STATE ACTIVE 2061 (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 2060 ACTIVE (deleted)Mohammed,
No probs, ensure safety.
The config you home has only one profile of IKE again. i.e. your DMVPN and ezvpn fall into the same basket.
What you need is a clean separation.
In the example you have
crypto isakmp profile VPNclient match identity group hw-client-groupname client authentication list userauthen isakmp authorization list hw-client-groupname client configuration address respond
which is then linked to:crypto dynamic-map dynmap 10 set isakmp-profile VPNclient reverse-route set transform-set strong
and separately a Profile of IKE DMVPN:
crypto isakmp profile DMVPN keyring dmvpnspokes match identity address 0.0.0.0
linked to your profile DMVPN IPsec:
crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong set isakmp-profile DMVPN
You apply the same logic here and clean to the top of your current config (i.e. move the features that you have applied to the level of the crypto map to your new profile of IKE).
M.
-
DMVPN questions - IPsec packets
Hi all
Currently, I am configuring DMVPN for the first time. I followed the guide to configuring cisco and Googling a bit other strands however seems to have hit a brick wall.
The Setup is in a lab environment, so I can post as much information as required, but here's the important bits:
I have 3 routers Cisco 2821 running IOS 12.4 (15) with a layer 3 switch in the Middle connecting ports 'wan' together. the routing works fine, I can ping to each of the other router router.
Excerpts from the hub router config:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 10000
ip address 172.17.100.1 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 450
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description HQ WAN
ip address 1.1.1.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
and here's the config on the first router spoke:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 3000
ip address 172.17.100.10 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map 172.17.100.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 101
ip nhrp holdtime 450
ip nhrp nhs 172.17.100.1
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description Site 1 WAN
ip address 11.11.11.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
If I closed/no farm tunnel0 on RADIUS 1 interface, I get the following error on the hub router:
Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
so I feel im lack some config on the side talking to encrypt the traffic, but I'm not sure what.
Here's the output router spoke:
RTR_SITE1#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
Source addr: 11.11.11.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 172.17.100.1 E
Type:Spoke, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 1.1.1.1 172.17.100.1 IKE never S 172.17.100.1/32
Interface: Tunnel0
Session: [0x48E31B98]
Crypto Session Status: DOWN
fvrf: (none), IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
Outbound SPI : 0x 0, transform :
Socket State: Closed
Pending DMVPN Sessions:
RTR_SITE1#sh ip nhrp detail
172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
Type: static, Flags: used
NBMA address: 1.1.1.1
RTR_SITE1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 46, #recv errors 0
local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
All these commands appear as empty when I throw them on the hub router.
Any help appreciated.
Thank you
No negotiate is because you do not have an Ike key implemented. You need
Crypto ISAKMP policy 1
BA (whatever)
AUTH pre-shared
Group (whatever)
ISAKMP crypto key 0 some secret address 0.0.0.0 0.0.0.0
Hun and talks must match.
Your IPSec transform-set should also have "transport mode".
Sent by Cisco Support technique iPad App
-
I have a phase 2 network with routers spoke about 40 and routers DMVPN hub double. 90% of this works very well. However, I have 3 or 4 of the spoke routers that are unable to communicate with each other directly (traffic is via the router hub between these specific sites) but they are able to coomunicate directly with other routers 35 or more. I think it's a question of PNDH, as when I show in detail PNDH ip on one of these 4 routers, 3 other routers present a (without plug) input. I am able to erase that 'sometimes' by Claire ip PNDH. Whenever the (not scoket) input y at - he speaks of talking communication does not work. Any help would be greatly appreciated.
Have you checked this CSCsw18019 bug
Communication of talking - talking about passing THE by hub if PNDH cache authors.
-
DMVPN w / multicast of installation/questions
Hello
I have a lot of questions, so bare with me as I vomit them out of my head.
I did a few tests with DMVPN inconjuction with the multicast video (Star, w / none talking of talk). The test configuration uses 2 cisco 2811 w/out module vpn. I understand the performance do not have the module. That being said, here are my questions.
1. with the encryption on the HUB and spokes routers use 90-97% of the cpu (8 MB multicast stream). With encryption off the coast, the Hub is about 60% and talked about 75%. Here's where I'm confused. If I send that same broadcast stream unicast, w / encryption, the hub and speaks using only about 30-35% cpu. Why is it so much more cpu need when it comes to a multicast stream?
2. in the current configuration, I entered, throttles and ignore the errors on the hub and the spokes. The hub has these errors on the LAN interface and speaks has these errors on the WAN interface. All other interfaces are completely clean. I checked and there is no duplex incompatibilities or speed. Any ideas?
HUBS:
Current configuration: 1837 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
Hub host name
!
boot-start-marker
boot-end-marker
!
forest-meter operation of syslog messages
activate the password
!
No aaa new-model
clock TimeZone Central - 6
!
dot11 syslog
IP source-route
!
!
IP cef
!
!
no ip domain search
8.8.8.8 IP name-server
IP multicast routing
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
voice-card 0
!
Archives
The config log
hidekeys
!
Tunnel1 interface
bandwidth 100000
192.168.11.1 IP address 255.255.255.0
no ip redirection
IP 1400 MTU
no ip next-hop-self eigrp 1
PIM sparse-mode IP
dynamic multicast of IP PNDH map
PNDH network IP-1 id
property intellectual PNDH holdtime 450
no ip-cache cef route
IP tcp adjust-mss 1360
no ip split horizon eigrp 1
delay of 1000
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
tunnel key 100000
bandwidth tunnel pass 100000
bandwidth tunnel receive 100000
!
interface FastEthernet0/0 (WAN)
IP address 216.x.x.x 255.255.255.192
PIM sparse-mode IP
load-interval 30
automatic duplex
automatic speed
!
interface FastEthernet0/1 (LAN)
IP 128.112.64.5 255.255.248.0
PIM sparse-mode IP
load-interval 30
automatic duplex
automatic speed
!
Router eigrp 1
network 128.112.0.0
network 192.168.11.0
Auto-resume
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 216.x.x.x
IP http server
local IP http authentication
IP http secure server
!
!
128.112.64.5 IP pim rp 10
!
access-list 10 permit 239.10.0.0 0.0.255.255
public RO SNMP-server community
!
Speaks:
Current configuration: 1857 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
host name talk
!
boot-start-marker
boot-end-marker
!
forest-meter operation of syslog messages
activate the password
!
No aaa new-model
clock timezone central - 6
!
dot11 syslog
IP source-route
!
!
IP cef
!
!
no ip domain search
IP multicast routing
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
voice-card 0
!
Archives
The config log
hidekeys
!
Tunnel1 interface
bandwidth 100000
192.168.11.2 IP address 255.255.255.0
no ip redirection
IP 1400 MTU
PIM sparse-mode IP
property intellectual PNDH 192.168.11.1 card 216.x.x.x
map of PNDH IP multicast 216.x.x.x
PNDH network IP-1 id
property intellectual PNDH holdtime 450
property intellectual PNDH nhs 192.168.11.1
no ip-cache cef route
IP tcp adjust-mss 1360
no ip split horizon eigrp 1
delay of 1000
source of tunnel FastEthernet0/0
destination 216.x.x.x tunnel
tunnel key 100000
bandwidth tunnel pass 100000
bandwidth tunnel receive 100000
!
interface FastEthernet0/0 (WAN)
IP address 65.x.x.x 255.255.255.192
PIM sparse-mode IP
load-interval 30
automatic duplex
automatic speed
!
interface FastEthernet0/1 (LAN)
IP 128.124.64.1 255.255.248.0
PIM sparse-mode IP
IP igmp join-group 239.10.10.10
load-interval 30
automatic duplex
automatic speed
!
Router eigrp 1
network 128.124.0.0
network 192.168.11.0
Auto-resume
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 65.x.x.x
no ip address of the http server
no ip http secure server
!
!
128.112.64.5 IP pim rp 10
!
access-list 10 permit 239.10.0.0 0.0.255.255
public RO SNMP-server community
Joe,
You ask the right question.
Ultization CPU = CPU consumed by the process + IO operations (in a huge simplification - CEF)
Usually when a package is processed by the router we expect to be treated by CEF, i.e. very quickly.
Package is not processed by CEF:
-When there is something missing to route the package properly (think entry ARP/CAM) that is additional research needs to be done.
-a feature request that a packet is for transformation/deformation
-The package is for the router
(And many others, but these are the most important).
When a package is recived, but cannot be treated by the CEC, we "punt to CPU package" this will cause in turn the CPU for the process to move upward.
Now on the shelf, this seems to be the problem:
Spoke#show ip cef switching stati
Reason Drop Punt Punt2Host
RP LES Packet destined for us 0 1723 0
RP LES Encapsulation resource 0 1068275 0
There are also some failures on an output buffer you set.
Usually at this stage I would say:
(1) ' upgrade' of the device to 15.0 (1) M6 or 12.4 (15) T (last picture in this branch) and check if the problem persists there.
(2) If this is the case, rotate it by TAC. I don't see any obvious errors, but I'm just a guy on a Chair even as you ;-)
Marcin
-
Hello
I have a DMVPN between 1 hub & router 1 Backup Server Setup.
Here is the config of tunnel of Hub:
Tunnel1 interface
IP 10.101.0.1 255.255.255.0
no ip redirection
IP mtu 1416
property intellectual PNDH authentication abcd
dynamic multicast of IP PNDH map
PNDH id network IP-123
No eigrp split horizon ip 100
source of tunnel FastEthernet0/1
multipoint gre tunnel mode
tunnel key 1234567
Protection ipsec DMVPN tunnel profile
!
Router eigrp 100
Network 10.100.0.0 0.0.0.255
network 192.168.9.0
No Auto-resume
!
Spoke about Config:
Tunnel1 interface
IP 10.101.0.250 255.255.255.0
no ip redirection
IP mtu 1416
property intellectual PNDH authentication abcd
property intellectual PNDH card 10.101.0.1 publicIPhere
map of PNDH IP multicast publicIPhere
PNDH id network IP-123
property intellectual PNDH nhs 10.101.0.1
intellectual property PNDH hides not authoritative
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
tunnel key 1234567
Protection ipsec DMVPN tunnel profile
!
Router eigrp 100
Network 10.101.0.0 0.0.0.255
network 192.168.2.0
No Auto-resume
My problem is that I can't get the EIGRP working between the HUB and the SPOKE routers. My isakmp and ipsec work fine. I am able to ping the two GREtunnel IP through the IPSEC tunnel.
If I use static routing communication works very well, is it possible to get the eigrp to travel through the tunnel, so I can avoid static routing?
TIA,
Fred
Hello
the hub has the eigrp wrong config... Here is the correct config-
Router eigrp 100
Network 10.101.0.0 0.0.0.255
network 192.168.9.0
No Auto-resume
you had
Router eigrp 100
Network 10.100.0.0 0.0.0.255
network 192.168.9.0
No Auto-resume
-
DMVPN divide tunnling question, not able to pass http traffic to end spoke.
Hi all
I would appreciate it please help me solve after publication.
I've used installation DMVPN (EIGRP routing protocol) for 20 site no problem at all, and everything works perfectly.
Now, I have received a request that I would need to divide the legitimate business and internet traffic to end talks, so all internet traffic via a local ADSL connection, but I tried to solve it but router speaks constantly forward all traffic to the tunnel.
Moreover, I found on internet DMVPN a limitation that split tunneling isn't possible.
Please can you suggest me how can I send internet traffic (HTTP) via a DSL connection local
Thank you and best regards,DMVPN is not based on politics, split tunneling concepts not apply.
DMVPN relies on the road to understand what traffic should be sent by tunnel.
In your case, you also have to distinguish between the company and the Internet HTTP traffic, better correct routing in place.
-
question about logon crypto DMVPN
in a dmvpn speaks to talk, how is it that the session of encryption can only be initiated by the rays? IKE authentication can only be initiated by spoke them? Why not the hub? they use the two wild-card pre-shared keys.
I can understand in an IPSEC encapsulation direct hub-and-spoke is scenario where the RADIUS is statically defining the address of peer IKE and defining interesting traffic. The hub uses a wildcard for psk and does not define interesting not sure as well so don't can not login to encryption.
but in a dmvpn spoke with star topology to spoke feature (the two love running) why is her talking about the only one who can open a session encryption? I know that speaks it has PNDH static mappings for the hub outside the address, but the hub must include all of the PNDH mappings to the rays in its cache PNDH. -shouldn't it be able to initiate ike authentication?
Thank you
Hello
DMVPN hub has no information mapping PNDH (only when the session is in place).
The rays have configured the hub as the PNDH server.
Federico.
-
Question DMVPN with double IPS links at the end of the branch
I have a Setup (see drawing) where I
Double TIS links at the end of the branch, with the wireless and the other with 3 G.
Wireless should always be the main path, when it works (it's a kind ship when it is in the port)
If I use OSPF, then it works fine the failover, but as soon as I enable IPSEC on the tunnel, then there are switched only once and it will not be repeated at the elementary level once again, without having to restart the router, and then it works for a failover once again.
I also use tracking, because there is no interface, it is down
Are there someone there is a working configuration, where ec. in the network head (normal installation) there is double tis links on the same router or ofcause the same as I.
I'm ready to use any kind of protocols so that it can work, so RIPv2 (preferred), EIGRP, OSPF, tracking, IP SLA
Who is 80.198.195.138?
The peer Hub address is 80.1.1.1 then you can ping this address when the main link is down?
It also seems that you have IPSec tunnel 0 UP but no 0 and 1-tunnel at the same time tunnel. Make sure you have the word of shared key on the hub, router that you use the same source for the two IPSec tunnel IP address.
This message means the IKE database between two routers is out of sync, but should recover on its own.
HTH
Laurent.
-
DMVPN - PSK to Auth RSA - Sig move
Hi all
I'm moving a laboratory DMVPN config PSK has the use of certificates.
Installed root CA + certificates without problem.
I imagined it would be just a case of creating a different strategy on the hubs ISAKMP and rays and gradually introduce speaks talks about but I am receiving and error on the hub "x.x.x.x IKE message failed the validation test or is incorrect.
the problem disappears if I remove the ISAKMP policy in the hub, he returns to the original policy of the PSK. I checked the correspondence of policies a million times and the certificates are installed properly.
I have included some of the config below. Policy 10 works very well.
any help appreciated. Thank you
-Hub-crypto ISAKMP policy 5
BA aes
md5 hash
!
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto key address 0.0.0.0 xxxxxxxxxxxxxxxxxx
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac hand
tunnel mode
!Profile of crypto ipsec ProfileName
define security-association life seconds 900
transformation-home game
!
!
!
!
!
!
!
interface Tunnel0
bandwidth 20480
IP x.x.x.x 255.255.255.0
no ip redirection
IP 1400 MTU
NBAR IP protocol discovery
penetration of the IP stream
IP nat inside
property intellectual PNDH authentication Auth
dynamic multicast of IP PNDH map
PNDH IP network id ID
IP virtual-reassembly in
No cutting of the ip horizon
IP tcp adjust-mss 1300
CDP enable
source of tunnel Dialer
multipoint gre tunnel mode
tunnel key X
Profile of tunnel ProfileName ipsec protection-Speaks-crypto ISAKMP policy 5
BA aes
md5 hash
!
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto keys xxxxxxxxxxx address 0.0.0.0
!
!
Crypto ipsec transform-set main esp-3des esp-md5-hmac
tunnel mode
!
Profile of crypto ipsec IProfile
define security-association life seconds 900
Set main transformation game
!
!
!
!
!
!
!
interface Tunnel0
IP x.x.x.x 255.255.255.0
no ip redirection
IP 1400 MTU
IP nat inside
property intellectual PNDH authentication Auth
dynamic multicast of IP PNDH map
property intellectual PNDH card x.x.x.x where x.x.x.x
map of PNDH IP x.x.x.x multicast
PNDH IP network id X
property intellectual PNDH nhs x.x.x.x
IP virtual-reassembly in
No cutting of the ip horizon
IP tcp adjust-mss 1300
source of tunnel Dialer
multipoint gre tunnel mode
tunnel key X
Profile of tunnel Iprofile ipsec protectionYour certificates seem to be good. TGE of time is very important. Comes with service horodateurs time of the journal is your clock the ntp.
When everything is set correctly in view, I would be very interested to get all debugs them.
This question you have is based on the key or certificate not authencating together, coukd be mtu, could be something else.
Would you mind to provide all debugs them and perhaps a trace of wireshark to see what is happening. Debugs isakmp, ipsec and certificates as well.
Thank you
-
Are there concerns using VoIP with DMVPN? How is managed quality of Service?
Thank you for your participation.
Dean,
You guessed it! Remember to accept your answer as the answer ;)
Thank you for participating in the dissemination on the Web today, please feel free to post any questions here or in the Ask the Expert wire.
-Frank
-
On DMVPNs selective IPSec encryption
Hello
I have a DMVPN with two rays on a MPLS-L3-IPVPN network. IPSec over GRE profiles using crypto. Works very well. Now, he only need to encrypt all traffic except EF DSCP. Tried with the help of ACB defining IP-Next Hop for EF-packages and just normal dug routing for all other types of traffic.
My question is, I know cryptographic cards that use ACLs can selectively encrypt traffic through the IPSec/GRE tunnels. Cryptographic profiles don't seem to have this feature. Is there another way to do this?
A snip Config by couple spoke it as below.
===============
interface GigabitEthernet0/0.1
DESC LAN i / f
IP 10.10.10.1 255.255.255.0
political intellectual property map route ACBinterface Tunnel100
IP 172.16.254.13 255.255.254.0
no ip redirection
property intellectual PNDH card 172.16.254.1 103.106.169.10
map of PNDH IP multicast 103.106.169.10
PNDH network IP-1 id
property intellectual PNDH nhs 172.16.254.1
property intellectual shortened PNDH
KeepAlive 10 3
source of tunnel GigabitEthernet0/1.401
multipoint gre tunnel mode
key 1 tunnel
Profile of tunnel DMVPN-Crypto ipsec protection
endGIE Router 1
no car
NET 172.16.254.0 0.0.1.255
EIGRP log-neighbor-warnings
EIGRP log-neighbor-changes
! - router id
NET 10.10.10.0 0.0.0.255ACB allowed 10 route map
ACB match ip address
IP 11.2.100.2 jump according to the value
!
ACB allowed 20 route mapACB extended IP access list
permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
allow icmp host 10.10.10.5 host 15.1.1.1 dscp 41
deny ip any any newspaper===============
Note: the routing table contains only a default route learned via EIGRP. Thus, if the ACB 10 past, policy would transmit to the Next-hop (PE). Or would otherwise use 0/0 and route thro' the tunnel.
Thanks in advance!
See you soon
AravindWith DMVPN, no. You will need to return to the use of just cryptographic cards, only using access lists to control what is and is not encrypted.
If the "EF" traffic was dedicated VoIP subnets so you would have more options, you can choose everything just don't not to route these subnets above the Tunnel.
-
DMVPN Solution for 50 Branches...
Hi all
We have about 40 branches and a Central data center.
each office is connected with the domain controller and all internet traffic passed and filtered between DC and the Central firewall.
We have VoiP, with a Central in DC call manager.
our data are in DC, except some of the offices that have their own file server.
RDP is also continue to use.Now, one day, we have a MPLS network linking all of our offices.
I do a search about to implement a DMVPN for all, or as a second solution to some of our offices (the small one).
How can you recommend or kind one or the other solution?as I read, the voice traffic is the most critical and the most difficult to manage with the ISP and DMVPN Solution.
I would really apriciate your opinion.
Kind regards
Thomas.PS
I chose cause DMVPN we have in the near future to have a backup of our DC in a second office, only for some of the critics of the data and services.
That's why I think to use the DMVPN with 2 HubsYes you can run it on the Internet. Yes, you may have questions of VoIP.
A solution that we used in the past is double internet connections. You dedicate one VoIP and one for everything else. Always much cheaper than MPLS.
You can also use Pfr (routing performance) to select the circuit to use based on the latency and jitter, and the type of traffic.
-
Hello
I dmvpn phase 1 with 2 hubs, 20 rays and eigrp, HUB1 is main and HUB2's backup. If HUB1 works any traffic from rays go to HUB2 immediately in a few seconds, but when HUB1 gets traffic from rays automatically goes back to the HUB1 after 20-30 minutes and it is too long, it's problem.
command 'Show dmvpn' on the screens of rays which tunnelle to HUB1 are PNDH, and if I use 'session claire encryption"command manually on any traffic spoke of this talk past immediately to HUB1.
A month ago I tested and it worked fine. but when I last tested time 2 days ago, this problem occurred.
What should be the reason and how to fix it?
Sorry for my English, I'm new to dmvpn :)
Thanks in advance.
Hi George,.
I see two possible event which would explain the behavior that you are experiencing.
(a) change of State DMVPN.
(b) change in the routing table.
You can troubleshoot each of the question above to identify that one is at the origin of the problem and then isolate him. To begin, you must make sure that the DMVPN stay in a stable 'up' State.
You mention "pokes displays tunnels to HUB1 in PNDH State"-this confirm DMVPN is 'stuck' and not fully operational.
I suggest to consult a few details of useful troubleshooting here:
http://www.Cisco.com/c/en/us/support/docs/security/dynamic-multipoint-VP...
Take a look at these details:
~~~
Interface: Tunnel100, IPv4 PNDH details
Type: talk, PNDH peers: 2,.# Ent Peer NBMA Peer Tunnel Addr add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.28.1.1 UP 1d21h S
1 192.168.1.2 172.28.1.2 UP 1d21h S~~~
You get output similar in your configuration, if you want to keep an eye on the time of "UpDn", as it will tell you how long the DMVPN has been upward.
If the DMVPN remains stable, while you experience the problem, then focus on the routing protocol that you use in the troubleshooting dmvpn tunnel.
If the DMVPN is unstable, check the connectivity between the spokes and hub NBMA Address and connectivity remain stable. "you can use ' debug crypto dmvpn error and debug error PNDH dmvpn" to help identify the problem, if it is associated with DMVPN.
There is a lot of support in my suggestions, because you have not posted the configuration :).
But it would be useful that you post the config. Good luck with your efforts.
Thank you
re775
Maybe you are looking for
-
Hello I suspect someone who tries to steal my Apple and details. I received an email from a "fake Apple website. Does anyone know if this email is approved?
-
kb2656368 custody relocation. Windows Update says it's successful. It does not show in Add/Remove programs
-
Two Linksys EA6200 at the same time
Hi all, I bought two routers Linksys EA6200. Before buying, I have read the manual and confirmed that it can act as a wireless (bridge mode) access point. I had no problem setting up one as a router and connect to the internet via the modem from my I
-
Why my laptop starts then sudenly get all lines going donw the monitors
Hi why my cell phone begins to sundenly get all the lines going to the bottom of the screen when I click on the programs I have on it suddenly stops then I'll safe mode with network will it please help if you can, thanks
-
FATAL error after Power Cycle - GVRP associated?
Hi all Happy new year! I have a network of four 300 switches of the series of small businesses. All are running the version of the 1.3.5.58 software (latest version). Three of them are connected by 2 groups of LAG to the central switch that in turn c