DMVPN tunnel

Hello all

I have a few questions about DMVPN.

I have a working hub-and-spoke router configuration. On the spoke router the DMVPN tunnel is configured with tunnel source Loopback 1. Loopback 1 has a /32 address, 10.253.20.X, and the LAN subnet is 10.168.X.X/24.

I want to know why we use Loopback 1 as the tunnel source and not the local LAN subnet.

What is the use of the following commands, and are they optional?

  • ip nhrp network-id 2000
  • tunnel key 100000
  • tunnel source loopback 1 (or an IP address)

Also, I would like to know whether it is possible to configure a DMVPN tunnel between two routers, or between an ASA and an ASA, with version 8.2 or 7.2?

Thanks a million in advance

See you soon

Deepak Khemani

Hi Deepak,

The command no crypto ipsec nat-transparency udp-encapsulation makes it use TCP (default port 10000) rather than UDP for NAT transparency.

The other commands create a crypto map to protect the outbound interface.

Essentially, in the crypto map you have the destination peer (ISAKMP peer) and the ACL to match the traffic to protect.

In your case, it seems the crypto map protects the GRE tunnel.

I believe this works because you encapsulate the GRE tunnel in an IPsec tunnel, but that causes a lot of overhead.

I would recommend that you create an IPsec profile and apply it to the VTI interface, because even though you can make a crypto map work with DMVPN, the administration won't be as easy.

Just a quick comparison of crypto map vs IPsec VTI commands:

Crypto map

crypto ipsec transform-set ts1 esp-aes
access-list 100 permit ip src dst
crypto map map1 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set ts1
 ...
int X/X
 crypto map map1

Now with the VTI (assuming that tunnel mode/source/destination are already configured):

crypto ipsec transform-set ts1 esp-aes
crypto ipsec profile pf1
 set transform-set ts1
int tun0
 tunnel protection ipsec profile pf1

I hope this helps.

Please mark as answered and/or rate if this answers your questions.

Tags: Cisco Security

Similar Questions

  • Is this DMVPN tunnel forwarding directed broadcasts?

    Hi folks.

    We had an interesting problem on one of our spokes in our DMVPN network.

    The 2811 router's CPU was at 98%, with the IP Input process taking 98%.

    From netflow I saw many broadcasts being forwarded through Tun4, which is a DMVPN tunnel.

    SrcIf  SrcIPaddress     DstIf  DstIPaddress     Pr  SrcP  DstP  Pkts
    FA0/0  169.254.29.148   Tu4    169.254.255.255  11  0089  0089  9136
    FA0/0  169.254.220.230  Tu4    169.254.255.255  11  0089  0089  1935
    FA0/0  169.254.153.196  Tu4    169.254.255.255  11  0089  0089  14K

    The 169.254.X.X addresses are what Windows configures automatically when a PC is unable to obtain an IP address.

    The tunnel configuration is as follows, and I wonder whether, because of the "ip nhrp map multicast", it forwards all multicast and broadcast traffic over the tunnel.

    Is this the case?

    interface Tunnel4
     bandwidth 2048
     ip address X.X.X.X 255.255.252.0
     no ip redirects
     ip mtu 1400
     ip flow ingress
     ip nhrp authentication xxxxx
     ip nhrp map A.A.A.A B.B.B.B
     ip nhrp map multicast B.B.B.B
     ip nhrp network-id 100003
     ip nhrp holdtime 600
     ip nhrp nhs Y.Y.Y.Y
     ip nhrp registration no-unique
     ip nhrp shortcut
     ip nhrp redirect
     load-interval 30
     qos pre-classify
     tunnel source Loopback4
     tunnel mode gre multipoint
     tunnel key 100003
     tunnel protection ipsec profile backup

    Hi Rick, thanks for the note :)

    Hi George,

    Another solution is to create a static route to Null0 for this unwanted traffic.

    Kind regards

    Lei Tian

  • DMVPN tunnel stays up

    Hello, I need to change the IP address of the hub. The only way to reach the spokes is through the tunnel.

    The plan was to change the NHRP maps on the spokes first, then finally change the public IP address of the hub. It did not work, because the tunnels still remain up and keep the 'old' IP address.

    I added ISAKMP keepalive, NHRP holdtime on the tunnel and tunnel keepalive, but without success.

    The only way to get the spokes to accept the new IP address is to shut and no shut the tunnel. But this cuts off my own branch.

    Question: does anyone know a way that lets the DMVPN tunnel notice the loss of connection, clear the NHRP cache and rebuild the tunnel to the new destination without having to restart the spokes?

    Thank you and best regards, Peter

    Peter,

    Thank you for responding and letting me know. I appreciate it.

    See you soon

    Gilbert

  • DMVPN Tunnel and EIGRP routing problem

    I have redundant paths to a remote 2811 router on my network of sites. The first link is a T1 frame relay connection that has been in place for years, and the new link is a 54 Mbps fixed wireless link that was recently installed.

    I'm running EIGRP process 100 as my routing protocol for both links.

    I set up a DMVPN tunnel between the remote 2811 and a 2851 router at my host site. The tunnel interface shows up/up on both sides and I can ping the remote tunnel IP from my host-side networks.

    However, my EIGRP routes are not propagated over this new tunnel link, and if I run show ip eigrp neighbors on each router I only see the neighbor for the frame relay link and not the new wireless link.

    What am I missing here?

    A show interface tunnel0 gives the following:

    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 10.x.x.x/24
      MTU 1514 bytes, BW 54000 Kbps, DLY 10000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 172.x.x.x (FastEthernet0/1), destination 10.x.x.x
      Tunnel protocol/transport GRE/IP
        Key 0x186A0, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "CiscoCP_Profile1")
      Last input 00:00:01, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 947
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         880 packets input, 63000 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         910 packets output, 81315 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Please go ahead and add a static route on the hub so that it goes through the wireless link, and let me know if everything works correctly.

    Federico.

  • IPsec DMVPN tunnel mode

    "Prior to Cisco IOS Release 12.3(6) and 12.3(7)T, for spoke routers to participate in a DMVPN network they had to use IPsec tunnel mode." is stated in the following doc:

    http://CCO/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html#wp1085369

    But I tried transport mode and it seems to work very well. I use 12.2(15)T. Is it supposed to work? If not, why?

    Thank you

    The restriction you are referring to applies only when your DMVPN spokes are behind NAT devices. If they are not behind NAT devices they can use either tunnel or transport mode correctly.

  • Proof of encryption for the DMVPN tunnel

    I've been setting up VPNs for a short time and I'm trying to get a better understanding of the mechanics.

    I configured DMVPN between an HQ router and two branches. I'm running EIGRP between the routers over the GRE tunnel interfaces. I can see EIGRP neighbors via the tunnel, which is good. The part I'm trying to understand is that I have not created any ACL and I still seem to form EIGRP neighbor relationships over the tunnels. If I ping or telnet from the HQ router to one of the branches, I assume that I'm going through the tunnel and the traffic is encrypted. I would like to be able to prove it and see the evidence.

    Do I have to have an ACL configured to tell the router what to encrypt? Or does the fact that the tunnel has a crypto profile applied take care of it?

    I did a test and telneted from Headquarters to Branch 1 using private addresses that are sent through the tunnel, and then entered the command

    sh crypto ipsec sa. My telnet source address is the loopback of the router, which is 172.22.3.1. I thought I'd see 172.22.3.1 or 172.22.1.1 in the output of the command, but I do not, and that makes me wonder whether the traffic is being encrypted. Maybe my configs are incorrect or I need a different show command?

    I have attached my router configs as well. If someone could help me understand a little more it would be appreciated.

    Andy

    Lab-HQ-rtr#telnet 172.22.1.1   (this is Branch1rtr)
    Trying 172.22.1.1 ... Open

    User Access Verification

    Username: andrewb
    Password:

    Lab-branch1-rtr#sh crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 50.50.50.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (50.50.50.1/255.255.255.255/47/0)   * thought I'd see the telnet src and dst address *
       remote ident (addr/mask/prot/port): (50.50.50.3/255.255.255.255/47/0)
       current_peer 50.50.50.3 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
        #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 24, #recv errors 0

         local crypto endpt.: 50.50.50.1, remote crypto endpt.: 50.50.50.3
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
         current outbound spi: 0x61D48BA8(1641319336)

         inbound esp sas:
          spi: 0x555FD9F(89521567)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2037, flow_id: Onboard VPN:37, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4598507/3044)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x61D48BA8(1641319336)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2038, flow_id: Onboard VPN:38, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4598507/3033)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    Lab-branch1-rtr#

    Lab-HQ-rtr#sh ip route
    C    50.50.50.0 is directly connected, Serial0/0/0
         172.22.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C       172.22.3.1/32 is directly connected, Loopback0
    D       172.22.2.1/32 [90/2944000] via 192.168.254.2, 21:18:04, Tunnel0
    D       172.22.1.1/32 [90/2944000] via 192.168.254.1, 21:19, Tunnel0
    D       172.22.64.32/27 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
                            [90/2816256] via 192.168.254.1, 21:18:04, Tunnel0
         10.0.0.0/24 is subnetted, 5 subnets
    D       10.10.10.0 [90/2816256] via 192.168.254.1, 21:19, Tunnel0
    D       10.10.20.0 [90/2816256] via 192.168.254.1, 21:19, Tunnel0
    D       10.10.30.0 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
    D       10.10.40.0 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
    D       10.10.50.0 [90/2816256] via 192.168.254.1, 21:19:02, Tunnel0
    C    192.168.254.0/24 is directly connected, Tunnel0
    C    192.168.1.0/24 is directly connected, FastEthernet0/0

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    50.50.50.3      50.50.50.2      QM_IDLE           1002    0 ACTIVE
    50.50.50.3      50.50.50.1      QM_IDLE           1001    0 ACTIVE

    Hi Andy,

    DMVPN uses routing to control which traffic will be encrypted. You can add ACLs, as with a regular crypto map, to specify the interesting traffic, but that is not a must.

    When traffic leaves the router, it does the routing lookup first; if the next hop points to your tunnel interface, the traffic is encapsulated and encrypted; if the next hop points to another interface, the traffic leaves the router without encryption.

    ISAKMP SAs are built between your tunnel endpoints, as you see in the output of "show crypto isakmp sa". You can check whether the traffic was encrypted or not by looking at the
    #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
    #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286

    If you really want to see the packets, you can SPAN the traffic to a monitor station.

    HTH,

    Lei Tian

  • DMVPN tunnel inbound ACL issue: technical question to the experts

    Hello

    I have a problem with an access list configured INBOUND on the tunnel interface of the HUB routers (HUB1 and HUB2).

    I enclose a simple drawing of my configuration: drawing-Lab-Setup.jpeg

    Let me quickly explain my setup:

    • I have configured a dual HUB, dual DMVPN layout
    • DMVPN phase 3 is configured and I'm using EIGRP
    • All traffic (including Internet) passes through the HUB location
    • All spokes are configured with FVRF and receive only a default route from the HUB routers
    • Spoke-to-spoke traffic is possible and can be restricted if necessary by setting up a route to Null0 on the spoke routers
    • HUB1 is the main router and HUB2 is the backup router

    Security requirements:

    • Spokes access the Internet through a HUB, and are allowed to access HTTP, HTTPS, FTP and ICMP
    • Spokes can reach everything at the hub location

    In order to meet the security requirements and simplify the configuration on the spokes, I thought that I could set up an inbound access list on the tunnel interface of HUB1 and HUB2, so that every time I add a new spoke I don't have to set up more lines in the spoke config. I enclose the access list that I have configured on HUB1 and HUB2 and also the configuration of the tunnel interface (only for HUB1; HUB2 is the same).

    DMVPN-TunnelIN-Acl-and-TunnelConf.txt

    My issue starts here. When I apply the access list called DMVPN_INSIDE_IN on the tunnel interface, spokes can ping the hub location, no problem. The issue is when a spoke host tries to access the Internet (ping from 192.168.100.2), in this case 200.200.200.200 (see drawing): the access list denies the packet with the following message:

    %SEC-6-IPACCESSLOGDP: list DMVPN_INSIDE_IN denied icmp 80.10.10.2 -> 200.200.200.200 (8/0), 1 packet

    But the firewall actually sees the correct source address, before it is NATted:

    %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.100.2:8) -- responder (200.200.200.200:0)

    If I remove the access list everything works fine! It seems that the access list inspects the packet after the NAT process. Actually, sometimes it works and sometimes not. If I remove the access list and put it back again, 192.168.100.2 can ping 200.200.200.200 without problem.

    What I don't understand is how I can apply the access list to the tunnel interface. It is not outbound but INBOUND, isn't it? I don't really understand the Cisco IOS process here. How does the tunnel interface read it in this case?

    Any ideas what is going on here?

    Best regards

    Laurent

    Laurent,

    Seems to be related to CEF then (at least for me, not knowing too much about it). No doubt right now a valid adjacency is installed and it will work until it is removed from the FIB for some reason.

    A good test would be to check whether it continues to work after you remove and re-add CEF, or whether it is just a minor issue with access lists.

    Marcin

  • DMVPN tunnel on a spoke (ADSL Internet access provider)

    Hello all

    I wonder whether I can use the same ip mtu value and the same ip tcp adjust-mss size on the Tunnel interface and on the FastEthernet WAN interface of my DMVPN spoke routers. The WAN interface faces an ADSL modem provided by the ISP.

    That is, something like:

    interface FastEthernet4
     ip mtu 1400
     ip tcp adjust-mss 1360
     ....

    interface Tunnel0
     ip mtu 1400
     ip tcp adjust-mss 1360

    Will this cause fragmentation issues for DMVPN?

    Thank you!

    Yes, the major impact is fragmentation and hence performance.

    I think what you describe is OK, and as mentioned, turning on tunnel PMTUD will take care of some scenarios.

    Think of it like this (this is a simplification, but I think a fitting one).

    A 1400-byte packet arrives from the LAN; we perform the route lookup, and it points through the tunnel interface. We perform the check "do we need to fragment this packet?" The answer is "no", because it fits within the MTU.

    We perform encapsulation (driven by the features applied on the tunnel interface), adding GRE + IPsec (GRE header, IPsec header and padding).

    Now we take this encapsulated packet and do the routing lookup post-encapsulation; it will go out via interface fa4.

    Does the packet fit in the MTU of 1400? "No", so we must fragment if it is allowed.

  • Static to dynamic site-to-site VPN / DMVPN tunnel

    Hello

    I have two sites: Site-A with a Cisco ASA 5505 with a static IP configuration, and Site-B with a Cisco 1841 ISR with a dynamic IP configuration.

    See the attached diagram for an overview.

    The goal is to have a site-to-site VPN tunnel between the two sites so that desktops sitting in Site-B can access the application servers residing in Site-A.

    Please suggest.

    Regards

    @Mohammed

    Hello

    For a site-to-site IPsec, the ASA is the static side and it should have the "dynamic" configuration, and the dynamic side (the 1841 ISR) should have the static configuration:

    I'll give an example configuration to achieve this, but you can use different encryption algorithms:

    ASA 5505:

    Phase 1:

    crypto isakmp policy 1
     encryption 3des
     hash md5
     authentication pre-share
     group 2

    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key cisco123
  • DMVPN tunnels causing 99% CPU on 2951

    Saw this issue today with a spoke in India. We have a dual hub, dual cloud setup, and if either tunnel is up the CPU spikes to 99% and the router starts to drop packets. If I shut the two tunnels, everything returns to normal, and I have no idea what could be causing this. Something pushing a large amount of data through the DMVPN tunnels? Once I bring up the backup tunnels I see EIGRP heartbeats constantly and the CPU spikes immediately, but nothing shows me what is causing the problem. If it were someone trying to push traffic between sites, it would show no matter which tunnel is up because they are redundant, but I am at a loss.

    No changes to this router. Any ideas?

    DMVPN tunnels shut:

    CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 18%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
      88       46924        1768      26540  0.15%  0.11%  0.10%   0 Per-Second Jobs
     107       48420        5072       9546  0.23%  0.19%  0.18%   0 Netclock Backgro
     145       12028      116244        103  0.07%  0.10%  0.08%   0 Ethernet Msec Ti
     458       11244      194180         57  0.39%  0.39%  0.35%   0 IP SLAs XOS Even

    One or two DMVPN tunnels up:

    CPU utilization for five seconds: 99%/97%; one minute: 51%; five minutes: 53%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
      88       46856        1418      33043  0.15%  0.11%  0.10%   0 Per-Second Jobs
     107       48164        3691      13049  0.07%  0.15%  0.16%   0 Netclock Backgro
     117       23784        2362      10069  0.15%  0.16%  0.11% 644 SSH Process
     128        7040       33962        207  0.07%  0.06%  0.05%   0 SEC BATCH
     145       12024       72842        165  0.07%  0.08%  0.08%   0 Ethernet Msec Ti
     455      184752        1484     124495  0.38%  0.13%  0.24%   0 CFT Timer Proces
     456      862876        2097     411481  0.54%  0.29%  0.40%   0 FNF Cache Ager P
     458       11168      108909        102  0.07%  0.25%  0.23%   0 IP SLAs XOS Even

    You have high interrupt CPU, which is causing the high CPU. Traffic is being punted to the CPU...

    Make sure that CEF switching is enabled on all interfaces.

    Visit this link for possible causes of high interrupts...

    http://www.Cisco.com/c/en/us/support/docs/routers/7500-series-routers/41...

    Thank you

    Véronique

  • Load balancing DMVPN across several tunnels

    Trying to balance 2 DMVPN tunnels from a remote router to our central administration site. The remote router is a 2811 running 12.4.24. It has two DSL connections and I built two DMVPN tunnels to my headquarters, with each tunnel going to a separate router. I am running EIGRP across the WAN and LAN. Please see the attached drawing.

    When I put in two equal default routes and just let EIGRP balance between the routers, it favours the 180.7.250.1 path and very little traffic crosses the 180.7.249.1 path.

    The reason I am trying this is that the site is in a kind of remote area and I can't get more than a 500 KB up and 1.5 MB down DSL circuit. So, to boost performance a bit, I wanted to try running both circuits.

    I am open to suggestions or advice on how to get a little more bandwidth out of this site.

    Thanks in advance.

    EIGRP metrics are determined by delay, bandwidth, reliability and load. You have the same router and the same tunnel interface. All the interfaces involved in EIGRP must match exactly if you want to load balance across them. See how the composite metrics differ below. If you can make them match, your traffic will load balance.

  • DMVPN tunnel not establishing - wrong NHRP address

    I am trying to establish a DMVPN tunnel for a new router that we are moving to a remote location. We already have a hub and several other remote sites that work properly. I can ping everywhere on another remote site, but I do not see the correct address appear when I do a "show dmvpn". Also the SA does not appear when I do a "show crypto isakmp sa".

    UARouter#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254      172.19.1.1    UP    1d10h     S

    Then I ping a remote machine.

    UARouter#ping 192.168.2.40 source loopback 5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.40, timeout is 2 seconds:
    Packet sent with a source address of 192.168.12.254
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 352/353/356 ms

    UARouter#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         2 63.162.52.254      172.19.1.1    UP    1d10h     S
                              172.19.1.2    UP 00:00:32

    It does not seem to resolve to the real peer NBMA address 203.98.212.254, but instead resolves to the hub.

    UARouter#show ip nh

    UARouter#show ip nhrp brief
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.19.1.1/32      172.19.1.1     63.162.52.254  static   Tu0     <   >
    172.19.1.2/32      172.19.1.2     63.162.52.254  dynamic  Tu0     <   >

    UARouter#show cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    63.162.52.254   109.237.82.114  QM_IDLE           1003 ACTIVE

    Here is the output from a different router that works.

    TaiwanRTR#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:8,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254      172.19.1.1    UP     1w4d     S
         1 203.98.212.254     172.19.1.2    UP     1w4d     D

    TaiwanRTR#show ip nhrp brief
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.19.1.1/32      172.19.1.1     63.162.52.254  static   Tu0     <   >
    172.19.1.2/32      172.19.1.2     203.98.212.254 dynamic  Tu0     <   >

    Here are the DMVPN configs. They are identical except for the IP address and the fact that I cannot use the command no ip mroute-cache, because it is not recommended on the new router since we use a newer IOS. I also use the physical interface directly instead of a loopback. The loopback on the TaiwanRTR is a public IP address.

    AU Router

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.12 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     delay 1000
     qos pre-classify
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared

    TaiwanRTR

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.6 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     no ip mroute-cache
     delay 1000
     tunnel source Loopback2
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared
    end

    On both devices we use the same crypto parameters. We use certificates instead of pre-shared keys.

    crypto isakmp policy 1
     encr 3des
    crypto isakmp keepalive 10
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile DMVPN
     set transform-set RIGHT

    Does anyone have any ideas what could be happening?

    Here is my DMVPN router ACL...

    10 permit esp any any (22214502 matches)
    20 permit udp any any eq isakmp (375 matches)
    30 permit udp any any eq non500-isakmp
    40 permit icmp any any (40005 matches)

    Works 100% for me.

    I will note, my line 20 used to be "permit udp any eq isakmp any eq isakmp", but I found that when my routers were behind devices the source port would not be 500 and things didn't work, so I had to open it up.

  • DMVPN PPPoE MTU

    Hello

    I have a problem with all the PPPoE spokes in my DMVPN network. The problem is the stability of the DMVPN tunnel. With all the spokes on PPPoE I have a problem.

    When I ping from the spoke to the hub like this:

    ping [hub dest IP] source [local tunnel IP], I have only 50% success.

    In the spoke log I have this message:

    %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor X.X.X.X (Tunnel2) is down: Peer Termination received

    I'm sure it has to do with the MTU setting. Only on int tunnel 2 on the spoke did I try to play with ip mtu and ip tcp adjust-mss, without success.

    But is it normal that if on int dialer1 I set the mtu to 1492, a sh int dialer 1 shows the MTU as 1500?

    I don't know what the right recipe is in this case, when I have several PPPoE spokes but not all of them, with the hub? Do I have to create another DMVPN just for the PPPoE spokes? If yes, what parameters do I need for PPPoE with DMVPN? Do I have to adjust the MTU on the tunnel port? On both sides, hub and spoke? Etc...

    Because if I use GRE with VPN over a link where PPPoE is installed, I have no problem any more. For simplicity of the configuration and maintenance, I prefer to use DMVPN for sure. So, if it is possible to set it up, it would be nice.

    Thank you

    The MTU must be set on the tunnel interface on both hubs and spokes.

    If you want to save bytes, you can even use transport mode instead of tunnel mode.

    Thank you

    PS: Please do not forget to rate and mark as a correct answer if this solves your problem

  • DMVPN problem with 2 hubs

    Hello

    I have DMVPN phase 1 with 2 hubs, 20 spokes and EIGRP; HUB1 is main and HUB2 is backup. If HUB1 goes down, all traffic from the spokes goes to HUB2 immediately, within a few seconds, but when HUB1 comes back, traffic from the spokes automatically goes back to HUB1 only after 20-30 minutes, and that is too long; that's the problem.

    The "show dmvpn" command on the spokes shows the tunnels to HUB1 in NHRP state, and if I use the "clear crypto session" command manually on any spoke, traffic from that spoke passes to HUB1 immediately.

    A month ago I tested this and it worked fine, but when I last tested, 2 days ago, this problem occurred.

    What could be the reason and how do I fix it?

    Sorry for my English, I'm new to DMVPN :)

    Thanks in advance.

    Hi George,

    I see two possible events which would explain the behaviour you are experiencing.

    (a) a change of DMVPN state.

    (b) a change in the routing table.

    You can troubleshoot each of the above to identify which one is the origin of the problem and then isolate it. To begin, you must make sure that the DMVPN stays in a stable "UP" state.

    You mention "spokes display tunnels to HUB1 in NHRP state"; this confirms the DMVPN is "stuck" and not fully operational.

    I suggest consulting a few useful troubleshooting details here:

    http://www.Cisco.com/c/en/us/support/docs/security/dynamic-multipoint-VP...

    Take a look at these details:

    ~~~

    Interface: Tunnel100, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 192.168.1.1        172.28.1.1    UP    1d21h     S
         1 192.168.1.2        172.28.1.2    UP    1d21h     S

    ~~~

    You will get similar output in your configuration; you want to keep an eye on the "UpDn Tm" time, as it tells you how long the DMVPN has been up.

    If the DMVPN remains stable while you experience the problem, then focus on the routing protocol you use when troubleshooting the DMVPN tunnel.

    If the DMVPN is unstable, check the connectivity between the spokes and the hub NBMA address and whether that connectivity remains stable. You can use "debug dmvpn error crypto" and "debug dmvpn error nhrp" to help identify the problem, if it is associated with DMVPN.

    There is a lot of assumption in my suggestions, because you have not posted the configuration :).

    But it would be useful if you posted the config. Good luck with your efforts.

    Thank you

    re775

  • DMVPN initiator / responder

    I want to use DHCP from my broadband provider on the physical interface of my spoke routers. Since the address can change, what can I do to make sure that the hub is the responder and the spokes are the initiators of the DMVPN tunnel?

    Spokes: 2900

    Hub: ASR1002

    Hey,

    As long as the DMVPN hub is not configured as a static VTI, i.e. a specific tunnel source and destination is not configured on the hub, the spoke will always be the initiator.

    The purpose of having a DMVPN tunnel is that every spoke can connect to the hub (given that the spokes are configured to connect to the hub) without having to specifically set the spoke's IP address on the hub. As a result, the tunnel is always initiated by the spoke.

    Please see the document below for further explanation:

    "When the spoke router starts up, it automatically initiates the IPsec tunnel with the hub router as described above. It then uses NHRP to notify the hub router of its current physical interface IP address."

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
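A worked version of the size arithmetic from the ADSL spoke thread above ("DMVPN tunnel on a spoke"), as an added example that is not part of any post here: it computes the on-the-wire size of a packet after GRE-over-IPsec encapsulation, using the esp-3des/esp-sha-hmac transform, 8-byte IV, transport mode and tunnel key that appear in the configurations quoted in these threads, and derives the ip mtu / adjust-mss values. It assumes a 20-byte IPv4 header with no options and a 1500-byte (or 1492-byte PPPoE) WAN MTU.

```python
"""GRE-over-IPsec size arithmetic behind 'ip mtu 1400' / 'ip tcp adjust-mss 1360'.

Added example, not from the thread. Header sizes are the RFC values; the
esp-3des/esp-sha-hmac transform, 8-byte IV, transport mode and 'tunnel key'
come from the configurations quoted in the threads above.
"""
import math
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header without options (inner or outer)
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # base GRE header
GRE_KEY = 4        # extra 4 bytes when 'tunnel key' is configured
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # esp-sha-hmac (HMAC-SHA1-96) integrity check value

# cipher name -> (IV size, cipher block size) in bytes
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}


@dataclass(frozen=True)
class TunnelParams:
    cipher: str = "esp-3des"      # as in 'transform-set RIGHT esp-3des esp-sha-hmac'
    ipsec_mode: str = "transport"  # 'mode transport' in the quoted transform-set
    tunnel_key: bool = True        # 'tunnel key 100000' adds the GRE key field


def esp_size(payload_len: int, iv: int, block: int) -> int:
    """Size of an ESP packet carrying payload_len bytes: header, IV, payload
    padded (with the 2-byte trailer) to the cipher block size, and ICV."""
    padded = math.ceil((payload_len + ESP_TRAILER) / block) * block
    return ESP_HDR + iv + padded + ESP_ICV


def encapsulated_size(inner_len: int, params: TunnelParams) -> int:
    """Bytes put on the WAN for an inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[params.cipher]
    gre = GRE_HDR + (GRE_KEY if params.tunnel_key else 0)
    if params.ipsec_mode == "transport":
        # ESP sits between the GRE delivery IP header and the GRE payload
        return IP_HDR + esp_size(gre + inner_len, iv, block)
    if params.ipsec_mode == "tunnel":
        # the whole GRE/IP packet is the ESP payload; a new outer IP header is added
        return IP_HDR + esp_size(IP_HDR + gre + inner_len, iv, block)
    raise ValueError(f"unknown IPsec mode {params.ipsec_mode!r}")


def needs_fragmentation(inner_len: int, params: TunnelParams,
                        physical_mtu: int = 1500) -> bool:
    """True when the encapsulated packet exceeds the egress (WAN) interface MTU."""
    return encapsulated_size(inner_len, params) > physical_mtu


def max_inner_mtu(params: TunnelParams, physical_mtu: int = 1500) -> int:
    """Largest tunnel 'ip mtu' that avoids post-encapsulation fragmentation."""
    size = physical_mtu
    while size > 0 and encapsulated_size(size, params) > physical_mtu:
        size -= 1
    return size


def mss_for_ip_mtu(ip_mtu: int) -> int:
    """The 'ip tcp adjust-mss' value that makes a full TCP segment fit ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    p = TunnelParams()
    print("1400-byte packet on the wire:", encapsulated_size(1400, p))           # 1464
    print("1500-byte packet needs fragmentation:", needs_fragmentation(1500, p))  # True
    print("largest inner MTU behind a 1492 PPPoE link:", max_inner_mtu(p, 1492))  # 1430
    print("adjust-mss for ip mtu 1400:", mss_for_ip_mtu(1400))                   # 1360
```

The 1400/1360 pair from the thread leaves headroom even on a 1492-byte PPPoE link; a 1500-byte inner packet would always need fragmentation after encapsulation.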
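An added example, not from any post here, for the load-balancing thread above ("Load balancing DMVPN across several tunnels"): it computes the classic EIGRP composite metric for the two tunnels and shows why only one path is installed, and it goes beyond the reply's "make the interfaces match" advice by also applying the feasibility condition and the variance command, which lets EIGRP share traffic across unequal paths. The bandwidth and delay figures are constructed from the 1.5 Mbps and 500 kbps circuits mentioned in the question, with the IOS tunnel default delay of 50000 usec and a FastEthernet hub LAN.

```python
"""EIGRP path selection over two DMVPN tunnels (added example, not from the thread).

Classic composite metric with default K values (K1=K3=1):
    metric = 256 * (10^7 / min_bandwidth_kbps + total_delay_usec / 10)
Bandwidth/delay values below are constructed from the question's circuits.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Vector:
    """Metric vector carried in EIGRP updates: minimum bandwidth (kbps) along
    the path and cumulative delay (microseconds)."""
    min_bw_kbps: int
    total_delay_usec: int


def composite(v: Vector) -> int:
    """Classic EIGRP composite metric with default K values."""
    return 256 * (10_000_000 // v.min_bw_kbps + v.total_delay_usec // 10)


def add_link(reported: Vector, link_bw_kbps: int, link_delay_usec: int) -> Vector:
    """Fold the receiving interface's bandwidth and delay into the neighbour's
    reported vector to get the local path vector."""
    return Vector(min(reported.min_bw_kbps, link_bw_kbps),
                  reported.total_delay_usec + link_delay_usec)


def path_table(candidates):
    """candidates: {tunnel: (neighbour's reported vector, link bw kbps, link delay usec)}.
    Returns {tunnel: (feasible distance, reported distance)}."""
    return {name: (composite(add_link(rep, bw, dly)), composite(rep))
            for name, (rep, bw, dly) in candidates.items()}


def installed_paths(candidates, variance: int = 1):
    """Paths EIGRP installs for load sharing: the successor plus every feasible
    successor (reported distance < successor FD) with FD <= variance * successor FD."""
    table = path_table(candidates)
    successor_fd = min(fd for fd, _ in table.values())
    used = [name for name, (fd, rd) in table.items()
            if rd < successor_fd and fd <= variance * successor_fd]
    return sorted(used, key=lambda n: table[n][0])


def variance_needed(candidates) -> int:
    """Smallest 'variance' value that lets every feasible successor carry traffic."""
    table = path_table(candidates)
    successor_fd = min(fd for fd, _ in table.values())
    feasible = [fd for fd, rd in table.values() if rd < successor_fd]
    return math.ceil(max(feasible) / successor_fd)


# Constructed sample: the hub advertises a LAN route learned over FastEthernet
# (100000 kbps, 100 usec). Each spoke tunnel keeps the IOS tunnel default delay
# of 50000 usec and has 'bandwidth' set to its DSL circuit's rate.
HUB_LAN = Vector(min_bw_kbps=100_000, total_delay_usec=100)
TWO_DSL = {
    "Tunnel0 (1.5 Mbps DSL)": (HUB_LAN, 1536, 50_000),
    "Tunnel1 (512 kbps DSL)": (HUB_LAN, 512, 50_000),
}
# Same circuits, but both tunnels configured with identical 'bandwidth' (the reply's advice)
MATCHED = {
    "Tunnel0": (HUB_LAN, 1536, 50_000),
    "Tunnel1": (HUB_LAN, 1536, 50_000),
}

if __name__ == "__main__":
    for name, (fd, rd) in path_table(TWO_DSL).items():
        print(f"{name}: FD={fd} RD={rd}")
    print("installed, variance 1:", installed_paths(TWO_DSL))        # only Tunnel0
    print("variance needed:", variance_needed(TWO_DSL))               # 3
    print("installed, variance 3:", installed_paths(TWO_DSL, 3))     # both tunnels
    print("matched interfaces, variance 1:", installed_paths(MATCHED))  # both tunnels
```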
