DMVPN without NHRP

Hi all

The scenario I am trying to solve is for a managed internet access product we are building, where we want to roll out the 867VAE at scale to a mass of small sites.

For each of our clients at present we have a complete DMVPN, with spoke-to-spoke traffic going via a firewall except for internal networks (so we can see our customers from several sites, but customers cannot see each other).

The 867VAE does not yet support DMVPN, but we still need a simple remote management/access solution.

My thought is:

Head end:

1. create an mGRE interface with no NHRP, but still enable encryption

2. enable RIP (the only choice on the 867VAE)

867VAE CPE:

1. create a point-to-point GRE interface with encryption and RIP.

Before I spend hours testing this: can anyone see a reason why it wouldn't work?

Our requirement here is that we want full visibility of the subscriber's network (PCs / servers), so encryption is needed, but there is no voice on this or anything else that would need the full DMVPN feature set.

Thank you

Scott

Scott,

A config similar to this concept:

https://supportforums.Cisco.com/thread/2089906

And you can run RIP on top.

M.

Tags: Cisco Security

Similar Questions

  • DMVPN without IPsec

    Hi all

    Is running DMVPN without an IPsec configuration supported?

    I'm testing it right now and the hubs are losing connectivity to the spokes. I wonder if it is because IPsec is not being used.

    Anyone tried this?

    Attila

    I guess you meant NHRP. If so, look at http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080435815.html

  • DMVPN and NHRP

    Hi friends,

    I would like to ask for your opinions.

    Looking at an NHRP Traffic Indication packet, in the NHRP Authentication Extension -> Extension Data section I can see there is a Source Address field, and its value is always 99.105.115.99.

    Please, see the attached screenshot.

    Could someone give any idea what this source address is, why it is always the same value, and what the significance of this value is.

    Thank you!

    Best regards

    Yavor

    Ahh :) Well done on solving your problem! Also, thank you for taking the time to come back and post the solution here. (+5 from me.)

    Now, given that your issue is resolved, you should mark the thread as "answered" ;)

  • DMVPN - NHRP registration, IPsec

    Hi all

    I was wondering whether the spokes' NHRP registrations must be processed by the hub before the IPsec tunnel can form between the hub and the spokes.

    Any ideas will be appreciated.

    Thank you

    David Lai

    David,

    NHRP and IPsec go hand in hand.

    In fact the first IPsec packets exchanged between the spokes and the hubs are NHRP registration requests and registration replies.

    Once NHRP registration succeeds, the routing neighborships come up and you'll have full connectivity between hub and spoke.

    Avinash.

  • DMVPN, NHRP: which Cisco certification?

    Hi all

    I want to know which Cisco certification DMVPN and NHRP belong to?

    Eve.

    Hello

    It is the CCIE Security.

    https://learningnetwork.Cisco.com/docs/doc-5273

    There is a link there which gives the exam blueprint.

    I hope this helps.

    Kind regards

    Anisha.

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the useful posts.

  • NHRP cache problem

    I have a DMVPN configuration without IPsec. My one hub is connected to 10 spokes through pure GRE and I'm running OSPF. I set my NHRP holdtime to 5 minutes. When 5 minutes of idle time have passed, I do a show ip nhrp and find that the expired entry still remains in the cache, as below:

    created 05:15, expired

    The expired cache entry only disappears at 6 minutes. If I do a ping test between 5 and 6 minutes, I get request timed out. My ping test only starts getting a positive response after 6 minutes, when the expired cache entry is removed and replaced with a new one, as shown below:

    created 00:05, expire 04:55

    How can I make the cache entry disappear immediately at 5 minutes, so that I do not lose connectivity for 1 minute, i.e. between 5 and 6 minutes?

    Thank you very much.

    The problem is documented as bug CSCdy45826. You should probably upgrade to the version where this problem has been fixed.

  • P2P GRE link

    Hello

    I want to route a public IP address range from one provider to another provider's backbone. I want to deliver this range statically through a GRE tunnel.

    However, the endpoint (spoke client) only has a DYNAMIC PUBLIC IP address.

    Is it possible to create a tunnel between the two sites, one dynamic and the other static, through which I can deliver a range of IP addresses even though the spoke endpoint IP is not known?

    Thank you!

    Have you looked at DMVPN (one hub and one spoke)?

    DMVPN uses NHRP to form the spokes on the fly. The HUB has no need to know the spokes' public IP addresses during setup. The hub's public IP / tunnel IP are hard coded in the spoke(s). Once that happens, the spoke registers on the hub dynamically (using the NHRP protocol).

    Regards

    Farrukh

  • Anti-replay window size

    Hello
    We would like to increase the size of the anti-replay protection window on our ISR routers connected to an ASR using DMVPN. On the ISR I can use up to 1024, but the ASR is limited to 512.
    I wonder if I can set up two different window sizes, ISR - 1024 and ASR - 512, connected to each other via DMVPN, without implications/issues. (I think 512 should be sufficient for the ASR side, but the ISR would need more.)

    Thank you!

    Yes, you can have separate anti-replay window sizes - the check is local and is only done in the inbound direction.

    Now, what you might want to remember is that enabling this feature implies that existing connections will not begin using the new window immediately.
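    The two settings the exchange above discusses, as an added example that is not part of the original thread (the profile name DMVPN is an assumption; the 1024 and 512 limits are the ones the poster gives for the ISR and the ASR):

    ```ios
    ! ISR side: widen the inbound anti-replay window to the platform maximum (1024).
    ! The window is checked only on inbound ESP, so the two peers may differ.
    crypto ipsec security-association replay window-size 1024
    !
    ! ASR side: per the thread this platform accepts at most 512.
    crypto ipsec security-association replay window-size 512
    !
    ! A per-profile override also exists and applies only to SAs built with that
    ! profile (assumed profile name); it takes precedence over the global value.
    crypto ipsec profile DMVPN
     set security-association replay window-size 1024
    !
    ! Existing SAs keep the window they were created with. Re-key them (the tunnel
    ! drops briefly while IKE rebuilds the SAs) and then verify per SA:
    clear crypto sa
    show crypto ipsec sa | include replay
    ```

    Schedule the clear in a maintenance window: until the SAs are rebuilt the old window remains in force, which is the point the answer makes.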

  • DMVPN NHRP question

    I have a phase 2 network with about 40 spoke routers and dual DMVPN hub routers. 90% of this works very well. However, I have 3 or 4 spoke routers that are unable to communicate with each other directly (traffic goes via the hub router between these specific sites), but they are able to communicate directly with the other 35 or more routers. I think it's an NHRP issue, as when I do show ip nhrp detail on one of these 4 routers, the 3 other routers show a (no socket) entry. I am able to clear that 'sometimes' with clear ip nhrp. Whenever the (no socket) entry is there, spoke-to-spoke communication does not work. Any help would be greatly appreciated.

    Have you checked this bug, CSCsw18019:

    Spoke-to-spoke communication passing through the hub because of the NHRP cache.

  • DMVPN tunnel is not establishing - wrong NHRP address

    I am trying to establish a DMVPN tunnel to a new router that we are moving to a remote location. We already have a hub and several other remote sites that work properly. I can ping everything on another remote site, but I do not see the correct address appear when I do a 'show dmvpn'. Also the SA does not appear when I do a "show crypto isakmp sa".

    UARouter#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254      172.19.1.1    UP    1d10h     S

    Then I do a ping to a remote machine.

    UARouter#ping 192.168.2.40 source loopback 5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.40, timeout is 2 seconds:
    Packet sent with a source address of 192.168.12.254
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 352/353/356 ms

    UARouter#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         2 63.162.52.254      172.19.1.1    UP    1d10h     S
                              172.19.1.2    UP 00:00:32     D

    It does not seem to resolve to the real peer NBMA address 203.98.212.254, but rather resolves to the hub.

    UARouter#show ip nh
    UARouter#show ip nhrp brief
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.19.1.1/32      172.19.1.1      63.162.52.254    static   Tu0     <   >
    172.19.1.2/32      172.19.1.2      63.162.52.254    dynamic  Tu0     <   >

    UARouter#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    63.162.52.254   109.237.82.114  QM_IDLE           1003 ACTIVE

    Here is the output from a different router that works.

    TaiwanRTR#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:8,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254      172.19.1.1    UP     1w4d     S
         1 203.98.212.254     172.19.1.2    UP     1w4d     D

    TaiwanRTR#show ip nhrp brief
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.19.1.1/32      172.19.1.1      63.162.52.254    static   Tu0     <   >
    172.19.1.2/32      172.19.1.2      203.98.212.254   dynamic  Tu0     <   >

    Here are the DMVPN configs. They are identical except for the IP address and the fact that I cannot use the command no ip mroute-cache, because it is not recommended on the new router as we use a newer IOS. I also use the interface directly instead of a loopback. The loopback on the TaiwanRTR is a public IP address.

    AU Router

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.12 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     delay 1000
     qos pre-classify
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared

    TaiwanRTR

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.6 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     no ip mroute-cache
     delay 1000
     tunnel source Loopback2
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared
    end

    On both devices we use the same crypto parameters. We use certificates instead of pre-shared keys.

    crypto isakmp policy 1
     encr 3des
    crypto isakmp keepalive 10
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile DMVPN
     set transform-set RIGHT

    Does anyone have any ideas what could be happening?

    Here is my DMVPN router ACL...

    10 permit esp any any (22214502 matches)
    20 permit udp any any eq isakmp (375 matches)
    30 permit udp any any eq non500-isakmp
    40 permit icmp any any (40005 matches)

    Works 100% for me.

    I will note, my line 20 used to be 'permit udp any eq isakmp any eq isakmp', but I found that when my routers were behind NAT devices the source port would not be 500 and things didn't work, so I had to open it up.

  • Is it possible to run DMVPN on a 7606 without an IPsec module?

    Hi everyone, we have a 7606 router without any IPsec module on it, so I checked the IOS and there are commands on the tunnel interface for the DMVPN multipoint tunnel configuration and for the IPsec protection profile too! So I have this question: can I run DMVPN between this router and our WAN routers, which are 3845s that I'm not worried about (because they can, of course)? Thanks in advance.

    Hello

    The 6500 and 7600 do not support IPsec VPN without a VPN SPA or VPNSM (announced EOL), with the exception of management access (a long time ago).

    It is documented here:

    http://www.Cisco.com/en/us/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html#wp1089276

    I would say, save yourself the trouble and effort :-)

    Marcin

  • DMVPN - move from PSK to RSA-Sig auth

    Hi all

    I'm moving a lab DMVPN config from PSK to the use of certificates.

    Installed the root CA + certificates without problem.

    I imagined it would just be a case of creating a different ISAKMP policy on the hubs and spokes and gradually introducing spokes, but I am receiving an error on the hub: "x.x.x.x IKE message failed its sanity check or is malformed".

    The problem disappears if I remove the ISAKMP policy on the hub and it returns to the original PSK policy. I have checked that the policies match a million times and the certificates are installed properly.

    I have included some of the config below. Policy 10 works very well.

    Any help appreciated. Thank you

    -Hub-
    crypto isakmp policy 5
     encr aes
     hash md5
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0
    !
    !
    crypto ipsec transform-set main esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile ProfileName
     set security-association lifetime seconds 900
     set transform-set main
    !
    !
    interface Tunnel0
     bandwidth 20480
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nbar protocol-discovery
     ip flow ingress
     ip nat inside
     ip nhrp authentication Auth
     ip nhrp map multicast dynamic
     ip nhrp network-id ID
     ip virtual-reassembly in
     no ip split-horizon
     ip tcp adjust-mss 1300
     cdp enable
     tunnel source Dialer
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile ProfileName
    -Spoke-
    crypto isakmp policy 5
     encr aes
     hash md5
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key xxxxxxxxxxx address 0.0.0.0
    !
    !
    crypto ipsec transform-set main esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile IProfile
     set security-association lifetime seconds 900
     set transform-set main
    !
    !
    interface Tunnel0
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nat inside
     ip nhrp authentication Auth
     ip nhrp map multicast dynamic
     ip nhrp map x.x.x.x x.x.x.x
     ip nhrp map multicast x.x.x.x
     ip nhrp network-id X
     ip nhrp nhs x.x.x.x
     ip virtual-reassembly in
     no ip split-horizon
     ip tcp adjust-mss 1300
     tunnel source Dialer
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile Iprofile

    Your certificates seem to be fine. Time is very important. Turn on service timestamps log datetime, and check whether your clock is synced by NTP.

    Once everything is set correctly as above, I would be very interested to get all the debugs.

    This issue you have is based on the key or certificate not authenticating together; it could be MTU, it could be something else.

    Would you mind providing all the debugs and perhaps a Wireshark trace so we can see what is happening. Debug isakmp, ipsec and certificates as well.

    Thank you
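    The checks the reply above asks for, written out as an added example that is not part of the original thread: clock and timestamps first, then an explicit rsa-sig policy next to the PSK policy kept for unmigrated spokes, then the debugs to collect. The NTP server address, and the use of hash sha and group 2 rather than the md5 in the posted configs, are choices of this example, not taken from the post.

    ```ios
    ! Clock first: certificate validity dates are compared with the router clock, so
    ! an unsynced clock makes a perfectly good certificate look not-yet-valid or
    ! expired. 192.0.2.10 is an assumed NTP server.
    clock timezone UTC 0
    ntp server 192.0.2.10
    service timestamps log datetime msec localtime show-timezone
    service timestamps debug datetime msec localtime show-timezone
    !
    ! Certificate policy. rsa-sig is the IOS default authentication method, but
    ! stating it explicitly removes any doubt when comparing hub and spoke policies
    ! line by line (encr, hash, authentication, group and lifetime must all match).
    crypto isakmp policy 5
     encr aes
     hash sha
     authentication rsa-sig
     group 2
    !
    ! PSK policy kept for spokes not yet migrated. Both ends carry both policies;
    ! the lowest-numbered policy that matches on both sides wins.
    crypto isakmp policy 10
     encr aes
     hash sha
     authentication pre-share
     group 2
    !
    ! What to look at, and the debugs to have running on the hub when a migrated
    ! spoke connects, before posting for help.
    show clock detail
    show crypto pki trustpoints
    show crypto pki certificates
    show crypto isakmp policy
    debug crypto isakmp
    debug crypto ipsec
    debug crypto pki transactions
    debug crypto pki validation
    ```

    The pki validation debug is the one that reports clock and chain problems in plain words; isakmp alone only shows the exchange failing.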

  • DMVPN initiator / responder

    I want to use DHCP on the physical interface of my spoke routers, from my broadband provider. Since the address can change, what can I do to make sure that the hub is the responder and the spokes are the initiators of the DMVPN tunnel?

    Spokes: 2900

    Hub: ASR1002

    Hey,

    As long as the DMVPN hub is not configured as a static VTI, i.e. a specific tunnel source and tunnel destination are not configured on the hub, the initiator will always be the spoke.

    The purpose of having a DMVPN tunnel is so that all spokes can connect to the hub (given the spokes are configured to connect to the hub) without having to specifically set the spoke's IP address on the hub. As a result, the tunnel is always initiated by the spoke.

    Please see the document below for further explanation:

    The spoke router, at startup, automatically triggers the IPsec tunnel with the hub router as described above. It then uses NHRP to notify the hub of its current physical interface IP address.

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
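    A minimal hub and DHCP-addressed spoke in the shape the answer describes, as an added example that is not from the thread: the hub has no tunnel destination and so cannot initiate, and the spoke carries the one extra line that matters when its address changes. All addresses, names, keys and timers are assumptions.

    ```ios
    ! Shared crypto block, identical on hub and spoke. The wildcard PSK is what lets
    ! the hub authenticate spokes whose addresses it cannot know in advance.
    crypto isakmp policy 10
     encr aes
     hash sha
     authentication pre-share
     group 2
    crypto isakmp key DMVPN-KEY address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 3 periodic
    crypto ipsec transform-set TS esp-aes esp-sha-hmac
     mode transport
    crypto ipsec profile DMVPN
     set transform-set TS
    !
    ! Hub (the responder): mGRE, no tunnel destination, spokes learned by NHRP
    ! registration only.
    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip tcp adjust-mss 1360
     ip nhrp authentication Auth
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile DMVPN
    !
    ! Spoke (the initiator): WAN address from DHCP, tunnel sourced from that
    ! interface, static mapping to the hub at 198.51.100.1 (assumed).
    interface GigabitEthernet0/0
     ip address dhcp
    !
    interface Tunnel0
     ip address 172.16.0.11 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip tcp adjust-mss 1360
     ip nhrp authentication Auth
     ip nhrp map 172.16.0.1 198.51.100.1
     ip nhrp map multicast 198.51.100.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.0.1
     ip nhrp holdtime 300
     ! When DHCP hands out a new address the spoke re-registers from it. Without
     ! no-unique the hub refuses the registration while the old NBMA mapping is
     ! still in its cache ("unique address registered already"), and the spoke is
     ! unreachable until that entry times out.
     ip nhrp registration no-unique
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile DMVPN
    ```

    DPD on both ends (the keepalive line) is what tears down the IPsec SA built toward the spoke's old address; NHRP re-registration alone does not clear stale crypto state.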

  • crypto isakmp invalid-spi-recovery command worked well in the case of DMVPN

    Hello

    I did the setup for hub/spoke in the DMVPN case and it worked fine. But after reloading the hub I saw the error output below, so I added the command crypto isakmp invalid-spi-recovery on the hub & spokes:

    *Oct 7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.3.1.3

    *Oct 7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.2.1.2

    Note: spoke1 IP address: 150.2.1.2 / spoke2 IP address: 150.3.1.3 / hub IP address: 150.1.1.1

    My temporary solution for this problem: I need to clear the SPI manually, and then it works fine again.

    If anyone has had the same problem, please let me know

    Kind regards

    TRAN

    Hello

    There is a common misconception about what the crypto isakmp invalid-spi-recovery command does. Even without this command, IOS already performs a kind of invalid SPI recovery by sending a DELETE notify for the received SA to the sending peer, if it already has an IKE SA with that peer. Again, this happens regardless of whether crypto isakmp invalid-spi-recovery is enabled or not.

    With crypto isakmp invalid-spi-recovery, IOS tries to handle the condition where a router receives IPsec traffic with an invalid SPI and does not have an IKE SA with that peer. In this case it will try to set up a new IKE session with the peer and then send a DELETE notify over the newly created IKE SA. However, this command does not work in all crypto configurations. The only configurations it works with are instantiated crypto, for example sVTI, and static crypto maps where the peer is defined explicitly. Here is a summary of commonly used crypto configurations and whether invalid SPI recovery works with that configuration or not:

    Crypto config                        Invalid-spi-recovery works?
    Static crypto map                    YES
    Dynamic crypto map                   NO
    P2P GRE with TP                      YES
    mGRE TP w/ static NHRP mapping       YES
    mGRE TP w/ dynamic NHRP mapping      NO
    sVTI                                 YES
    EzVPN client                         N/A

    For your scenario, you can enable DPD (crypto isakmp keepalive) on the spoke to help the tunnel recover.

    Thank you

    Wen
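    Applying the table above to the poster's hub-and-spoke setup, as an added example that is not from the thread (the DPD timers are assumptions; 150.1.1.1 is the hub address the poster gives):

    ```ios
    ! Spoke side. Its NHRP mapping to the hub is static, so this is the
    ! "mGRE TP w/ static NHRP mapping: YES" row: if traffic from the hub ever
    ! arrives with an SPI the spoke no longer has, the spoke can open a new IKE SA
    ! to the hub and send the DELETE notify over it.
    crypto isakmp invalid-spi-recovery
    !
    ! The poster's case runs the other way: after the hub reload it is the hub
    ! that receives unknown SPIs, and the hub's spoke mappings are dynamic
    ! ("...dynamic NHRP mapping: NO"), so the command cannot help there. What
    ! recovers the tunnel is DPD on the spoke noticing that the hub's IKE SA is
    ! gone and rebuilding it. 10 s interval, 3 s retry, sent periodically rather
    ! than only when there is traffic to send (assumed values).
    crypto isakmp keepalive 10 3 periodic
    !
    ! Hub side. Keep DPD on as well so SAs toward spokes that disappear are torn
    ! down; the hub still answers an unknown SPI with a DELETE notify whenever it
    ! has an IKE SA with that peer, with or without invalid-spi-recovery.
    crypto isakmp keepalive 10 3 periodic
    !
    ! Manual recovery, the workaround the poster used, run on a spoke: drop the
    ! stale IPsec and IKE SAs toward the hub so IKE rebuilds them. Nothing needs
    ! clearing on the freshly reloaded hub.
    clear crypto sa peer 150.1.1.1
    clear crypto isakmp
    ```

    With periodic DPD the outage after a hub reload is bounded by the keepalive interval plus retries instead of by the IPsec SA lifetime.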

  • DMVPN tunnel stays up

    Hello, I need to change the IP address of the hub. The only way to reach the spokes is through the tunnel.

    The action plan was to change the NHRP maps on the spokes first, then finally change the public IP address of the hub. It did not work, because the tunnels still remain up and keep the 'old' IP address.

    I added ISAKMP keepalive, NHRP holdtime on the tunnel and tunnel keepalive, but without success.

    The only way to get the spokes to accept the new IP address is to shut / no shut the tunnel. But this cuts off my own branch.

    Question: Does anyone know a way which lets the DMVPN tunnel realize that the connection is lost, clear the NHRP cache and rebuild the tunnel to the new destination without having to restart the spokes?

    Thank you and best regards Peter

    Peter,

    Thank you for responding and letting me know. I appreciate it.

    Cheers

    Gilbert
