ACL issue: inbound ACL on a DMVPN tunnel (technical, to expert)

Hello

I have a problem with an access list configured inbound on the tunnel interface of the hub routers (HUB1 and HUB2).

I enclose a simple drawing of my configuration: drawing-Lab - Setup.Jpeg

Let me quickly explain my setup:

  • I have configured dual hubs with a dual DMVPN layout
  • DMVPN phase 3 is configured and I'm using EIGRP
  • All traffic (including Internet) passes through the hub site
  • All spokes are configured with an FVRF and receive only a default route from the hub routers
  • Spoke-to-spoke traffic is possible and can be restricted if necessary by setting up a route to null on the spoke router
  • HUB1 is the primary router and HUB2 is the backup router

Security requirements:

  • Spokes access the Internet through a hub and are only allowed HTTP, HTTPS, FTP and ICMP
  • Spokes can reach everything at the hub site

To meet the security requirements and simplify the configuration on the spokes, I thought I could set up an inbound access list on the tunnel interfaces of HUB1 and HUB2. That way, every time I add a new spoke I don't have to add more lines to the spoke config. I enclose the access list I configured on HUB1 and HUB2 and also the tunnel interface configuration (only for HUB1; HUB2 is the same).

DMVPN-TunnelIN-Acl-and - TunnelConf.txt

My issue starts here. When I apply the access list called DMVPN_INSIDE_IN to the tunnel interface, spokes can ping the hub site, no problem. The issue is when a spoke host (192.168.100.2) tries to ping the Internet, in this case 200.200.200.200 (see drawing): the access list denies the packet with the following message:

%SEC-6-IPACCESSLOGDP: list DMVPN_INSIDE_IN denied icmp 80.10.10.2 -> 200.200.200.200 (8/0), 1 packet

But the firewall does see the correct source address, before it is NATted:


%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.100.2:8) -- responder (200.200.200.200:0)

If I remove the access list everything works fine! It seems that the access list inspects the packet after the NAT process. Actually, sometimes it works and sometimes not. If I remove the access list and put it back again, 192.168.100.2 can ping 200.200.200.200 without any problem.

What I don't understand is how the access list is applied to the tunnel interface. It isn't OUTBOUND instead of INBOUND, is it? I don't really understand the Cisco IOS process here. How is the tunnel interface read in this case?

Any ideas what is going on here?

Best regards

Laurent

Laurent,

Seems to be related to CEF then (at least for me, not knowing too much about it). No doubt a valid adjacency is installed now and it will work until it is removed from the FIB for whatever reason.

A good test would be to check whether it keeps working after you remove and re-add CEF, or whether it is just a minor issue with access lists.

Marcin
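The deny message quoted above follows the fixed IOS ACL-logging format, and when an inbound ACL on a tunnel behaves unexpectedly the first thing to establish is exactly which source/destination pairs it is denying and how often. The parser below is an added example and is not part of the thread; the regular expressions follow the standard `%SEC-6-IPACCESSLOGP`, `IPACCESSLOGDP` and `IPACCESSLOGNP` message layouts, and the sample lines are constructed (the first one is the thread's own deny line, cleaned up).

```python
import re
from collections import Counter

# Matches the three IOS ACL logging message variants:
#   %SEC-6-IPACCESSLOGP  (tcp/udp, ports in parentheses)
#   %SEC-6-IPACCESSLOGDP (icmp, type/code in parentheses)
#   %SEC-6-IPACCESSLOGNP (other protocols, given as a protocol number)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict of fields for one ACL log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec


def tally(lines):
    """Sum packet counts per (acl, action, proto, src, dst), so the repeated
    5-minute summary messages for one flow are aggregated into one number."""
    c = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"])
            c[key] += rec["count"]
    return c


def denied_sources(lines, acl):
    """Distinct source addresses the named ACL denied: the first thing to compare
    against the ACL's permit entries when a deny looks unexpected."""
    recs = (parse_line(l) for l in lines)
    return sorted({r["src"] for r in recs if r and r["acl"] == acl and r["action"] == "denied"})


# Constructed sample: the first line is the thread's own deny message, the rest are made up.
SAMPLE = [
    "%SEC-6-IPACCESSLOGDP: list DMVPN_INSIDE_IN denied icmp 80.10.10.2 -> 200.200.200.200 (8/0), 1 packet",
    "%SEC-6-IPACCESSLOGDP: list DMVPN_INSIDE_IN denied icmp 80.10.10.2 -> 200.200.200.200 (8/0), 4 packets",
    "%SEC-6-IPACCESSLOGP: list DMVPN_INSIDE_IN permitted tcp 192.168.100.2(40512) -> 200.200.200.200(443), 12 packets",
    "%SEC-6-IPACCESSLOGP: list DMVPN_INSIDE_IN denied udp 192.168.100.2(51234) -> 200.200.200.200(53), 1 packet",
    "%SEC-6-IPACCESSLOGNP: list DMVPN_INSIDE_IN denied 47 192.168.100.2 -> 200.200.200.200, 2 packets",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for key, n in tally(SAMPLE).most_common():
        print(n, key)
    print(denied_sources(SAMPLE, "DMVPN_INSIDE_IN"))
```

Feeding the hub's syslog through `denied_sources` makes a mismatch like the one in the question (a deny logged for a source the ACL was written to permit) visible as a list of addresses rather than a single line buried in the log.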

Tags: Cisco Security

Similar Questions

  • DMVPN tunnel

    Hi all

    I have a few questions about DMVPN.

    I have a working hub-and-spoke router configuration. On the spoke router the DMVPN tunnel is configured with tunnel source loopback 1. The Loopback 1 IP address is a /32 in 10.253.20.X and the LAN subnet is 10.168.X.X/24.

    I want to know why we give Loopback 1 as the tunnel source and not the local LAN subnet.

    What is the use of the following commands, and are these commands optional?

    • ip nhrp network-id 2000
    • tunnel key 100000
    • tunnel source loopback 1 (or an ip address)

    Also I would like to know if it is possible to configure a DMVPN tunnel between two routers, or between an ASA and an ASA with version 8.2 or 7.2?

    Thanks a million in advance

    Cheers

    Deepak Khemani

    Hi Deepak,

    the command no crypto ipsec nat-transparency udp-encapsulation makes it use TCP (default port 10000) rather than UDP for NAT transparency.

    The other commands create a crypto map to protect the outbound interface.

    Essentially in the crypto map you have the destination peer (isakmp peer) and the ACL to match the traffic to protect.

    In your case, it seems the crypto map protects the GRE tunnel.

    I believe that is because you are encapsulating the GRE tunnel in an IPsec tunnel, but that causes a lot of overhead.

    I would recommend that you create an ipsec profile and apply it to the VTI interface, because even if you can make a crypto map work with DMVPN normally, the administration won't be as easy.

    Just a quick crypto map vs ipsec VTI command comparison:

    Crypto map:

    crypto ipsec transform-set ts1 esp-aes
    access-list 100 permit ip src dst
    crypto map map1 10 ipsec-isakmp
     set peer X.X.X.X
     set transform-set ts1
    ...
    int X/X
     crypto map map1

    Now with the VTI (assuming the tunnel mode/destination/source are already configured):

    crypto ipsec transform-set ts1 esp-aes
    crypto ipsec profile pf1
     set transform-set ts1
    int tun0
     tunnel protection ipsec profile pf1

    I hope this helps.

    Please mark as answered and/or rate if this answers your questions

  • Does a DMVPN tunnel forward directed broadcasts?

    Hi all.

    We had an interesting problem on one of our spokes in our DMVPN network.

    The spoke is a 2811; its CPU was at 98%, with the IP Input process taking 98%.

    From netflow, I saw many directed broadcasts going through Tun4, which is a DMVPN tunnel.

    SrcIf   SrcIPaddress     DstIf   DstIPaddress     Pr SrcP DstP  Pkts
    Fa0/0   169.254.29.148   Tu4     169.254.255.255  11 0089 0089  9136
    Fa0/0   169.254.220.230  Tu4     169.254.255.255  11 0089 0089  1935
    Fa0/0   169.254.153.196  Tu4     169.254.255.255  11 0089 0089  14K

    169.254.X.X is the address Windows configures automatically when a PC is unable to obtain an IP address.

    The tunnel configuration is as follows, and I wonder whether, because of "ip nhrp map multicast", all multicast and broadcast traffic is forwarded over the tunnel.

    Is this the case?

    interface Tunnel4
     bandwidth 2048
     ip address X.X.X.X 255.255.252.0
     no ip redirects
     ip mtu 1400
     ip flow ingress
     ip nhrp authentication xxxxx
     ip nhrp map A.A.A.A B.B.B.B
     ip nhrp map multicast B.B.B.B
     ip nhrp network-id 100003
     ip nhrp holdtime 600
     ip nhrp nhs Y.Y.Y.Y
     ip nhrp registration no-unique
     ip nhrp shortcut
     ip nhrp redirect
     load-interval 30
     qos pre-classify
     tunnel source Loopback4
     tunnel mode gre multipoint
     tunnel key 100003
     tunnel protection ipsec profile backup

    Hi Rick, thanks for the note :)

    Hi George,

    Another solution is to create a static route to null0 for this unwanted traffic.

    Kind regards

    Lei Tian

  • DMVPN tunnel stays up

    Hello, I need to change the IP address of the hub. The only way to reach the spokes is through the tunnel.

    The plan was to change the NHRP maps on the spokes first, then finally to change the public IP address of the hubs. It did not work, because the tunnels still stay up and keep the 'old' IP address.

    I added ISAKMP keepalive, NHRP holdtime and tunnel keepalive, but without success.

    The only way to get the spokes to accept the new IP address is to shut / no shut the tunnel. But this cuts me off from my own branch.

    Question: does anyone know a way for the DMVPN tunnel to detect the loss of connectivity, clear the NHRP cache and rebuild the tunnel to the new destination without having to restart the spokes?

    Thank you and best regards, Peter

    Peter,

    Thank you for responding and let me know. I appreciate it.

    Cheers

    Gilbert

  • DMVPN Tunnel and EIGRP routing problem

    I have redundant paths to a remote 2811 router in my network of sites. The first link is a T1 frame relay connection that has been in place for years, and the new link is a 54 Mbps fixed wireless link that was recently put in.

    I'm running EIGRP process 100 as my routing protocol for both links.

    I set up a DMVPN tunnel between the remote 2811 and a 2851 router at my host site. The tunnel interface shows up/up on both sides and I can ping the remote tunnel IP from my host-side networks.

    However my EIGRP routes are not propagated over this new tunnel link, and if I run show ip eigrp neighbor on each router I see only the neighbor for the frame relay link and not the new wireless link.

    What am I missing here?

    A show interface tunnel0 shows the following:

    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 10.x.x.x/24
      MTU 1514 bytes, BW 54000 Kbit, DLY 10000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 172.x.x.x (FastEthernet0/1), destination 10.x.x.x
      Tunnel protocol/transport GRE/IP
        Key 0x186A0, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "CiscoCP_Profile1")
      Last input 00:00:01, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 947
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         880 packets input, 63000 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         910 packets output, 81315 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Please go ahead and add a static route on the hub so that it goes through the wireless link, and let me know if everything works correctly.

    Federico.

  • Proof of encryption for the DMVPN Tunnel

    I've been setting up VPNs for a short time and I'm trying to get a better understanding of the mechanics.

    I configured DMVPN between an HQ router and two branches. I'm running EIGRP between the routers over the GRE tunnel interfaces. I can see EIGRP neighbors via the tunnel, which is good. The part I'm trying to understand is this: I have not created any ACL and I seem to form EIGRP neighbor relationships over the tunnels. If I ping or telnet from the HQ router to one of the branches, I assume that I'm going through the tunnel and the traffic is encrypted. I would like to be able to prove it and see evidence.

    Do I have to have an ACL configured to tell the router what to encrypt? Or does the fact that the tunnel has a crypto profile applied take care of it?

    I did a test and telnetted from HQ to Branch 1 using the private addresses that are sent through the tunnel, and then entered the command

    sh crypto ipsec sa. My telnet source address is the loopback of the router, which is 172.22.3.1. I thought I'd see 172.22.3.1 or 172.22.1.1 in the output of the command and I don't, which makes me wonder whether the traffic is being encrypted. Maybe my configs are incorrect or I need a different show command?

    I have attached my router configs as well. If someone could help me understand a little more it would be appreciated.

    Andy

    Lab-HQ-rtr#telnet 172.22.1.1     (this is Branch1rtr)
    Trying 172.22.1.1 ... Open

    User Access Verification

    Username: andrewb
    Password:

    Lab-branch1-rtr#sh crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 50.50.50.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (50.50.50.1/255.255.255.255/47/0)   * thought I'd see the telnet src and dst address *

       remote ident (addr/mask/prot/port): (50.50.50.3/255.255.255.255/47/0)
       current_peer 50.50.50.3 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
        #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 24, #recv errors 0

         local crypto endpt.: 50.50.50.1, remote crypto endpt.: 50.50.50.3
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
         current outbound spi: 0x61D48BA8(1641319336)

         inbound esp sas:
          spi: 0x555FD9F(89521567)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2037, flow_id: Onboard VPN:37, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4598507/3044)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x61D48BA8(1641319336)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2038, flow_id: Onboard VPN:38, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4598507/3033)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    Lab-branch1-rtr#

    Lab-HQ-rtr#sh ip route
    C    50.50.50.0 is directly connected, Serial0/0/0
         172.22.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C       172.22.3.1/32 is directly connected, Loopback0
    D       172.22.2.1/32 [90/2944000] via 192.168.254.2, 21:18:04, Tunnel0
    D       172.22.1.1/32 [90/2944000] via 192.168.254.1, 21:19, Tunnel0
    D       172.22.64.32/27 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
                            [90/2816256] via 192.168.254.1, 21:18:04, Tunnel0
         10.0.0.0/24 is subnetted, 5 subnets
    D       10.10.10.0 [90/2816256] via 192.168.254.1, 21:19, Tunnel0
    D       10.10.20.0 [90/2816256] via 192.168.254.1, 21:19, Tunnel0
    D       10.10.30.0 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
    D       10.10.40.0 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
    D       10.10.50.0 [90/2816256] via 192.168.254.1, 21:19:02, Tunnel0
    C    192.168.254.0/24 is directly connected, Tunnel0
    C    192.168.1.0/24 is directly connected, FastEthernet0/0

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    50.50.50.3      50.50.50.2      QM_IDLE           1002    0 ACTIVE
    50.50.50.3      50.50.50.1      QM_IDLE           1001    0 ACTIVE

    Hi Andy,

    DMVPN uses routing to control which traffic will be encrypted. You can add ACLs as with a regular crypto map to specify the interesting traffic, but it is not a must.

    When traffic leaves the router, it does the routing lookup first; if the next hop points to your tunnel interface, the traffic is encapsulated and encrypted; if the next hop points to another interface, the traffic leaves the router without encryption.

    ISAKMP SAs are built between your tunnel endpoints, as you see in the output of "show crypto isakmp sa". You can check whether the traffic was encrypted or not by looking at the
    #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
    #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286

    If you really want to see the packets, you can SPAN the traffic to a monitoring station.

    HTH,

    Lei Tian
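The counter check Lei Tian describes is easy to turn into a repeatable test: take a `show crypto ipsec sa` snapshot, send a known number of packets through the tunnel, take a second snapshot, and confirm the encaps/encrypt counters grew by at least that much. The script below is an added example, not code from the thread; the regular expressions follow the counter lines exactly as they appear in the output above, and the two snapshots are constructed (the "before" counters are the ones Andy posted, the "after" ones assume a 5-packet ping went through). It reads only the first SA block in the text, so on a router with several peers you would split the output per `current_peer` first.

```python
import re

# Counter lines as printed by "show crypto ipsec sa" on IOS.
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+), #pkts encrypt: (\d+), #pkts digest: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+), #pkts decrypt: (\d+), #pkts verify: (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")


def parse_ipsec_sa(text):
    """Extract the packet counters of the first SA block in a 'show crypto ipsec sa' snapshot."""
    rec = {}
    m = ENCAPS_RE.search(text)
    rec["encaps"], rec["encrypt"], rec["digest"] = map(int, m.groups())
    m = DECAPS_RE.search(text)
    rec["decaps"], rec["decrypt"], rec["verify"] = map(int, m.groups())
    m = ERRORS_RE.search(text)
    rec["send_errors"], rec["recv_errors"] = map(int, m.groups())
    m = PEER_RE.search(text)
    rec["peer"] = m.group(1) if m else None
    rec["active_sas"] = text.count("Status: ACTIVE")
    return rec


def encryption_check(before, after, sent):
    """Compare two snapshots taken around a test (e.g. a 5-packet ping through the
    tunnel). Traffic went through IPsec if the encaps counter grew by at least the
    number of packets sent, every encapsulated packet was also encrypted, and an
    SA is still ACTIVE afterwards."""
    delta = {k: after[k] - before[k]
             for k in ("encaps", "encrypt", "decaps", "decrypt", "send_errors")}
    ok = (delta["encaps"] >= sent
          and delta["encrypt"] == delta["encaps"]
          and after["active_sas"] > 0)
    return ok, delta


# Constructed snapshots; the counters in BEFORE are the ones shown in the thread,
# AFTER assumes a 5-packet ping was exchanged over the tunnel in between.
BEFORE = """
   current_peer 50.50.50.3 port 500
    #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
    #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286
    #send errors 24, #recv errors 0
        Status: ACTIVE
        Status: ACTIVE
"""
AFTER = BEFORE.replace("14307", "14312").replace("14286", "14291")

if __name__ == "__main__":
    ok, delta = encryption_check(parse_ipsec_sa(BEFORE), parse_ipsec_sa(AFTER), sent=5)
    print("traffic encrypted through the tunnel:", ok, delta)
```

A growing `send_errors` delta alongside a flat `encaps` delta is the pattern to look for when packets are routed into the tunnel but never make it into an SA.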

  • IPsec DMVPN tunnel mode

    "Prior to Cisco IOS Release 12.3(6) and 12.3(7)T, for spoke routers to participate in a DMVPN network, they had to use IPsec tunnel mode." is stated in the following doc:

    http://CCO/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html#wp1085369

    But I tried transport mode and it seems to work very well. I use 12.2(15)T. Is it supposed to work? If not, why?

    Thank you

    The restriction you are referring to applies only when your DMVPN spokes are behind NAT devices. If they are not behind NAT devices they can use either tunnel or transport mode correctly.

  • DMVPN tunnel on a spoke (ADSL Internet service provider)

    Hi all

    I wonder whether I can use the same ip mtu value and the same ip tcp adjust-mss size on the Tunnel interface and on the FastEthernet WAN interface of my DMVPN spoke routers? The WAN interface faces an ADSL modem provided by the ISP.

    That is, something like:

    interface FastEthernet4
     ip mtu 1400
     ip tcp adjust-mss 1360
     ....

    interface Tunnel0
     ip mtu 1400
     ip tcp adjust-mss 1360

    Will this cause fragmentation issues for DMVPN?

    Thank you!

    Yes, the major impact is fragmentation, and so performance.

    I think what you describe is OK and, as mentioned, turning on tunnel PMTUD will take care of some scenarios.

    Think of it like this (this is a simplification, but I think a fitting one).

    A 1400-byte packet comes in from the LAN; we perform the route lookup and it points through the tunnel interface. We perform the check "do we need to fragment this packet?". The answer is "no", because it fits within the MTU.

    We perform the encapsulation (driven by the features applied on the tunnel interface), adding GRE + IPsec (GRE header, IPsec header and padding).

    Now we take this encapsulated packet and check routing post-encapsulation; it will go out via interface fa4.

    Does the packet fit in the MTU of 1400? "No", so we must fragment it, if that is allowed.
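The walkthrough above can be made concrete by adding up the bytes: the 1400-byte packet grows by the GRE header, the ESP header, IV, padding and ICV, and the result is compared with the WAN interface MTU. The calculator below is an added example, not part of the thread; it assumes IPv4 without options, GRE with a tunnel key (as the tunnel configurations elsewhere in this page use), ESP with 3DES/SHA-1-96 by default (the `esp-3des esp-sha-hmac` transform set that appears in this page) and no NAT-T, and it also goes beyond the 3DES case to AES and tunnel mode so the same arithmetic can be checked for other transform sets. Byte counts for other cipher suites (AES-GCM, for instance) differ and would need their own table entries.

```python
import math

GRE_BASE = 4          # minimal GRE header
GRE_OPTION = 4        # each of key, sequence number, checksum adds 4 bytes
IP_HDR = 20           # IPv4 header without options
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header
UDP_HDR = 8           # NAT-T UDP encapsulation, if negotiated

# (IV length, cipher block size) and HMAC ICV length, in bytes
CIPHERS = {"3des": (8, 8), "aes": (16, 16), "null": (0, 1)}
ICVS = {"md5": 12, "sha": 12, "sha256": 16}


def gre_overhead(key=True, sequencing=False, checksum=False):
    return GRE_BASE + GRE_OPTION * (int(key) + int(sequencing) + int(checksum))


def encapsulated_size(inner_len, cipher="3des", hmac="sha", mode="transport",
                      key=True, nat_t=False):
    """Size on the wire of an inner IP packet of inner_len bytes after GRE + IPsec."""
    iv, block = CIPHERS[cipher]
    # What ESP encrypts: GRE header + inner packet + ESP trailer; in tunnel mode the
    # GRE delivery IP header is encrypted too and a new outer IP header is added.
    plaintext = gre_overhead(key) + inner_len + ESP_TRAILER
    if mode == "tunnel":
        plaintext += IP_HDR
    padded = math.ceil(plaintext / block) * block
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + ICVS[hmac]


def needs_fragmentation(inner_len, wan_mtu, **kw):
    """The post-encapsulation check the answer describes: does the packet still fit?"""
    size = encapsulated_size(inner_len, **kw)
    return size, size > wan_mtu


def max_inner_len(wan_mtu, **kw):
    """Largest inner packet that still fits the WAN MTU after encapsulation
    (what 'ip mtu' on the tunnel should be at most)."""
    best = wan_mtu - 200          # overhead is well under 200 bytes, so start here
    for n in range(best, wan_mtu + 1):
        if encapsulated_size(n, **kw) <= wan_mtu:
            best = n
    return best


def mss_for_ip_mtu(ip_mtu):
    """TCP MSS that fits the tunnel's ip mtu: MTU minus IPv4 and TCP headers."""
    return ip_mtu - IP_HDR - 20


if __name__ == "__main__":
    size, frag = needs_fragmentation(1400, wan_mtu=1400)
    print(f"1400-byte packet -> {size} bytes on the wire, fragment on a 1400 MTU WAN: {frag}")
    print("largest inner packet for a 1500-byte WAN MTU:", max_inner_len(1500))
    print("adjust-mss for ip mtu 1400:", mss_for_ip_mtu(1400))
```

With a 1400-byte `ip mtu` on the WAN interface itself, every full-size tunnel packet is fragmented after encapsulation; leaving the WAN interface at 1500 and keeping `ip mtu 1400` / `ip tcp adjust-mss 1360` on the tunnel is what the arithmetic supports.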

  • Static - dynamic site-to-site VPN / DMVPN tunnel

    Hello

    I have two sites: Site-A with a Cisco ASA 5505 with a static IP configuration, and Site-B with a Cisco 1841 ISR with a dynamic IP configuration.

    See the attached diagram for an overview.

    The goal is to have a site-to-site VPN tunnel between the two sites so that desktops sitting in Site-B can access the application servers residing in Site-A.

    Please suggest

    Regards

    @Mohammed

    Hello

    For a site-to-site IPsec, the ASA is the static side and it should have the 'dynamic' configuration, and the dynamic side, the 1841 ISR, should have the static configuration:

    I'll give an example configuration to achieve this, but you can use different encryption algorithms:

    ASA 5505:

    Phase 1:

    crypto isakmp policy 1
     encryption 3des
     hash md5
     authentication pre-share
     group 2

    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key cisco123

  • PIX conduit to ACL conversion issue

    In a simple 3-leg PIX setup with a single conduit allowing access from the outside to a DMZ host, and no restrictions on inside traffic for outbound connections: how do I convert the conduit to an ACL on the outside interface that allows outside traffic to the DMZ host without blocking the return traffic of connections from the inside to the outside?

    David

    Hi David -

    Leo did a great job of answering your exact configuration.

    Let's look at the ASA - the Adaptive Security Algorithm - which is at the heart of the PIX, for more detail to answer your questions above.

    Let's walk through a scenario -

    1 - A packet is received on an interface

    2 - Is the packet part of an existing flow?

    Yes - accept the packet and pass it on.

    No - continue through this routine

    3 - Does an ACL exist on the interface?

    Yes - process against the ACL

    No - go to step 5

    4 - Process the packet against the ACL on the interface.

    Permitted by the ACL - pass the traffic and create state

    Denied by the ACL - drop and log if necessary

    5 - Since there is no ACL and there is no state, use the security levels associated with the interfaces to determine the behavior.

    Is the packet going from a higher to a lower security interface?

    Yes - permit and establish state

    No - drop and log if necessary

    The example above does not take into account the appropriate translations that need to be configured.

    I'll get a more detailed example of the ASA behaviour from CCO.

    Give me your thoughts on the above.

    Thank you

    Peter
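Peter's five steps are a small state machine, and writing them out as code makes it clear why the return traffic of inside-to-outside connections is never touched by an outside ACL: it is accepted at step 2, before any ACL is consulted. The simulation below is an added example and not code from the thread or from Cisco; it models the three-leg setup of the question (inside 100, dmz 50, outside 0, one conduit-style permit for a DMZ web host) and, like Peter's walkthrough, leaves NAT out. The addresses, interface names and ACL entries are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # source prefix (CIDR)
    dst: str                    # destination prefix (CIDR)
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p):
        return ((self.proto == "ip" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, levels, routes, acls):
        self.levels = levels   # interface name -> security level
        self.routes = routes   # prefix -> egress interface (longest match wins)
        self.acls = acls       # interface name -> inbound ACL (list of Ace), if any
        self.flows = set()     # connection table: forward 5-tuples

    def _egress(self, dst):
        hits = [(ip_network(n), i) for n, i in self.routes.items() if ip_address(dst) in ip_network(n)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def process(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Step 2: part of an existing flow? Replies match the reversed tuple.
        if fwd in self.flows or rev in self.flows:
            return "permit", "existing flow"
        # Steps 3-4: an inbound ACL on the ingress interface decides,
        # with the implicit deny at its end.
        acl = self.acls.get(p.in_if)
        if acl is not None:
            for ace in acl:
                if ace.matches(p):
                    if ace.action == "permit":
                        self.flows.add(fwd)
                        return "permit", "acl permit, state created"
                    return "drop", "acl deny"
            return "drop", "acl implicit deny"
        # Step 5: no ACL and no state -> compare ingress and egress security levels.
        out_if = self._egress(p.dst)
        if out_if is None:
            return "drop", "no route"           # not in the walkthrough, but needed to pick an egress
        lvl_in, lvl_out = self.levels[p.in_if], self.levels[out_if]
        if lvl_in > lvl_out:
            self.flows.add(fwd)
            return "permit", f"{p.in_if}({lvl_in}) -> {out_if}({lvl_out}), state created"
        return "drop", f"{p.in_if}({lvl_in}) -> {out_if}({lvl_out})"


def demo():
    """Three-leg setup from the question: outside may reach one DMZ host on tcp/80 only."""
    fw = StatefulFirewall(
        levels={"inside": 100, "dmz": 50, "outside": 0},
        routes={"10.0.0.0/8": "inside", "192.0.2.0/24": "dmz", "0.0.0.0/0": "outside"},
        acls={"outside": [Ace("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80)]},
    )
    packets = [
        Packet("inside", "tcp", "10.1.1.5", 40000, "198.51.100.7", 443),    # inside -> Internet
        Packet("outside", "tcp", "198.51.100.7", 443, "10.1.1.5", 40000),   # its reply
        Packet("outside", "tcp", "198.51.100.9", 51000, "192.0.2.10", 80),  # allowed by the ACE
        Packet("outside", "tcp", "198.51.100.9", 51001, "192.0.2.10", 22),  # no matching ACE
        Packet("dmz", "tcp", "192.0.2.10", 3000, "10.1.1.5", 445),          # lower -> higher, no ACL
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:6s} {reason}")
```

The second packet is the one the question worries about: it arrives on the outside interface where the ACL lives, but because the inside-initiated connection already created state it never reaches step 3.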

  • ASA per-tunnel-group authentication issue

    Is it possible to do per-tunnel-group authentication on ASA 8.4.x?

    Here are the scenarios:

    (1) tunnel-group_A performs authentication using a digital certificate (PKI)

    (2) tunnel-group_B performs authentication using AAA (RSA SecurID token)

    (3) tunnel-group_C performs authentication using LOCAL (AAA users defined locally)

    Tunnel-group_A, B and C all use the same physical interface, the outside interface.

    I tested it, but it doesn't work the way I expected.  BTW, I have already disabled "ssl certificate-authentication interface outside port 443"

    Here are the test results:

    If tunnel-group_A is configured with certificate, then the tunnel-group_B connection fails, but the tunnel-group_C connection works fine.

    It seems that tunnel-group_B tries to authenticate with a certificate too, even though it is not configured for one.  BTW, it seems that authentication with LOCAL still works.

    I understand that you can configure tunnel_group_A with "both" certificate and AAA, but that's not what I want.

    Has anyone seen this before?  Is there a way around it?

    Thank you

    Joe,

    Yes, I would then use group-url. And I would create an XML profile with the specific URL in the server list.

    Server list

    Let me know.

  • DMVPN tunnels causing 99% CPU on a 2951

    Saw this issue today with a spoke in India.  We have a dual-hub dual-cloud setup, and if either tunnel is up the CPU spikes to 99% and the router starts to drop packets.  If I shut down both tunnels, everything returns to normal, and I have no idea what could be causing this.  Something pushing a large amount of data through the DMVPN tunnels?  Once I bring up the backup tunnels I see EIGRP flapping constantly and the CPU peaks immediately, but nothing shows me what is causing the problem.   If it were someone trying to push traffic between sites, it would show no matter which tunnel is up because they are redundant, but I am at a loss.

    No changes to this router.  Any ideas?

    DMVPN tunnels shut:

    CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 18%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
      88       46924        1768      26540  0.15%  0.11%  0.10%   0 Per-Second Jobs
     107       48420        5072       9546  0.23%  0.19%  0.18%   0 Netclock Backgro
     145       12028      116244        103  0.07%  0.10%  0.08%   0 Ethernet Msec Ti
     458       11244      194180         57  0.39%  0.39%  0.35%   0 IP SLAs XOS Even

    1 or 2 DMVPN tunnels up:

    CPU utilization for five seconds: 99%/97%; one minute: 51%; five minutes: 53%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
      88       46856        1418      33043  0.15%  0.11%  0.10%   0 Per-Second Jobs
     107       48164        3691      13049  0.07%  0.15%  0.16%   0 Netclock Backgro
     117       23784        2362      10069  0.15%  0.16%  0.11% 644 SSH Process
     128        7040       33962        207  0.07%  0.06%  0.05%   0 SEC BATCH
     145       12024       72842        165  0.07%  0.08%  0.08%   0 Ethernet Msec Ti
     455      184752        1484     124495  0.38%  0.13%  0.24%   0 CFT Timer Proces
     456      862876        2097     411481  0.54%  0.29%  0.40%   0 FNF Cache Ager P
     458       11168      108909        102  0.07%  0.25%  0.23%   0 IP SLAs XOS Even

    You have high interrupt CPU, and that is what is causing the high CPU. Traffic is hitting the CPU...

    Make sure that CEF switching is enabled on all interfaces.

    Visit this link for possible causes of high interrupt CPU...

    http://www.Cisco.com/c/en/us/support/docs/routers/7500-series-routers/41...

    Thank you

    Véronique
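The diagnosis above rests on reading the first line of `show processes cpu` correctly: `99%/97%` means 99% total of which 97% is interrupt-level (packet switching) time, so the process table cannot explain the load and the cause is traffic being switched in the slow path. The parser below is an added example, not code from the thread; it splits a snapshot into interrupt versus process CPU and names the top process only when the process part dominates. The three sample snapshots are constructed, the first two from the figures in the question and the third a made-up process-bound case.

```python
import re

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")


def parse_proc_cpu(text):
    """Split a 'show processes cpu' snapshot into total / interrupt / process CPU
    and the per-process 5-second figures."""
    m = HEADER_RE.search(text)
    total, interrupt, one_min, five_min = map(int, m.groups())
    procs = []
    for line in text.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            procs.append({"pid": int(pm.group(1)), "five_sec": float(pm.group(5)),
                          "name": pm.group(9)})
    return {"total": total, "interrupt": interrupt, "process": total - interrupt,
            "one_min": one_min, "five_min": five_min, "procs": procs}


def classify(snapshot, high=70):
    """'normal', 'interrupt' (switching path, check CEF / punts) or 'process:<name>'."""
    if snapshot["total"] < high:
        return "normal"
    if snapshot["interrupt"] >= snapshot["total"] / 2:
        return "interrupt"
    top = max(snapshot["procs"], key=lambda p: p["five_sec"], default=None)
    return f"process:{top['name']}" if top else "process"


# Constructed samples (headers and rows modelled on the question's output).
TUNNELS_DOWN = """\
CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 18%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  88       46924        1768      26540  0.15%  0.11%  0.10%   0 Per-Second Jobs
 458       11244      194180         57  0.39%  0.39%  0.35%   0 IP SLAs XOS Even
"""
TUNNELS_UP = """\
CPU utilization for five seconds: 99%/97%; one minute: 51%; five minutes: 53%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 117       23784        2362      10069  0.15%  0.16%  0.11% 644 SSH Process
 456      862876        2097     411481  0.54%  0.29%  0.40%   0 FNF Cache Ager P
"""
PROCESS_BOUND = """\
CPU utilization for five seconds: 92%/3%; one minute: 88%; five minutes: 80%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  71      123456       98765       1250 85.00% 80.00% 70.00%   0 IP Input
 117       23784        2362      10069  0.15%  0.16%  0.11% 644 SSH Process
"""

if __name__ == "__main__":
    for name, text in (("down", TUNNELS_DOWN), ("up", TUNNELS_UP), ("constructed", PROCESS_BOUND)):
        s = parse_proc_cpu(text)
        print(name, s["total"], s["interrupt"], s["process"], classify(s))
```

The constructed third snapshot is the other shape worth recognising: a high total with a low interrupt share and one process (here IP Input) carrying it, which points at process switching or punted traffic rather than the switching path itself.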

  • DMVPN tunnel not establishing - wrong NHRP address

    I am trying to establish a DMVPN tunnel on a new router that we are moving to a remote location. We already have a hub and several other remote sites that work properly. I can ping everything at another remote site, but I do not see the correct address appear when I do a "show dmvpn". Also the SA does not appear when I do a "show crypto isakmp sa".

    UARouter#show dmvpn

    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254       172.19.1.1    UP    1d10h     S

    Then I ping a remote machine.

    UARouter#ping 192.168.2.40 source loopback 5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.40, timeout is 2 seconds:
    Packet sent with a source address of 192.168.12.254
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 352/353/356 ms

    UARouter#show dmvpn

    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         2 63.162.52.254       172.19.1.1    UP    1d10h     S
                               172.19.1.2    UP 00:00:32

    It does not seem to resolve to the real peer NBMA address 203.98.212.254, but resolves to the hub instead.

    UARouter#show ip nh

    UARouter#show ip nhrp brief

    Target          Via             NBMA            Mode    Intfc  Claimed
    172.19.1.1/32   172.19.1.1      63.162.52.254   static  Tu0    <  >
    172.19.1.2/32   172.19.1.2      63.162.52.254   dynamic Tu0    <  >

    UARouter#show cry isa sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    63.162.52.254   109.237.82.114  QM_IDLE           1003 ACTIVE

    Here is the output from a different router that works.

    TaiwanRTR#show dmvpn

    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:8,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254       172.19.1.1    UP     1w4d     S
         1 203.98.212.254      172.19.1.2           1w4d     D

    TaiwanRTR#show ip nhrp brief

    Target          Via             NBMA            Mode    Intfc  Claimed
    172.19.1.1/32   172.19.1.1      63.162.52.254   static  Tu0    <  >
    172.19.1.2/32   172.19.1.2      203.98.212.254  dynamic Tu0    <  >

    Here are the DMVPN configs. They are identical except for the ip address and the fact that I cannot use the command no ip mroute-cache, because it is not recommended on the new router since we use a newer IOS. I also use the physical interface directly instead of a loopback. The loopback on the TaiwanRTR is a public IP address.

    AU Router

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.12 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     delay 1000
     qos pre-classify
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared

    TaiwanRTR

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.6 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     no ip mroute-cache
     delay 1000
     tunnel source Loopback2
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared
    end

    On both devices we use the same crypto parameters. We use certificates instead of pre-shared keys.

    crypto isakmp policy 1
     encr 3des
    crypto isakmp keepalive 10
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile DMVPN
     set transform-set RIGHT

    Does anyone have ideas on what could be happening?

    Here is my DMVPN router ACL...

    10 permit esp any any (22214502 matches)
    20 permit udp any any eq isakmp (375 matches)
    30 permit udp any any eq non500-isakmp
    40 permit icmp any any (40005 matches)

    Works 100% for me.

    I will note that my line 20 used to be "permit udp any eq isakmp any eq isakmp", but I found that when my routers were behind other devices the source port wouldn't be 500 and things didn't work, so I had to open it up.

  • Limitation with the number of entries in a Tunnel of Split ACL

    Hey Cisco community!

    I am facing a problem with a Cisco hub and spoke to the solution.

    We have 2 Hubs (Cisco 7200-2 for redudancy). All clients have a RADIUS (Cisco 881). The rays are 24/24 reported the 2 hubs (2 dmvpn tunnel) to give us access to our monitoring and support equipment.

    Each talk have a NAT table with a specific NAT range for each talk. That way, we can reach every devices with a single IP address within the VPN.

    For example:

    -Spoke_001 have a range of IP NAT 10.80.0.0 255.255.254.0

    -Spoke_002 have a range of IP NAT 10.80.2.0 255.255.254.0

    ...

    To connect to hubs with our mobile phones, we use the Cisco VPN client. We have different profiles created in the regional centres:

    -Profile Admin with an ACL that allow connectivity with each talk

    -Integrator profiles: which allow connectivity to an integrator to some defined rays.

    So the integrating profile looks like this in the hub

    Configuration group customer crypto isakmp [NAME]

    Touch [password]

    [domain]

    pool [NAME]

    ACL [NAME_VPN_Split]

    !

    Profile of crypto isakmp [NAME]

    Profile of clients VPN Description Group [NAME]

    identity group match [NAME]

    list of authentication of client VPN_Client_AUTHEN

    VPN_Client_AUTHOR of ISAKMP authorization list.

    client configuration address respond

    IP local pool [NAME]...

    And the relationship of this group access list:

    [NAME_VPN_Split] extended IP access list

    IP 10.82.20.0 allow 0.0.1.255 all

    IP 10.82.24.0 allow 0.0.1.255 all

    IP 10.81.238.0 allow 0.0.1.255 all

    IP 10.82.4.0 allow 0.0.1.255 all

    IP 10.82.44.0 allow 0.0.1.255 all

    IP 10.81.242.0 allow 0.0.1.255 all

    ...

    In the access list, we can modify the subnets to reduce the number of entries, but some groups should have access to a spoke with a NAT IP range that we can summarize in one line (see example).

    The problem we have is: when we have more than 50 entries in the ACL, the 51st entry does not work:

    -The VPN client does not receive the route to this network; the route is not added on the connected PC

    -Even if the route is added manually on the PC, the 51st network in the ACL is not reachable.

    Do you know why there is a limit of 50 entries in a split-tunnel ACL?

    Do you know if there is a solution to avoid this problem?

    The problem is that if we cannot summarize an ACL in fewer than 50 lines, we will have to create a second profile and know which one to use for the network that... Not really a good solution.

    Thanks in advance!

    Version:

     ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)

     BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(15), RELEASE SOFTWARE (fc3)

     System image file is "disk2:c7200-advsecurityk9-mz.151-4.M2.bin"
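    The poster's idea of summarizing the split-tunnel ACL to stay under the limit can be checked mechanically. The script below is an added example, not code from the post: it parses IOS `permit ip <addr> <wildcard> any` entries, converts each contiguous wildcard to a CIDR prefix (rejecting non-contiguous wildcards instead of mis-summarizing them), collapses adjacent prefixes with the standard library, and reports whether the result fits the 50-entry limit the post describes. The sample ACL is the six entries quoted above plus two constructed neighbours (10.82.22.0 and 10.81.240.0) so that the collapsing step has something to do; the function and constant names are this example's own.

```python
import ipaddress
import re
from typing import Dict, List

# Limit quoted in the post for split tunnelling configured via a crypto map.
SPLIT_ACL_LIMIT = 50

# Constructed sample: the six ACEs from the post plus two neighbouring /23s
# (10.82.22.0 and 10.81.240.0) added here to demonstrate summarization.
SAMPLE_ACL = """
ip access-list extended NAME_VPN_Split
 permit ip 10.82.20.0 0.0.1.255 any
 permit ip 10.82.24.0 0.0.1.255 any
 permit ip 10.81.238.0 0.0.1.255 any
 permit ip 10.82.4.0 0.0.1.255 any
 permit ip 10.82.44.0 0.0.1.255 any
 permit ip 10.81.242.0 0.0.1.255 any
 permit ip 10.82.22.0 0.0.1.255 any
 permit ip 10.81.240.0 0.0.1.255 any
"""

_ACE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+any\s*$")


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is a run of low-order ones (0.0.1.255, 0.0.0.255 ...)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return ((wc + 1) & wc) == 0  # wc + 1 must be a power of two


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to one CIDR network.

    Non-contiguous wildcards match scattered addresses and have no single
    prefix equivalent, so they are rejected rather than silently approximated.
    strict=True also rejects an address with host bits set for the derived prefix.
    """
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    wc = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 33 - (wc + 1).bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=True)


def parse_split_acl(text: str) -> List[ipaddress.IPv4Network]:
    """Extract the destination networks from 'permit ip <net> <wildcard> any' ACEs."""
    nets = []
    for line in text.splitlines():
        m = _ACE.match(line)
        if m:
            nets.append(wildcard_to_network(m.group(1), m.group(2)))
    return nets


def network_to_ace(net: ipaddress.IPv4Network) -> str:
    """Render a network back as an IOS ACE (hostmask is the wildcard)."""
    return f" permit ip {net.network_address} {net.hostmask} any"


def check_split_acl(text: str, limit: int = SPLIT_ACL_LIMIT) -> Dict[str, object]:
    """Summarize the ACL and report whether it fits under the entry limit."""
    nets = parse_split_acl(text)
    summary = list(ipaddress.collapse_addresses(nets))  # merges adjacent/contained prefixes
    return {
        "original_entries": len(nets),
        "summarized_entries": len(summary),
        "within_limit": len(summary) <= limit,
        "acl": [network_to_ace(n) for n in summary],
    }


if __name__ == "__main__":
    report = check_split_acl(SAMPLE_ACL)
    print(f"{report['original_entries']} entries -> {report['summarized_entries']} "
          f"after summarization (limit {SPLIT_ACL_LIMIT}, ok={report['within_limit']})")
    for ace in report["acl"]:
        print(ace)
```

    Over the sample input the eight /23 entries collapse to six, because 10.82.20.0/23 with 10.82.22.0/23 becomes 10.82.20.0/22 and 10.81.240.0/23 with 10.81.242.0/23 becomes 10.81.240.0/22; the remaining entries have no aligned neighbour and stay as they are. Note that summarization only ever widens what the client routes into the tunnel, so each merged prefix should be checked against the groups' intended reach.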

    Yes, there is a strict limit of 50 split-tunnel ACL entries when you configure it the old-fashioned way (i.e. with a crypto map).

    If you configure it using dynamic VTI, then there is no limit on split-tunnel ACL entries.

    Here is an example configuration for dynamic VTI:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_vpnips/configuration/15-Mt/sec-IPSec-virt-tunnl.html#GUID-E9EB4518-6269-42E8-908C-57BA5D6334A5

    Hope that answers your question.

  • DMVPN spoke issues after migrating dual ISR2 3925 hubs to ASR-1001X

    Hello all

    After migrating our dual-hub DMVPN solution from ISR2 3925 to ASR-1001X (running asr1001x-universalk9.03.12.03.S.154-2.S3-std.SPA.bin) we started to have problems with spoke tunnels flapping (going up and down) and sometimes never coming up at all.

    Running 'show dmvpn' on the spoke shows it stuck in NHRP state towards our hub. To work around the problem, we run 'shutdown' and then 'no shutdown' on the spoke's tunnel interface to actually get the DMVPN up. Running 'clear crypto session' on the spoke also often solves the problem. So it seems that the issue has something to do with IPsec.

    When the problem occurs and we run debug crypto ipsec, debug crypto isakmp, debug crypto engine and debug crypto socket, the following can be seen on the hub:

     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 140130067548488, message ID = 629121681
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): seq. no 0x64B2238C
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet.
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):purging node 629121681
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:41 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP: set new node 3442686097 to QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 3442686097
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 3442686097, sa = 0x7F72986867D0
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): DPD/R_U_THERE_ACK received from peer , sequence 0x64B2238C
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):deleting node 3442686097 error FALSE reason "Informational (in) state 1"
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:42 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A438
     Jun 25 10:01:42 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
     Jun 25 10:01:42 SUMMERT: ISAKMP:(46580):purging node 1111296046
     Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 928225319 to QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing SA payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Checking IPSec proposal 1
     Jun 25 10:01:44 SUMMERT: ISAKMP: transform 1, ESP_AES
     Jun 25 10:01:44 SUMMERT: ISAKMP: attributes in transform:
     Jun 25 10:01:44 SUMMERT: ISAKMP: encaps is 2 (Transport)
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in seconds
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (basic) of 3600
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in kilobytes
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
     Jun 25 10:01:44 SUMMERT: ISAKMP: authenticator is HMAC-SHA
     Jun 25 10:01:44 SUMMERT: ISAKMP: key length is 256
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):atts are acceptable.
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local  /255.255.255.255/0, remote  /255.255.255.255/0, prot 47, ifc Tu3300
     Jun 25 10:01:44 SUMMERT: IPSEC(recalculate_mtu): reset sadb_root 7F7292E64990 mtu to 1500
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending Socket Ready message
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NONCE payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):QM Responder gets spi
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
     Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 
     Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating profile-shared Tunnel3300 ident 7F7298B2BF80 with lookup_oce 7F7296BF5440
     Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x14F40C56(351538262), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27873 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0
     Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x3B4731D7(994521559), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27874 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Received IPSec Install callback... proceeding with the negotiation
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Successfully installed IPSEC SA (SPI:0x14F40C56) on Tunnel3300
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet.
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
     Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 1979798297 to QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 1979798297
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 351538262, message ID = 1979798297, sa = 0x7F72986867D0
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): deleting spi 351538262 message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 928225319 error TRUE reason "Delete Larval"
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):peer does not do paranoid keepalives.
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x3B4731D7)
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 1979798297 error FALSE reason "Informational (in) state 1"
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:44 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A340
     Jun 25 10:01:44 SUMMERT: IPSEC(key_engine_delete_sas): delete SA with spi 0x3B4731D7 proto 50 for 
     Jun 25 10:01:44 SUMMERT: IPSEC(update_current_outbound_sa): updated peer  current outbound sa to SPI 0
     Jun 25 10:01:44 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending request for CRYPTO SS CLOSE SOCKET

     #sh pl ha qf ac fe ipsec data drop
     ------------------------------------------------------------------------
     Drop Type  Name                                      Packets
     ------------------------------------------------------------------------
             3  IN_US_V4_PKT_FOUND_IPSEC_NOT_ENABLED       127672
            19  IN_OCT_ANTI_REPLAY_FAIL                     13346
            20  IN_UNEXP_OCT_EXCEPTION                       4224
            33  OUT_V4_PKT_HIT_IKE_START_SP                  1930
            62  IN_OCT_MAC_EXCEPTION                            9

     #sh plat hard qfp act stat drop | e _0_
     -------------------------------------------------------------------------
     Global Drop Stats                         Packets                  Octets
     -------------------------------------------------------------------------
     Disabled                                        1                      82
     IpFragErr                                  170536               246635169
     IpTtlExceeded                                4072                  343853
     IpsecIkeIndicate                             1930                  269694
     IpsecInput                                 145256                30071488
     Ipv4Acl                                   2251965               215240194
     Ipv4Martian                                  6248                  692010
     Ipv4NoAdj                                   43188                 7627131
     Ipv4NoRoute                                   278                   27913
     Ipv4Unclassified                                6                     378
     MplsNoRoute                                   790                   69130
     MplsUnclassified                                1                      60
     ReassTimeout                                   63                   10156
     ServiceWireHdrErr                            2684                  585112

    In addition, after running 'logging dmvpn rate-limit 20' on the hub:

     %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel292: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel:  NBMA: )

    On the spokes, the following can also be seen in the debugs:

     *Jun 25 09:17:26.884: ISAKMP:(1032): sitting IDLE. Starting QM immediately (QM_IDLE )
     *Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281
     *Jun 25 09:17:26.884: ISAKMP:(1032):QM Initiator gets spi
     *Jun 25 09:17:26.884: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:26.884: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:26.884: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
     *Jun 25 09:17:26.884: ISAKMP:(1032):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
     *Jun 25 09:17:26.940: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032): processing HASH payload. message ID = 1599359281
     *Jun 25 09:17:26.940: ISAKMP:(1032): processing SA payload. message ID = 1599359281
     *Jun 25 09:17:26.940: ISAKMP:(1032):Checking IPSec proposal 1
     *Jun 25 09:17:26.940: ISAKMP: transform 1, ESP_AES
     *Jun 25 09:17:26.940: ISAKMP: attributes in transform:
     *Jun 25 09:17:26.940: ISAKMP: encaps is 2 (Transport)
     *Jun 25 09:17:26.940: ISAKMP: SA life type in seconds
     *Jun 25 09:17:26.940: ISAKMP: SA life duration (basic) of 3600
     *Jun 25 09:17:26.940: ISAKMP: SA life type in kilobytes
     *Jun 25 09:17:26.940: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
     *Jun 25 09:17:26.940: ISAKMP: authenticator is HMAC-SHA
     *Jun 25 09:17:26.940: ISAKMP: key length is 256
     *Jun 25 09:17:26.940: ISAKMP:(1032):atts are acceptable.
     *Jun 25 09:17:26.940: IPSEC(ipsec_process_proposal): proxy identities not supported
     *Jun 25 09:17:26.940: ISAKMP:(1032): IPSec policy invalidated proposal with error 32
     *Jun 25 09:17:26.940: ISAKMP:(1032): phase 2 SA policy not acceptable! (local  remote )
     *Jun 25 09:17:26.940: ISAKMP: set new node -1745931191 to QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 834718720, message ID = 2549036105
     *Jun 25 09:17:26.940: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:26.940: ISAKMP:(1032):purging node -1745931191
     *Jun 25 09:17:26.940: ISAKMP:(1032):deleting node 1599359281 error TRUE reason "QM rejected"
     *Jun 25 09:17:26.940: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
     *Jun 25 09:17:26.940: ISAKMP:(1032):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1
     *Jun 25 09:17:34.068: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE
     *Jun 25 09:17:34.068: ISAKMP: set new node 1021264821 to QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032): processing HASH payload. message ID = 1021264821
     *Jun 25 09:17:34.072: ISAKMP:(1032): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 1021264821, sa = 0x32741028
     *Jun 25 09:17:34.072: ISAKMP:(1032):deleting node 1021264821 error FALSE reason "Informational (in) state 1"
     *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     *Jun 25 09:17:34.072: ISAKMP:(1032):DPD/R_U_THERE received from peer , sequence 0x64B2279D
     *Jun 25 09:17:34.072: ISAKMP: set new node 716440334 to QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 834719464, message ID = 716440334
     *Jun 25 09:17:34.072: ISAKMP:(1032): seq. no 0x64B2279D
     *Jun 25 09:17:34.072: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:34.072: ISAKMP:(1032):purging node 716440334
     *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     *Jun 25 09:17:35.356: ISAKMP:(1032):purging node 206299144

    Obviously something seems to be wrong with phase 2 not coming up. But why does it come up after clearing the crypto session, or after shutting down and re-enabling the tunnel interface on the spoke?

    Very weird. Also, looking at the hub debug messages, it seems that the crypto is associated with the wrong tunnel interface, Tu3300, when it should be Tu2010. Normal or bug?

    The configuration of the hub looks like this:

     crypto keyring ISP1-DMVPN vrf ISP1-DMVPN
       pre-shared-key address 0.0.0.0 0.0.0.0 key 
     crypto isakmp policy 10
      encr aes
      authentication pre-share
     crypto isakmp keepalive 10 3 periodic
     crypto isakmp nat keepalive 10
     crypto isakmp profile ISP1-DMVPN
        keyring ISP1-DMVPN
        match identity address 0.0.0.0 ISP1-DMVPN
        keepalive 10 retry 3
     crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
      mode tunnel
     crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
      mode transport
     crypto ipsec profile ISP1-DMVPN
      set transform-set AES256-SHA AES256-SHA-TRANSPORT
      set isakmp-profile ISP1-DMVPN
     vrf definition ISP1-DMVPN
      description DMVPN-Outside-ISP1
      rd 65527:10
      !
      address-family ipv4
      exit-address-family
     !
     !
     interface TenGigabitEthernet0/0/0
      no ip address
     !
     interface TenGigabitEthernet0/0/0.71
      description VPN;ISP1-DMVPN;Outside;VLAN71
      encapsulation dot1Q 71
      vrf forwarding ISP1-DMVPN
      ip address  255.255.255.128
      no ip proxy-arp
      ip access-group acl_ISP1-DMVPN_IN in
     !
     ip route vrf ISP1-DMVPN 0.0.0.0 0.0.0.0  name ISP1;Default
     ip access-list extended acl_ISP1-DMVPN_IN
      permit icmp any any
      permit esp any host 
      permit gre any host 
      permit udp any host  eq isakmp
      permit udp any host  eq non500-isakmp
      deny ip any any
     vrf definition 2010
      description CUSTA - Customer A
      rd 65527:2010
      route-target export 65527:2010
      route-target import 65527:2010
      !
      address-family ipv4
      exit-address-family
     !
     !
     interface Tunnel2010
      description CUSTA;DMVPN;Failover-secondary
      vrf forwarding 2010
      ip address 10.97.0.34 255.255.255.240
      no ip redirects
      ip mtu 1380
      ip nhrp map multicast dynamic
      ip nhrp network-id 2010
      ip nhrp holdtime 120
      ip nhrp server-only
      ip nhrp max-send 1000 every 10
      ip tcp adjust-mss 1340
      tunnel source TenGigabitEthernet0/0/0.71
      tunnel mode gre multipoint
      tunnel key 2010
      tunnel vrf ISP1-DMVPN
      tunnel protection ipsec profile ISP1-DMVPN shared
     router bgp 65527
      !
      address-family ipv4 vrf 2010
       redistribute connected metric 10
       redistribute static metric 15
       neighbor 10.97.0.39 remote-as 65028
       neighbor 10.97.0.39 description spokerouter;Tunnel1
       neighbor 10.97.0.39 update-source Tunnel2010
       neighbor 10.97.0.39 activate
       neighbor 10.97.0.39 soft-reconfiguration inbound
       neighbor 10.97.0.39 prefix-list EXPORT-IVPN-VRF2010 out
       neighbor 10.97.0.39 route-map AllVRF-LocalPref-80 in
       neighbor 10.97.0.39 maximum-prefix 5000 80
       default-information originate
      exit-address-family

    Spoke configuration:

     crypto keyring DMVPN01
       pre-shared-key address 0.0.0.0 0.0.0.0 key 
     crypto isakmp policy 10
      encr aes
      authentication pre-share
     crypto isakmp invalid-spi-recovery
     crypto isakmp profile DMVPN01
        keyring DMVPN01
        match identity address 0.0.0.0
        keepalive 10 retry 3
     crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
      mode tunnel
     crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
      mode transport
     crypto ipsec profile DMVPN01
      set transform-set AES256-SHA-TRANSPORT
      set isakmp-profile DMVPN01
     vrf definition inside
      rd 65028:1
      route-target export 65028:1
      route-target import 65028:1
      !
      address-family ipv4
      exit-address-family
     !
     interface Tunnel1
      description DMVPN to HUB
      vrf forwarding inside
      ip address 10.97.0.39 255.255.255.240
      no ip redirects
      ip mtu 1380
      ip nhrp map 10.97.0.33 
      ip nhrp map multicast 
      ip nhrp map 10.97.0.34 
      ip nhrp map multicast 
      ip nhrp network-id 1
      ip nhrp holdtime 120
      ip nhrp nhs 10.97.0.33
      ip nhrp nhs 10.97.0.34
      ip nhrp registration no-unique
      ip nhrp registration timeout 60
      ip tcp adjust-mss 1340
      tunnel source GigabitEthernet0/0
      tunnel mode gre multipoint
      tunnel key 2010
      tunnel protection ipsec profile DMVPN01 shared
     router bgp 65028
      !
      address-family ipv4 vrf inside
       bgp router-id 172.28.5.137
       network 10.97.20.128 mask 255.255.255.128
       network 10.97.21.0 mask 255.255.255.0
       network 10.97.22.0 mask 255.255.255.0
       network 10.97.23.0 mask 255.255.255.0
       network 172.28.5.137 mask 255.255.255.255
       neighbor 10.97.0.33 remote-as 65527
       neighbor 10.97.0.33 description HUB1;Tunnel2010
       neighbor 10.97.0.33 update-source Tunnel1
       neighbor 10.97.0.33 timers 10 30
       neighbor 10.97.0.33 activate
       neighbor 10.97.0.33 send-community both
       neighbor 10.97.0.33 soft-reconfiguration inbound
       neighbor 10.97.0.33 prefix-list IROUTE-EXPORT out
       neighbor 10.97.0.33 maximum-prefix 5000 80
       neighbor 10.97.0.34 remote-as 65527
       neighbor 10.97.0.34 description HUB2;tunnel2010
       neighbor 10.97.0.34 update-source Tunnel1
       neighbor 10.97.0.34 timers 10 30
       neighbor 10.97.0.34 activate
       neighbor 10.97.0.34 send-community both
       neighbor 10.97.0.34 soft-reconfiguration inbound
       neighbor 10.97.0.34 prefix-list IROUTE-EXPORT out
       neighbor 10.97.0.34 route-map AllVRF-LocalPref-80 in
       neighbor 10.97.0.34 maximum-prefix 5000 80
      exit-address-family

    If more information is needed, please say so.

    Any help or advice would be greatly appreciated!

    Thank you!
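    The spoke debug above carries the diagnostic detail in one place: the proposal passes ("atts are acceptable") and then the IPsec layer rejects the exchange ("proxy identities not supported", "IPSec policy invalidated proposal with error 32"), so the quick-mode node ends with "QM rejected" and a PROPOSAL_NOT_CHOSEN notify. The script below is an added example, not code from the post, that triages a `debug crypto isakmp` capture per ISAKMP SA: it records whether phase 1 completed, which quick-mode exchanges were started, how many proposals were accepted, and which exchanges were rejected and why, separating a transform mismatch from a proxy-identity (traffic selector) mismatch. The input is a trimmed excerpt of the spoke output quoted above, one entry per line; the class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed excerpt of the spoke-side 'debug crypto isakmp' output quoted in the post,
# one entry per line (peer addresses were already blank in the post).
SAMPLE_DEBUG = """\
*Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281
*Jun 25 09:17:26.884: ISAKMP:(1032):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 25 09:17:26.940: ISAKMP:(1032): processing SA payload. message ID = 1599359281
*Jun 25 09:17:26.940: ISAKMP:(1032):Checking IPSec proposal 1
*Jun 25 09:17:26.940: ISAKMP: transform 1, ESP_AES
*Jun 25 09:17:26.940: ISAKMP: encaps is 2 (Transport)
*Jun 25 09:17:26.940: ISAKMP: authenticator is HMAC-SHA
*Jun 25 09:17:26.940: ISAKMP: key length is 256
*Jun 25 09:17:26.940: ISAKMP:(1032):atts are acceptable.
*Jun 25 09:17:26.940: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jun 25 09:17:26.940: ISAKMP:(1032): IPSec policy invalidated proposal with error 32
*Jun 25 09:17:26.940: ISAKMP:(1032): phase 2 SA policy not acceptable! (local  remote )
*Jun 25 09:17:26.940: ISAKMP:(1032):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 834718720, message ID = 2549036105
*Jun 25 09:17:26.940: ISAKMP:(1032):deleting node 1599359281 error TRUE reason "QM rejected"
*Jun 25 09:17:34.072: ISAKMP:(1032):DPD/R_U_THERE received from peer , sequence 0x64B2279D
*Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

# "*Jun 25 09:17:26.940: <message>" or "Jun 25 10:01:44 SUMMERT: <message>"
_LINE = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: \w+)?: (?P<msg>.*)$")
_SA = re.compile(r"^ISAKMP:?\s*\((?P<sa>\d+)\):?\s*(?P<rest>.*)$")
_IPSEC = re.compile(r"^IPSEC\((?P<fn>\w+)\): (?P<text>.*)$")
_QM_START = re.compile(r"beginning Quick Mode exchange, M-ID of (\d+)|processing SA payload\. message ID = (\d+)")
_DELETE = re.compile(r'deleting node (-?\d+) error TRUE reason "([^"]+)"')
_POLICY_ERR = re.compile(r"IPSec policy invalidated proposal with error (\d+)")


@dataclass
class SaReport:
    sa_id: str
    phase1_complete: bool = False
    qm_started: List[str] = field(default_factory=list)       # quick-mode message IDs seen
    proposals_accepted: int = 0                                # "atts are acceptable" count
    ipsec_errors: List[str] = field(default_factory=list)      # IPsec-layer rejection reasons
    qm_rejected: Dict[str, str] = field(default_factory=dict)  # message ID -> reason
    notify_not_chosen: int = 0                                 # PROPOSAL_NOT_CHOSEN sent/received


def triage(debug_text: str) -> Dict[str, SaReport]:
    """Group ISAKMP debug lines by SA id and extract the phase 1 / phase 2 outcome."""
    reports: Dict[str, SaReport] = {}
    current: Optional[SaReport] = None  # IPSEC(...) lines carry no SA id; attribute to last SA
    for line in debug_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        sa = _SA.match(msg)
        if sa:
            current = reports.setdefault(sa.group("sa"), SaReport(sa.group("sa")))
            rest = sa.group("rest")
            if "IKE_P1_COMPLETE" in rest:
                current.phase1_complete = True
            qm = _QM_START.search(rest)
            if qm:
                mid = qm.group(1) or qm.group(2)
                if mid not in current.qm_started:
                    current.qm_started.append(mid)
            if "atts are acceptable" in rest:
                current.proposals_accepted += 1
            if "PROPOSAL_NOT_CHOSEN" in rest:
                current.notify_not_chosen += 1
            pe = _POLICY_ERR.search(rest)
            if pe:
                current.ipsec_errors.append(f"policy error {pe.group(1)}")
            de = _DELETE.search(rest)
            if de:
                current.qm_rejected[de.group(1)] = de.group(2)
            continue
        ip = _IPSEC.match(msg)
        if ip and current is not None and ip.group("fn") == "ipsec_process_proposal":
            current.ipsec_errors.append(ip.group("text"))
    return reports


def verdict(rep: SaReport) -> str:
    """One-line reading of an SA: the transform matched if proposals_accepted > 0,
    so a rejection after that points at proxy identities / policy, not the transform set."""
    if not rep.phase1_complete:
        return "phase 1 not complete"
    if rep.qm_rejected or rep.notify_not_chosen:
        reasons = list(rep.qm_rejected.values()) + rep.ipsec_errors
        stage = "after transform matched" if rep.proposals_accepted else "at transform check"
        return f"phase 2 failing {stage}: " + "; ".join(reasons)
    return "healthy"


if __name__ == "__main__":
    for sa_id, rep in triage(SAMPLE_DEBUG).items():
        print(f"SA {sa_id}: {verdict(rep)}")
```

    On the excerpt this reports SA 1032 as phase 2 failing after the transform matched, with "QM rejected", "proxy identities not supported" and "policy error 32" as the reasons, which is the distinction a troubleshooter wants before touching transform sets. The hub-side capture uses the "Jun 25 10:01:44 SUMMERT:" prefix, which the same line pattern accepts, so both sides of the exchange can be fed through it once the run-together lines have been split one entry per line.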

    It is possible that you are hitting this (phase 2 negotiation failure):

    https://Tools.Cisco.com/bugsearch/bug/CSCup72039/?reffering_site=dumpcr

    [Too little detail to say with certainty.]

    M.
