EIGRP with DMVPN

Why is it necessary to increase the bandwidth on the tunnel interface when running EIGRP over DMVPN?

Thank you

The default value is 9. The recommended bandwidth value is 1000 or more. Setting the bandwidth to at least 1000 is critical if EIGRP is used over the tunnel interface. Higher bandwidth values may be required depending on the number of spokes supported by a hub. The bandwidth setting on the spokes does not have to match the bandwidth setting on the DMVPN hub, but it is usually easier if all spokes use the same or a similar value.

Francisco
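To make the answer above concrete, the following added example (not part of the forum thread) computes two things the tunnel `bandwidth` feeds into: the classic EIGRP composite metric with default K-values, and the packet-pacing budget EIGRP gives itself (by default 50% of the configured interface bandwidth, the `ip bandwidth-percent eigrp` default). The 9 kbps default and the 1000 kbps recommendation are the values from the answer; the 50000 usec tunnel delay, the 60-byte hello size and the 5-second hello interval are assumed values chosen for illustration.

```python
"""Why the tunnel 'bandwidth' matters to EIGRP: metric and pacing budget.

Added example, not from the forum post. Formulas: the classic EIGRP composite
metric with default K-values (K1=K3=1, K2=K4=K5=0) and the default rule that
EIGRP limits its own traffic to 50% of the interface bandwidth.
"""

TUNNEL_DELAY_USEC = 50000   # assumed tunnel delay for illustration (constructed)


def eigrp_metric(min_bw_kbps, total_delay_usec):
    """Classic EIGRP composite metric with default K values."""
    bw_term = 10**7 // min_bw_kbps       # 10^7 divided by the lowest bandwidth (kbps)
    delay_term = total_delay_usec // 10  # delay expressed in tens of microseconds
    return 256 * (bw_term + delay_term)


def eigrp_pacing_budget_bytes_per_sec(bw_kbps, percent=50):
    """Bytes per second EIGRP allows itself on the interface (default 50%)."""
    return bw_kbps * 1000 * percent / 100 / 8


def hello_load_bytes_per_sec(spokes, hello_bytes=60, hello_interval=5):
    """On an mGRE hub, multicast hellos are replicated once per NHRP peer
    (ip nhrp map multicast dynamic), so the hub's hello load grows with the
    number of spokes. Hello size and interval are assumed values."""
    return spokes * hello_bytes / hello_interval


def hub_hello_fits(bw_kbps, spokes, **kw):
    """True if hellos alone stay inside EIGRP's pacing budget on the hub."""
    return hello_load_bytes_per_sec(spokes, **kw) <= eigrp_pacing_budget_bytes_per_sec(bw_kbps)


def compare(bw_values=(9, 1000), spokes=100):
    """Side-by-side view of the default and the recommended bandwidth."""
    return {
        bw: {
            "metric": eigrp_metric(bw, TUNNEL_DELAY_USEC),
            "budget_Bps": eigrp_pacing_budget_bytes_per_sec(bw),
            "hub_hellos_fit": hub_hello_fits(bw, spokes),
        }
        for bw in bw_values
    }


if __name__ == "__main__":
    for bw, result in compare().items():
        print(f"bandwidth {bw} kbps: {result}")
```

With the default of 9 kbps, EIGRP restricts itself to a few hundred bytes per second, which is not enough for a hub to replicate hellos to a hundred spokes, let alone send updates; at 1000 kbps the same hub has a budget of 62.5 kB/s and the metric is no longer dominated by the bandwidth term.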

Tags: Cisco Security

Similar Questions

  • DMVPN - EIGRP Neighbors

    Hello

    I run a dual-hub DMVPN solution. I use EIGRP as the routing protocol between the hubs and the spokes.

    I know that GRE is a pain most of the time, but we have to live with that. Although I have had EIGRP neighbors stay stable for 8-9 weeks and others drop every few weeks, two days ago I noticed that all EIGRP neighbors dropped simultaneously in both data centres.

    On each spoke I run a common phase 1 for the VPN but a different phase 2; people who know DMVPN well will know what I mean.

    The hubs are located in different areas, so it was not a bandwidth issue that would hit both hubs at the same time. It's really something with the protocols that DMVPN uses, or with EIGRP.

    As for DMVPN drops, I saw only the EIGRP neighborship go down for all spokes in both centers at the same time. Any suggestions why EIGRP failed?

    It could be something with NHRP or an IOS bug;

    IOS c800-universalk9-mz.SPA.153-3.M.bin

    Please don't ask me about basic troubleshooting, connectivity or timers. I'm looking for an advanced suggestion; I have solved many DMVPN problems which even Cisco could not find.

    I am looking forward to good suggestions and thank you for taking the time to consider the issue.

    Kind regards

    Spyros

    Hello

    «Do not forget that it is a spoke-to-spoke design. Spoke-to-spoke communication goes straight away. DMVPN creates a dynamic tunnel between them and does not pass the traffic via the HUB.»

    I think I disagree with you here, with regard to the next-hop-self and split-horizon EIGRP settings on the spokes.

    Spokes do in fact set up tunnels between them; however, my understanding is that the NHRP spoke first needs to query the NHRP server's cache for the 'inside' IP address of the spoke it wants to talk to, to check the reachability of the tunnel address. I can't see or understand now why this requirement is also necessary on the spokes.

    When you say the EIGRP adjacencies went down at the same time, we are still not sure whether this is due to some partial failure that has been found. But I think that for all spokes to roll over between hubs, EIGRP must have feasible successors, so do these show up in the topology tables? Maybe you had a situation where the two hubs went into SIA state and dropped?

    One last thing: for a DMVPN mesh (spoke-to-spoke), isn't PKI necessary rather than a pre-shared key? And you said Cisco IOS has been buggy with IPsec/GRE; what did they suggest to fix it? As in your last post, you say that you sorted it.

    Regards
    Paul

    Sent from Cisco Technical Support iPad App

  • DMVPN problem with 2 hubs

    Hello

    I have DMVPN phase 1 with 2 hubs, 20 spokes and EIGRP; HUB1 is primary and HUB2 is backup. If HUB1 fails, all traffic from the spokes goes to HUB2 immediately, within a few seconds, but when HUB1 comes back, traffic from the spokes automatically goes back to HUB1 only after 20-30 minutes, and that is too long; it's a problem.

    The 'show dmvpn' command on the spokes shows the tunnels to HUB1 in NHRP state, and if I use the 'clear crypto session' command manually on any spoke, the traffic of that spoke goes back to HUB1 immediately.

    A month ago I tested and it worked fine, but when I last tested 2 days ago, this problem occurred.

    What could be the reason and how do I fix it?

    Sorry for my English, I'm new to DMVPN :)

    Thanks in advance.

    Hi George,

    I see two possible events which would explain the behavior that you are experiencing.

    (a) DMVPN state change.

    (b) change in the routing table.

    You can troubleshoot each of the items above to identify which one is at the origin of the problem and then isolate it.  To begin, you must make sure that the DMVPN stays in a stable 'up' state.

    You mention "spokes display tunnels to HUB1 in NHRP state"; this confirms the DMVPN is 'stuck' and not fully operational.

    I suggest consulting a few useful troubleshooting details here:

    http://www.Cisco.com/c/en/us/support/docs/security/dynamic-multipoint-VP...

    Take a look at these details:

    ~~~
    Interface: Tunnel100, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 192.168.1.1         172.28.1.1    UP    1d21h     S
         1 192.168.1.2         172.28.1.2    UP    1d21h     S
    ~~~

    You should get similar output in your setup; keep an eye on the "UpDn Tm" value, as it tells you how long the DMVPN has been up.

    If the DMVPN remains stable while you experience the problem, then focus the troubleshooting on the routing protocol that you use over the DMVPN tunnel.

    If the DMVPN is unstable, check the connectivity between the spokes' and the hub's NBMA addresses and that the connectivity remains stable.  You can use 'debug dmvpn error crypto' and 'debug dmvpn error nhrp' to help identify the problem, if it is associated with DMVPN.

    There is a lot of guesswork in my suggestions, because you have not posted the configuration :).

    It would be useful if you post the config.  Good luck with your efforts.

    Thank you

    re775
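The answer above says to watch the State and "UpDn Tm" columns of `show dmvpn` to tell a stable DMVPN from a stuck or flapping one. The following added example (not from the forum thread) parses that table and flags peers that are not UP or that came up only recently, which is the check a monitoring job would run on the hub or on each spoke. The sample output is constructed, modelled on the table quoted in the answer with one NHRP-state peer and one recently flapped peer added; the 300-second "recent flap" threshold is an assumed value.

```python
"""Parse 'show dmvpn' and flag peers that are not UP or recently flapped.

Added example, not from the forum thread. The sample output below is
constructed after the table quoted in the answer.
"""
import re

# Constructed sample: one stable peer, one that came up 42 s ago, one stuck in NHRP state.
SAMPLE_SHOW_DMVPN = """\
Interface: Tunnel100, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.1.1         172.28.1.1    UP    1d21h     S
     1 192.168.1.2         172.28.1.2    UP 00:00:42     S
     1 192.168.1.3         172.28.1.3  NHRP    never     S
"""

# A peer row: entry count, NBMA addr, tunnel addr, state, UpDn time, attributes.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_updn(text):
    """Convert an UpDn value ('1d21h', '2w3d', '00:05:05', 'never') to seconds.
    Returns None for 'never' (the peer has not come up)."""
    if text == "never":
        return None
    if ":" in text:
        hours, minutes, seconds = (int(x) for x in text.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    return sum(int(num) * UNITS[unit] for num, unit in re.findall(r"(\d+)([wdhms])", text))


def parse_show_dmvpn(output):
    """Return one dict per peer row; header and separator lines are skipped."""
    peers = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ent, nbma, tunnel, state, updn, attrb = m.groups()
        peers.append({"ent": int(ent), "nbma": nbma, "tunnel": tunnel,
                      "state": state, "updn": updn, "attrb": attrb,
                      "uptime_s": parse_updn(updn)})
    return peers


def unhealthy_peers(peers, min_uptime_s=300):
    """Peers that are not UP, never came up, or have been UP for less than
    min_uptime_s (a recent flap worth correlating with the routing table)."""
    return [p for p in peers
            if p["state"] != "UP" or p["uptime_s"] is None or p["uptime_s"] < min_uptime_s]


if __name__ == "__main__":
    for p in unhealthy_peers(parse_show_dmvpn(SAMPLE_SHOW_DMVPN)):
        print(f"check peer {p['nbma']} ({p['tunnel']}): state={p['state']} updn={p['updn']}")
```

Run against real output captured from `show dmvpn`, the list returned by `unhealthy_peers` is the set of spokes (or hubs) to look at first; a peer that shows UP with a large uptime while traffic still takes the wrong path points to the routing table rather than to the DMVPN itself, which is the split the answer describes.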

  • 10-20 Branch Office Design with 'Hub' DataCenter - DMVPN?

    Hi guys,

    Looking for a technology to make 10-20 private Branch Office LANs (each with a single RFC 1918 /24) and a private Data Center LAN "seem to" be connected directly.  For example a computer in a branch with 192.168.101.X could get DNS from, and authenticate to, a domain controller in the data center at 192.168.1.Z.

    The bandwidth to each branch is about 10 Mb, terminating on a 2811.  Each LAN has between 5-10 computers without a local domain controller.  The current technology uses static VPN tunnels built on the firewall behind the 2811.  A public /29 CIDR block is routed to the 2811 for the public IP address of the firewall.

    * Is DMVPN on the branch 2811s a good way to move off the firewalls in this scenario?

    * If not, why, and what would be better?

    * With DMVPN configured on the 2811, is it possible to simultaneously configure SSL VPN and EasyVPN to allow remote access to any branch LAN for remote staff?

    * Would it be possible, assuming that bandwidth is not a concern, to run a kind of virtual office from the data center to the branches through the DMVPN?

    * If a 2811 is acceptable in the branches, what platform would be recommended for the data center?  The bandwidth available to it would be 100 Mb.

    Thank you!

    Greg

    Hi Greg,

    A DMVPN is a good solution for you, as long as you have the bandwidth, which it sounds like you do. You can do this with any of the 2800 series routers. The thing to keep in mind is that VPN traffic takes a lot of processor time to encrypt and decrypt the packets. Each of the 2800 series routers has a VPN module that will help offload the main processor.

    A 2811 at the branch should easily handle the functions for 5 to 10 users. I have a config very similar to what you want, with 8 remote offices over a DMVPN. Most of the branches terminate on a 2811.

    I also have IPsec or SSL VPN on remote sites; these can be run simultaneously. In the DMVPN config, you can choose whether or not to carry the VPN traffic between DMVPN spokes.

    Connecting the locations with RDP connections runs easily over the DMVPN. The speed of other services (file/printer sharing) will certainly depend on the bandwidth. If you want to authenticate remote offices to corporate domain controllers, this traffic should also be taken into account.

    I would start with a 3800/3900 series router in the data center; this should easily handle the traffic that you suggest and leave room for growth.

    I have attached a simple config with IPsec/SSL VPN remote users for you. I hope this helps!

    Kind regards

    Sam

  • DMVPN with invalid SPI recovery / DPD

    Dear Experts,

    I'm evaluating the DMVPN Phase 2 design of a mid-sized company network, trying to optimize the recovery time after a failure and restoration of a DMVPN peer.

    1. I just went through a PDF from a Cisco Live 2011 session named "Advanced Concepts of DMVPN - BRK 4052".

    It says (without further explanation) that the invalid SPI recovery feature is not useful with DMVPN.

    Can anyone explain why?

    2. DMVPN involves the use of Tunnel Protection (TP). I have read reviews that say that you cannot use Dead Peer Detection (DPD) together with TP.

    Contrary to these reviews, the Cisco DMVPN v1.1 design guide recommends a configuration containing:

    crypto isakmp keepalive 10

    Does that mean I have to use DPD, but without "periodic" keepalives? If so, could you explain?

    Thank you very much!

    Dear Sebastian,

    1. Invalid SPI recovery essentially means that the responding VPN router must notify the initiating VPN router if the SPI was invalid; the responder's reply would be an 'invalid SPI' error to the initiator.

    Why is it not recommended for DMVPN?

    Well, according to the previous description of SPI recovery, imagine someone floods your router with rogue requests! With invalid SPI recovery active, it means that your router would need to respond to all messages it receives with the "Invalid SPI" message, which basically means --> (Denial of Service) attack --> high CPU processing on your router.

    http://www.cisco.com/en/us/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200

    How does that relate to DMVPN?

    Well! DMVPN is mainly deployed with a large number of spokes! And even if no one attacks you, your spokes can attack you.

    2. I don't think that having periodic keepalives is what is meant in those comments; on-demand or periodic keepalives do not really affect DMVPN.

    I don't know which comments you've read, but I think you can use DPD! There have been some incompatibilities filed for tunnel keepalives, but as far as I know, nothing major was filed against ISAKMP keepalives.

    HTH!

    AMatahen

  • DMVPN with client-based remote access VPN

    Hi all

    We deployed DMVPN to connect our remote locations; now I want to configure client-based remote access VPN alongside the DMVPN tunnel, so that if somehow our DMVPN tunnel goes down we can connect to the router through the client-based remote access VPN. I want the experts to shed light on whether it is possible, or what technical challenges I have to face in this regard.

    Thank you

    Salman Jamshed

    Hello Salman,

    It's 100% possible; there is no harm in having them both up on your router.

    In fact, as you have said, it will provide an extra layer of redundancy if by chance the DMVPN tunnel breaks down.

    That being said, you can go ahead and do it; it is of course a sound move.

    Julio

  • DMVPN PPPoe MTU

    Hello

    I have a problem with all the PPPoE spokes on my DMVPN network. The problem is the stability of the DMVPN tunnel. With all the PPPoE spokes I have a problem.

    When I do a ping from the spoke to the hub like this:

    ping [hub dest IP] source [local tunnel IP], I have only 50% success.

    In the spoke log I have this message:

    %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor X.X.X.X (Tunnel2) is down: Peer Termination received

    I'm sure it has to do with the MTU setting. Only on int tunnel 2 on the spoke I tried to play with ip mtu and ip tcp adjust-mss, without success.

    But is it normal that if on int dialer1 I set the mtu to 1492, and I do a sh int Dialer1, the MTU shows 1500?

    I don't know what the right recipe is in this case, when I have several PPPoE spokes but not all of the spokes on the hub use PPPoE? Do I have to create another DMVPN just for the PPPoE spokes? If yes, what parameters do I need to set for PPPoE with DMVPN? Do I have to adjust the MTU on the tunnel port? On which side, hub and spoke? Etc...

    Because if I use GRE with VPN over a link where PPPoE is installed, I no longer have a problem. For simplicity of configuration and maintenance, I prefer to use DMVPN for sure. So if it is possible to set it up, it will be nice.

    Thank you

    MTU must be set on the tunnel interface for the hubs and spokes.

    If you want to save bytes, you can even use transport mode instead of tunnel mode.

    Thank you

    PS: Please do not forget to rate and mark as correct answer if this solves your problem
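The answer above says to set the MTU on the tunnel interface and that IPsec transport mode saves bytes over tunnel mode. The following added example (not from the forum thread) works out the GRE-over-IPsec overhead for the PPPoE case in the question (path MTU 1492) so the two pieces of advice can be checked against the numbers. It assumes ESP with AES-CBC (16-byte IV and block), a 12-byte HMAC ICV (MD5 or SHA1), GRE with a 4-byte tunnel key, and no NAT-T (pass `nat_t=True` to add the 8-byte UDP header); `ip mtu 1400` and `ip tcp adjust-mss 1360` are the values from the thread.

```python
"""GRE-over-IPsec overhead calculator for a DMVPN spoke behind PPPoE.

Added example, not from the forum thread. Header sizes are the standard
IPv4/GRE/ESP ones; cipher and ICV sizes are assumptions stated in the lead-in.
"""

IP_HDR, GRE_HDR, GRE_KEY, ESP_HDR, UDP_HDR = 20, 4, 4, 8, 8


def esp_size(plaintext_len, iv=16, icv=12, block=16):
    """Bytes of an ESP packet (header, IV, payload, padding, trailer, ICV)
    for a CBC cipher: payload + pad + pad-length + next-header must be a
    multiple of the block size."""
    pad = -(plaintext_len + 2) % block
    return ESP_HDR + iv + plaintext_len + pad + 2 + icv


def wire_size(ip_mtu, mode, tunnel_key=True, nat_t=False):
    """Size on the physical link of a maximum-size packet leaving the tunnel."""
    gre_pkt = IP_HDR + GRE_HDR + (GRE_KEY if tunnel_key else 0) + ip_mtu
    if mode == "transport":
        plaintext = gre_pkt - IP_HDR   # GRE/IP header is reused as the outer header
    elif mode == "tunnel":
        plaintext = gre_pkt            # whole GRE/IP packet gets a new outer header
    else:
        raise ValueError(f"unknown IPsec mode {mode!r}")
    return IP_HDR + (UDP_HDR if nat_t else 0) + esp_size(plaintext)


def fits(ip_mtu, path_mtu, mode, **kw):
    """True if the encrypted packet needs no fragmentation on the path."""
    return wire_size(ip_mtu, mode, **kw) <= path_mtu


def max_ip_mtu(path_mtu, mode, **kw):
    """Largest 'ip mtu' on the tunnel that still fits the path MTU."""
    for mtu in range(path_mtu, 0, -1):
        if fits(mtu, path_mtu, mode, **kw):
            return mtu
    return 0


def recommended_mss(ip_mtu):
    """TCP MSS to clamp with 'ip tcp adjust-mss': IPv4 + TCP headers removed."""
    return ip_mtu - 40


def pppoe_report(path_mtu=1492, ip_mtu=1400):
    """Compare tunnel and transport mode for the PPPoE link in the question."""
    return {mode: {"wire": wire_size(ip_mtu, mode),
                   "fits": fits(ip_mtu, path_mtu, mode),
                   "max_ip_mtu": max_ip_mtu(path_mtu, mode)}
            for mode in ("tunnel", "transport")}


if __name__ == "__main__":
    for mode, r in pppoe_report().items():
        print(f"{mode:9s} wire={r['wire']} fits_1492={r['fits']} max_ip_mtu={r['max_ip_mtu']}")
    print("adjust-mss for ip mtu 1400:", recommended_mss(1400))
```

Under these assumptions a 1400-byte tunnel packet becomes 1496 bytes on the wire in tunnel mode, 4 bytes too many for a 1492-byte PPPoE link, and 1480 bytes in transport mode, which fits; that is the saving the answer refers to. The same calculator shows why `ip mtu 1400` with `ip tcp adjust-mss 1360` is a safe pairing on a plain 1500-byte link, and what to lower the tunnel MTU to if tunnel mode must stay.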

  • Selective IPsec encryption on DMVPNs

    Hello

    I have a DMVPN with two spokes on an MPLS L3 IPVPN network, IPsec over GRE using crypto profiles. It works very well. Now I need to encrypt all traffic except DSCP EF. I tried using policy routing (route-map ACB), setting the IP next-hop for EF packets and leaving normal routing for all other types of traffic.

    My question is: I know crypto maps that use ACLs can selectively encrypt traffic through IPsec/GRE tunnels. Crypto profiles don't seem to have this feature. Is there another way to do this?

    A config snippet from one spoke is below.

    ~~~
    interface GigabitEthernet0/0.1
     description LAN i/f
     ip address 10.10.10.1 255.255.255.0
     ip policy route-map ACB

    interface Tunnel100
     ip address 172.16.254.13 255.255.254.0
     no ip redirects
     ip nhrp map 172.16.254.1 103.106.169.10
     ip nhrp map multicast 103.106.169.10
     ip nhrp network-id 1
     ip nhrp nhs 172.16.254.1
     ip nhrp shortcut
     keepalive 10 3
     tunnel source GigabitEthernet0/1.401
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile DMVPN-Crypto
    end

    router eigrp 1
     no auto-summary
     network 172.16.254.0 0.0.1.255
     eigrp log-neighbor-warnings
     eigrp log-neighbor-changes
     ! - router id
     network 10.10.10.0 0.0.0.255

    route-map ACB permit 10
     match ip address ACB
     set ip next-hop 11.2.100.2
    !
    route-map ACB permit 20

    ip access-list extended ACB
     permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
     permit icmp host 10.10.10.5 host 15.1.1.1 dscp 41
     deny ip any any log
    ~~~

    Note: the routing table contains only a default route learned via EIGRP. Thus, if route-map ACB sequence 10 matches, policy routing would forward to the next-hop (PE). Otherwise it would use 0/0 and route through the tunnel.

    Thanks in advance!

    Cheers
    Aravind

    With DMVPN, no.  You would need to go back to using plain crypto maps, using access lists to control what is and is not encrypted.

    If the "EF" traffic were on dedicated VoIP subnets you would have more options; you could choose simply not to route those subnets over the tunnel.

  • problem applying IPSEC to DMVPN

    Hi, I have a few problems with DMVPN

    I have configured NHRP between a HUB and a SPOKE:

    ~~~
           HUB
         tu0  tu1
          |    |
           ISP
            |
         tu0, tu1
          SPOKE
    ~~~

    The HUB has two physical interfaces and two logical interfaces.

    The SPOKE has one physical interface and two logical interfaces.

    With NHRP configured correctly, the tunnels are detected on the HUB and the SPOKES.

    When I add the IPsec profile to the tunnels I lose tunnel1.

    ~~~
    SPOKE1#sh ip nhrp
    10.1.1.4/32 via 10.1.1.4, Tunnel0 created 02:22:01, never expire
      Type: static, Flags: authoritative used
      NBMA address: 190.1.1.1
    10.2.2.4/32 via 10.2.2.4, Tunnel1 created 02:18:21, never expire
      Type: static, Flags: authoritative used
      NBMA address: 190.1.2.1
    ~~~

    ~~~
    SPOKE1#debug ip nhrp

    Tunnel0
    *Mar  1 03:50:09.399: NHRP: Attempting to send packet via DEST 10.1.1.4
    *Mar  1 03:50:09.399: NHRP: Encapsulation succeeded.  Tunnel IP addr 190.1.1.1
    *Mar  1 03:50:09.399: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 82
    *Mar  1 03:50:09.403:       src: 10.1.1.1, dst: 10.1.1.4
    *Mar  1 03:50:09.403: NHRP: 82 bytes out Tunnel0
    *Mar  1 03:50:09.519: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 102
    *Mar  1 03:50:09.519: NHRP: netid_in = 0, to_us = 1

    Tunnel1
    *Mar  1 03:50:30.575: NHRP: Attempting to send packet via DEST 10.2.2.4
    *Mar  1 03:50:30.575: NHRP: Encapsulation succeeded.  Tunnel IP addr 190.1.2.1
    *Mar  1 03:50:30.575: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
    *Mar  1 03:50:30.579:       src: 10.2.2.1, dst: 10.2.2.4
    *Mar  1 03:50:30.579: NHRP: 82 bytes out Tunnel1
    *Mar  1 03:50:30.579: NHRP: Resetting retransmit due to hold-timer for 10.2.2.4
    ~~~

    No response from the HUB.

    ~~~
    HUB#sh ip nhrp
    10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:05:05, expire 00:08:29
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 191.1.1.11
    ~~~

    Only tunnel0 is there!

    I also have this on the HUB:

    ~~~
    *Mar  1 03:58:54.519: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 191.1.1.11 (physical address of SPOKE1)
    ~~~

    Configs:

    HUB:

    ~~~
    !
    crypto isakmp policy 10
     encr aes
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key techservices address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    !
    crypto ipsec profile DMVPN
     set transform-set AES_MD5
    !
    !
    interface Tunnel0
     bandwidth 10000
     ip address 10.1.1.4 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 123
     ip nhrp authentication dmvpn1
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     no ip split-horizon eigrp 123
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile DMVPN
    !
    interface Tunnel1
     bandwidth 10000
     ip address 10.2.2.4 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 124
     ip nhrp authentication dmvpn2
     ip nhrp map multicast dynamic
     ip nhrp network-id 124
     no ip split-horizon eigrp 124
     tunnel source FastEthernet1/0
     tunnel mode gre multipoint
     tunnel key 124
     tunnel protection ipsec profile DMVPN
    !
    !
    router eigrp 123
     network 10.1.1.0 0.0.0.255
     network 172.16.4.0 0.0.0.255
     no auto-summary
    !
    router eigrp 124
     network 10.2.2.0 0.0.0.255
     network 172.16.4.0 0.0.0.255
     no auto-summary
    !
    ~~~

    SPOKE1:

    ~~~
    !
    crypto isakmp policy 10
     encr aes
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key techservices address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    !
    crypto ipsec profile DMVPN
     set transform-set AES_MD5
    !
    !
    interface Tunnel0
     bandwidth 10000
     ip address 10.1.1.1 255.255.255.0
     ip mtu 1400
     ip nhrp authentication dmvpn1
     ip nhrp map multicast 190.1.1.1
     ip nhrp map 10.1.1.4 190.1.1.1
     ip nhrp network-id 123
     ip nhrp holdtime 600
     ip nhrp nhs 10.1.1.4
     ip nhrp registration timeout 300
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile DMVPN
    !
    interface Tunnel1
     bandwidth 10000
     ip address 10.2.2.1 255.255.255.0
     ip mtu 1400
     ip nhrp authentication dmvpn2
     ip nhrp map multicast 190.1.2.1
     ip nhrp map 10.2.2.4 190.1.2.1
     ip nhrp network-id 124
     ip nhrp holdtime 600
     ip nhrp nhs 10.2.2.4
     ip nhrp registration timeout 300
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 124
     tunnel protection ipsec profile DMVPN
    !
    !
    router eigrp 123
     network 10.1.1.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
     no auto-summary
    !
    router eigrp 124
     network 10.2.2.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
     no auto-summary
    !
    ~~~

    Regards

    Good to hear. It looks like it could have been a timing problem. In recent releases, logic to restart the registration timer during certain delays caused by the configuration sequence has been added. Since you're using old code, that could be the reason why it worked after reconfiguring the tunnel interface.

    Please make sure you mark this thread as answered so it can help others.

  • DMVPN w/ multicast setup/questions

    Hello

    I have a lot of questions, so bear with me as I vomit them out of my head.

    I did a few tests with DMVPN in conjunction with multicast video (hub-and-spoke, with no spoke-to-spoke). The test configuration uses 2 Cisco 2811s without the VPN module.  I understand the performance impact of not having the module. That being said, here are my questions.

    1. With encryption on, the HUB and spoke routers use 90-97% of the CPU (8 Mb multicast stream).  With encryption off, the hub is at about 60% and the spoke at about 75%.  Here's where I'm confused.  If I send that same stream as unicast, with encryption, the hub and spoke use only about 30-35% CPU.  Why is so much more CPU needed when it comes to a multicast stream?

    2. In the current configuration, I get input errors, throttles and ignored counters on the hub and the spokes.  The hub has these errors on the LAN interface and the spoke has these errors on the WAN interface. All other interfaces are completely clean.  I checked and there are no duplex or speed mismatches.  Any ideas?

    HUB:

    ~~~
    Current configuration : 1837 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Hub
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    enable password
    !
    no aaa new-model
    clock timezone Central -6
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip name-server 8.8.8.8
    ip multicast-routing
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    voice-card 0
    !
    archive
     log config
      hidekeys
    !
    interface Tunnel1
     bandwidth 100000
     ip address 192.168.11.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 1
     ip pim sparse-mode
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 450
     no ip route-cache cef
     ip tcp adjust-mss 1360
     no ip split-horizon eigrp 1
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
    !
    interface FastEthernet0/0 (WAN)
     ip address 216.x.x.x 255.255.255.192
     ip pim sparse-mode
     load-interval 30
     duplex auto
     speed auto
    !
    interface FastEthernet0/1 (LAN)
     ip address 128.112.64.5 255.255.248.0
     ip pim sparse-mode
     load-interval 30
     duplex auto
     speed auto
    !
    router eigrp 1
     network 128.112.0.0
     network 192.168.11.0
     auto-summary
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.x.x.x
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip pim rp-address 128.112.64.5 10
    !
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO
    !
    ~~~

    Spoke:

    ~~~
    Current configuration : 1857 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Spoke
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    enable password
    !
    no aaa new-model
    clock timezone Central -6
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip multicast-routing
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    voice-card 0
    !
    archive
     log config
      hidekeys
    !
    interface Tunnel1
     bandwidth 100000
     ip address 192.168.11.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip pim sparse-mode
     ip nhrp map 192.168.11.1 216.x.x.x
     ip nhrp map multicast 216.x.x.x
     ip nhrp network-id 1
     ip nhrp holdtime 450
     ip nhrp nhs 192.168.11.1
     no ip route-cache cef
     ip tcp adjust-mss 1360
     no ip split-horizon eigrp 1
     delay 1000
     tunnel source FastEthernet0/0
     tunnel destination 216.x.x.x
     tunnel key 100000
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
    !
    interface FastEthernet0/0 (WAN)
     ip address 65.x.x.x 255.255.255.192
     ip pim sparse-mode
     load-interval 30
     duplex auto
     speed auto
    !
    interface FastEthernet0/1 (LAN)
     ip address 128.124.64.1 255.255.248.0
     ip pim sparse-mode
     ip igmp join-group 239.10.10.10
     load-interval 30
     duplex auto
     speed auto
    !
    router eigrp 1
     network 128.124.0.0
     network 192.168.11.0
     auto-summary
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 65.x.x.x
    no ip http server
    no ip http secure-server
    !
    !
    ip pim rp-address 128.112.64.5 10
    !
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO
    ~~~

    Joe,

    You ask the right question.

    CPU utilization = CPU consumed by processes + I/O operations (in a huge simplification: CEF)

    Usually when a packet is processed by the router we expect it to be handled by CEF, i.e. very quickly.

    A packet is not processed by CEF:

    - when something is missing to route the packet properly (think ARP/CAM entry), i.e. additional lookups need to be done;

    - when a feature requires the packet to be transformed/rewritten;

    - when the packet is destined for the router itself.

    (And many others, but these are the most important.)

    When a packet is received but cannot be handled by CEF, we "punt the packet to the CPU"; this in turn causes the process CPU usage to go up.

    Now on the spoke, this seems to be the problem:

    ~~~
    Spoke#show ip cef switching statistics

    Reason                          Drop       Punt  Punt2Host
    RP LES Packet destined for us      0       1723          0
    RP LES Encapsulation resource      0    1068275          0
    ~~~

    There are also some output buffer failures in your setup.

    Usually at this stage I would say:

    (1) 'Upgrade' the device to 15.0(1)M6 or 12.4(15)T (latest image in this branch) and check if the problem persists there.

    (2) If it does, run it by TAC. I don't see any obvious errors, but I'm just a guy in a chair, same as you ;-)

    Marcin

  • DMVPN and VoIP

    Are there any concerns using VoIP with DMVPN? How is Quality of Service managed?

    Thank you for your participation.

    Dean,

    You guessed it! Remember to accept your answer as the answer ;)

    Thank you for participating in the webcast today; please feel free to post any questions here or in the Ask the Expert thread.

    -Frank

  • DMVPN or GETVPN

    Team - we have a client that runs GET VPN over an MPLS link from the DC to the spokes.  They are heading for a network refresh.    We thought of suggesting IWAN to them.  DMVPN is one of the 4 pillars of IWAN.  Can we ask the customer to go to DMVPN instead of GETVPN?  Or should we do it another way?  Please highlight the pros and cons.

    Thank you

    bijbalaktn,

    When you say 'network refresh', what does that imply? Will you still use MPLS as your transport network?

    Either GETVPN or DMVPN is a solution on an MPLS network. Two benefits of GETVPN are a little less encapsulation overhead (as it is just ESP without GRE encapsulation) and no need for an overlay routing protocol. That said, when comparing DMVPN and GETVPN, most people are much more comfortable with DMVPN, which is an advantage in and of itself. In addition, if you are considering an IWAN solution, DMVPN is a requirement per the IWAN CVD.

    In short, either solution should work and it's really up to you; personally, I'm a big fan of both. If you are comfortable with GETVPN and it has worked for you, it may be better to stay with that. However, DMVPN is expected to work properly for you as well.

    HTH,

    Frank

  • EzVPN between Cisco ASA 5505 (with NEM mode) and Cisco 881 Router

    Hi friends,

    I configured the Cisco ASA 5505 and Cisco 881 router with DMVPN. 3 offices work very well but one office keeps failing. I did the same configuration for all sites but this router does not work. Any ideas?

    Please find below the output of the Cisco 881 router:

    ~~~
    YF2_Tbilisi_router#
    *Aug  4 09:31:26.793: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Aug  4 09:31:26.793: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Aug  4 09:31:26.793: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
    *Aug  4 09:31:26.793: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
    *Aug  4 09:31:26.793: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Aug  4 09:31:36.793: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Aug  4 09:31:36.793: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    *Aug  4 09:31:36.793: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
    *Aug  4 09:31:36.793: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
    *Aug  4 09:31:36.793: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Aug  4 09:31:44.929: ISAKMP:(0):purging SA., sa=88961B34, delme=88961B34
    *Aug  4 09:31:46.793: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Aug  4 09:31:46.793: ISAKMP:(0):peer does not do paranoid keepalives.

    *Aug  4 09:31:46.793: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 1.1.1.1)
    *Aug  4 09:31:46.793: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=Youth_Facility_2  Server_public_addr=1.1.1.1
    *Aug  4 09:31:46.793: ISAKMP:isadb_key_addr_delete: no keys for address 1.1.1.1 (root NULL)
    *Aug  4 09:31:46.793: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 1.1.1.1)
    *Aug  4 09:31:46.793: ISAKMP: Unlocking peer struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    *Aug  4 09:31:46.793: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 8AA90C50
    *Aug  4 09:31:46.793: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Aug  4 09:31:46.793: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA

    *Aug  4 09:31:47.805: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0x0, ivrf 0x0
    *Aug  4 09:31:47.805: ISAKMP:(0):peer does not do paranoid keepalives.

    *Aug  4 09:31:47.805: ISAKMP:(0):SA request profile is (NULL)
    *Aug  4 09:31:47.805: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
    *Aug  4 09:31:47.805: ISAKMP: New peer created peer = 0x8AA90C50 peer_handle = 0x80004819
    *Aug  4 09:31:47.805: ISAKMP: Locking peer struct 0x8AA90C50, refcount 1 for isakmp_initiator
    *Aug  4 09:31:47.805: ISAKMP:(0):Setting client config settings 87531228
    *Aug  4 09:31:47.805: ISAKMP: local port 500, remote port 500
    *Aug  4 09:31:47.805: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88961B34
    *Aug  4 09:31:47.805: ISAKMP:(0):Setting client mode.
    *Aug  4 09:31:47.805: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Aug  4 09:31:47.805: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Aug  4 09:31:47.805: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Aug  4 09:31:47.805: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Aug  4 09:31:47.805: ISKAMP: growing send buffer from 1024 to 3072
    *Aug  4 09:31:47.805: ISAKMP:(0):SA has pre-shared key and XAUTH authentication using id type ID_KEY_ID
    *Aug  4 09:31:47.805: ISAKMP (0): ID payload
            next-payload : 13
            type         : 11
            group id     : Youth_Facility_2
            protocol     : 17
            port         : 0
            length       : 24
    *Aug  4 09:31:47.805: ISAKMP:(0):Total payload length: 24
    *Aug  4 09:31:47.809: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    *Aug  4 09:31:47.809: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

    *Aug  4 09:31:47.809: ISAKMP:(0): beginning Aggressive Mode exchange
    *Aug  4 09:31:47.809: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
    *Aug  4 09:31:47.809: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Aug  4 09:31:57.809: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Aug  4 09:31:57.809: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    ~~~
    * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
    * 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
    * 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    * 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
    * 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

    * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
    * 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
    * 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
    * 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
    * 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
    * 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
    * 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
    * 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
    * 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
    * 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
    * 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
    * 09:32:48.913 4 August: ISAKMP (0): payload ID
    next payload: 13
    type: 11
    Group ID: Youth_Facility_2
    Protocol: 17
    Port: 0
    Length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    * 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

    * 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
    * 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

    There is no DMVPN on the ASA. Whatever you have configured is either not compatible with the ASA, or it is something other than DMVPN. At least the debug shows that there is some EzVPN involved.

    From the debug, it seems that no communication on UDP/500 is possible between the devices. Maybe something is blocking it?

  • DMVPN split tunneling question, not able to pass HTTP traffic to end spoke.

    Hi all,

    I would appreciate your help in solving the following issue.
    I have a DMVPN installation (EIGRP routing protocol) for 20 sites with no problem at all, and everything works perfectly.
    Now I have received a request to separate the business traffic from the Internet traffic at the end spokes, so that all Internet traffic goes via a local ADSL connection. I have tried to solve this, but the spoke router keeps forwarding all traffic into the tunnel.
    Moreover, I found on the Internet that DMVPN has a limitation: split tunneling isn't possible.
    Please can you suggest how I can send Internet traffic (HTTP) via the local DSL connection?
    Thank you and best regards,

    DMVPN is not policy-based, so split tunneling concepts do not apply.

    DMVPN relies on routing to decide which traffic should be sent through the tunnel.

    In your case, where you also have to distinguish between company HTTP traffic and Internet HTTP traffic, it is better to put correct routing in place.
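    The routing-based approach described in the answer above, as an added example spoke configuration that is not from the original thread or any Cisco document. It assumes Dialer1 is the local ADSL interface, Tunnel0 is the existing DMVPN tunnel, Vlan1 is the LAN, EIGRP AS 1, 10.0.0.0/8 as the corporate address space (tunnel and LAN addresses included) and 203.0.113.1 as the hub's public address; all of these are assumptions.

```cisco
! Added example (not the original poster's config). Names and addresses are assumed.
!
! 1. Local default route: anything the hub does not advertise leaves via the DSL.
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! 2. The hub's public (NBMA) address must stay reachable through the underlay,
!    never through Tunnel0, or the tunnel would recurse through itself.
ip route 203.0.113.1 255.255.255.255 Dialer1
!
! 3. Accept only corporate prefixes from the hub. A default route learned over
!    the tunnel (e.g. from 'ip summary-address eigrp 1 0.0.0.0 0.0.0.0' on the
!    hub) is the usual reason a spoke pushes all Internet traffic into the tunnel.
ip prefix-list CORP-ONLY seq 5 deny 0.0.0.0/0
ip prefix-list CORP-ONLY seq 10 permit 10.0.0.0/8 le 32
!
router eigrp 1
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 distribute-list prefix CORP-ONLY in Tunnel0
!
! 4. NAT applies only to traffic that is routed out of Dialer1. Corporate
!    destinations are routed into Tunnel0 and never hit the NAT outside interface,
!    but the explicit deny documents the intent.
ip access-list extended LAN-TO-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list LAN-TO-INTERNET interface Dialer1 overload
!
interface Dialer1
 ip nat outside
!
interface Vlan1
 ip nat inside
!
! Check: 'show ip route 0.0.0.0' must show the static default via Dialer1 (S*),
! not an EIGRP (D) default via Tunnel0; 'show ip route 10.0.0.0' should list
! only the hub-learned corporate prefixes via Tunnel0.
```

    The same result can be obtained by not originating a default route on the hub at all; the inbound distribute-list on the spoke simply makes the spoke's behaviour independent of what the hub advertises.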

  • DMVPN ISAKMP running in manual mode

    Our main goal is to improve security on our DMVPN WAN using our current Cisco equipment.

    We currently use pre-shared keys configured on our DMVPN IPsec.

    We would like to switch to locally generated RSA keys, but our Cisco (spoke) routers have crypto accelerator cards that prevent the use of RSA keys. We cannot move to certs at this stage.

    We then tried to upgrade from IKEv1 to IKEv2, but the hub routers, even with the latest Cisco IOS code, do not support IKEv2.

    We thought we could use manual ISAKMP, but that needs crypto cards.

    I can't locate any documentation that relates to DMVPN and manual ISAKMP.

    Does anyone have a URL or a configuration that supports DMVPN and manual ISAKMP in a Cisco environment?

    TKS

    Frank

    Frank,

    What exactly do you mean by "manual" ISAKMP? ISAKMP is a key management protocol, i.e. dynamic.

    If you mean manual keys for IPsec as described here:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080093c26.shtml

    they don't provide any additional security though.

    IKEv2 was introduced in 15.0 I believe; I have not (yet) done a deployment with DMVPN and IKEv2 (don't know if that is even supported at the moment).

    Please note that any IOS router can be a certification authority at the same time as being a DMVPN hub or spoke, if you want to deploy certificates.

    If it is added security you're looking for, a quick way would be, for example, to add proxy authentication for access to resources via the tunnel.

    Marcin
