06-18-2018 08:56 PM - edited 03-05-2019 10:37 AM
Hi all
I have created a DMVPN topology.
Hub - T3
Spoke 1 - T1
Spoke 2 - T2
I am able to create a DMVPN tunnel between the hub (T3) and spoke (T2), but not able to create a tunnel between the hub (T3) and spoke (T1).
On the T1 spoke, DMVPN is stuck in state IKE.
Configurations attached.
Output on T1
Router#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel400, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 193.239.156.6 10.248.2.2 IKE 00:06:10 S
Output on T2
Router#show dmvp
Router#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel400, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 193.239.156.6 10.248.2.2 IPSEC 00:05:50 S
Output on T3
Router#Show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel400, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 90.91.174.251 10.248.2.7 UP 00:08:31 D
06-19-2018 12:51 AM
Hello,
on the spoke in IKE state, turn on debugging:
debug crypto ipsec
debug crypto isakmp
then shut/no shut the tunnel and post the output of the debug...
06-19-2018 01:09 AM
Hello
Does the DMVPN tunnel come up and do you have connection over the tunnel without any IPsec being applied?
res
Paul
06-19-2018 01:14 AM
Hi, I am facing the same issue by disabling the IPSEC tunnel also. But at that moment the spoke router goes into "NHRP state".
06-19-2018 01:21 AM
Hello
Just to confirm, you DON'T have any connection over the tunnel even without any IPSEC being applied?
If so, then you need to troubleshoot the tunnel first.
1) Create the GRE tunnel without any NHRP or IPsec. Does it work? If so, apply NHRP; if not, check your routing between the source and destination of your tunnel.
2) Once the tunnel is up, apply your phase 3 NHRP; make sure you obtain connection, test the spoke-to-spoke tunneling, NHRP mappings, etc.
3) Lastly, apply your IPSEC and test again; if this doesn't work, check your IPsec configuration.
res
Paul
06-19-2018 01:33 AM - edited 06-19-2018 01:34 AM
Hello
One more thing I cannot see, maybe I have missed it. But you are using EIGRP as your dynamic routing; make sure on the hub you have split horizon disabled so it allows re-advertisement of each spoke's routes.
Hub
int tun400
no ip split-horizon eigrp 100
res
Paul
06-21-2018 08:20 PM
Thanks Paul and George... the issue is rectified.
I was redistributing connected routes in EIGRP, assuming the tunnel interface was also redistributed.
So by giving a separate network command in EIGRP for the tunnel interface, my DMVPN tunnel came up and all spoke tunnels were learned dynamically. So I found this issue by creating the tunnel and routing step by step.
Thanks all for your support.
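Added example (not part of the thread and not taken from the attached configs): a small offline check for the routing stage of the step-by-step bring-up, covering the fix described in the post above. `redistribute connected` only injects the tunnel subnet as a route; EIGRP runs on the tunnel interface only when a `network` statement covers its address. The sample config, its mask and the interface names are constructed, and passive-interface settings are not considered.

```python
import ipaddress
import re

# Constructed spoke config: addresses, masks and interface names are sample values.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
interface Tunnel400
 ip address 10.248.2.7 255.255.255.0
 tunnel mode gre multipoint
!
router eigrp 100
 network 192.168.10.0 0.0.0.255
 redistribute connected
!
"""

def interface_addresses(config):
    """Map interface name -> primary IPv4 address (as int)."""
    addrs, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current and (m := re.match(r"\s+ip address (\d+(?:\.\d+){3}) \S+\s*$", line)):
            addrs[current] = int(ipaddress.ip_address(m.group(1)))
    return addrs

def eigrp_networks(config):
    """Return (base, wildcard) int pairs from 'network' lines under 'router eigrp'."""
    nets, in_eigrp = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_eigrp = line.startswith("router eigrp ")
        elif in_eigrp and (m := re.match(r"\s+network (\S+)(?: (\S+))?\s*$", line)):
            base = int(ipaddress.ip_address(m.group(1)))
            if m.group(2):
                wildcard = int(ipaddress.ip_address(m.group(2)))
            else:  # no wildcard given: IOS applies the classful boundary
                first = base >> 24
                wildcard = 0xFFFFFF if first < 128 else 0xFFFF if first < 192 else 0xFF
            nets.append((base, wildcard))
    return nets

def eigrp_enabled_on(config, ifname):
    """True if a 'network' statement covers the interface address."""
    addr = interface_addresses(config).get(ifname)
    return addr is not None and any(
        (addr & ~wc) == (base & ~wc) for base, wc in eigrp_networks(config))

# Same config with a network statement added for the (assumed) tunnel subnet.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " redistribute connected\n", " redistribute connected\n network 10.248.2.0 0.0.0.255\n")
```

`eigrp_enabled_on(SAMPLE_CONFIG, "Tunnel400")` is false for the redistribute-only config and true for `FIXED_CONFIG`.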
06-19-2018 01:22 AM
Both spoke routers have the same configuration, but DMVPN is still up only with the T2 spoke router.
06-19-2018 01:33 AM
Hello,
on the T1 router, remove:
ip route 0.0.0.0 0.0.0.0 10.248.2.2 track 101
The default route points to the tunnel on the hub, which doesn't look right...