RE: DMVPN Issues

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Thu, 25 Jun 2009 12:20:07 -0400

First I would migrate to DMVPN phase 3;

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html

quite easy to do;

second you NEED

crypto isakmp invalid-spi-recovery on all devices

Please do these then test, then get back to us

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Olaniyi A. Sonubi
Sent: Thursday, June 25, 2009 12:12 PM
To: Cisco certification
Subject: DMVPN Issues

I have issues with DMVPN. I configured a HUB (7604 router) and about eighty
spokes connecting to the HUB. Routing protocol is EIGRP. Most neighbour
relationships are ok but some spokes don't have the HUB as neighbour while the
HUB has them as neighbours. The output of sh ip ei nei on hub is

H   Address                 Interface  Hold Uptime   SRTT   RTO  Q   Seq
                                       (sec)         (ms)       Cnt Num
40  10.204.4.65             Tu2          10 00:00:13    1  5000   5  0
23  10.204.4.23             Tu2          13 00:00:15    1  5000   5  0
28  10.204.4.76             Tu2          13 00:00:20    1  5000   9  0
6   10.204.4.61             Tu2          11 00:00:49    1  5000  19  0
19  10.204.4.77             Tu2          13 00:01:06    1  5000  24  0
7   10.204.4.13             Tu2          13 00:01:10    1  5000  25  0
18  10.204.4.71             Tu2          12 00:01:16    1  5000  38  0
64  172.28.60.150           Tu25360      10 00:02:20    1  5000   1  14031
80  10.204.4.14             Tu2          11 00:16:08   40   360   0  317751
3   10.204.4.9              Tu2          10 00:19:39   14  5000   1  33697
14  10.204.1.4              Tu0          14 00:24:42  676  5000   0  8055
74  10.204.4.4              Tu2          11 00:31:56  301  5000   1  1524854
45  10.204.1.11             Tu0          14 00:32:51  635  5000   0  102365
67  10.204.2.4              Tu1          14 00:33:25  657  3942   0  510433
38  10.204.4.72             Tu2          14 00:37:35   26  5000   1  354373
83  10.204.1.15             Tu0          12 00:40:35  693  5000   0  57
70  10.204.4.35             Tu2          12 00:53:07   40  5000   1  82299

The HUB tunnel config is

interface Tunnel2
 description HQ DMVPN tunnel to 21ctl Branches
 bandwidth 2000000
 ip address 10.204.4.1 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 21CTL
 ip nhrp map multicast dynamic
 ip nhrp network-id 12
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 10
 ip summary-address eigrp 10 172.31.0.0 255.255.0.0 5
 ip summary-address eigrp 10 172.29.0.0 255.255.0.0 5
 ip summary-address eigrp 10 172.28.0.0 255.255.0.0 5
 ip summary-address eigrp 10 172.22.0.0 255.255.0.0 5
 ip tcp adjust-mss 1360
 tunnel source 172.29.253.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile scpc
 crypto engine slot 3/0
end

The spoke tunnel config is

interface Tunnel2
 description DMVPN tunnel for Ikeja to HQ
 bandwidth 2000
 ip address 10.204.4.4 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 21CTL
 ip nhrp map multicast 172.29.253.1
 ip nhrp map 10.204.4.1 172.29.253.1
 ip nhrp network-id 12
 ip nhrp holdtime 300
 ip nhrp nhs 10.204.4.1
 ip tcp adjust-mss 1360
 tunnel source 172.29.253.4
 tunnel destination 172.29.253.1
 tunnel protection ipsec profile scpc
end

My crypto config on all routers is

crypto isakmp policy 11
 authentication pre-share
 group 2
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile scpc
 set transform-set scpcvpnset

The spokes that are up and running have similar configs to those not working.
I seemed to have got the problem fixed at one point. I completely removed the
tunnel on all spokes not forming a neighbour relationship, waited for the
holdtime to expire and then recreated the tunnels on the spokes. Everything
worked fine for some time, but I noticed that they lose the relationship after
several hours.
These are the outputs of show crypto isakmp sa for three sites not forming a
neighbour relationship:
sh cry isa sa
dst             src             state          conn-id slot status
172.29.253.1    172.29.253.135  QM_IDLE              2    0 ACTIVE

dst             src             state          conn-id slot status
172.29.253.214  172.29.253.1    QM_IDLE           4059    0 ACTIVE

dst             src             state          conn-id slot status
172.29.253.1    172.29.253.182  QM_IDLE           4048    0 ACTIVE

These are the outputs of show ip nhrp for the same three sites:
sh ip nh

10.204.4.1/32 via 10.204.4.1, Tunnel2 created 00:10:21, never expire
  Type: static, Flags:
  NBMA address: 172.29.253.1

10.204.4.1/32 via 10.204.4.1, Tunnel2 created 2d06h, never expire
  Type: static, Flags: nat
  NBMA address: 172.29.253.1

10.204.4.1/32 via 10.204.4.1, Tunnel2 created 2d07h, never expire
  Type: static, Flags: nat
  NBMA address: 172.29.253.1

I can ping the tunnel address of the HUB from all the spokes.

What do you think will bring a permanent solution to this problem? Your
contributions will be highly appreciated.

Regards,

Olaniyi Sonubi,

CCIE#23833(R&S)

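As an added example (not from either poster), here is a small parser for the `show ip eigrp neighbors` output quoted above that picks out the adjacencies which keep resetting on the hub: a young uptime combined with packets still sitting in the reliable-transport queue, which is the pattern the unstable spokes show in Olaniyi's table. The sample rows are copied from the thread; the thresholds are assumptions to tune per network.

```python
# Added example, not code from the thread: parse IOS `show ip eigrp neighbors`
# and flag neighbours that look like they are re-forming. On a DMVPN hub that
# is the usual symptom of a spoke whose IPsec SA went stale (the invalid-SPI
# case the reply points at). Thresholds below are assumptions, not IOS values.
import re

# Constructed sample: rows from the hub output quoted in the thread, with the
# wrapped lines re-joined and the standard IOS header added.
SAMPLE = """\
H   Address         Interface  Hold Uptime   SRTT   RTO  Q   Seq
40  10.204.4.65     Tu2          10 00:00:13    1  5000   5  0
7   10.204.4.13     Tu2          13 00:01:10    1  5000  25  0
80  10.204.4.14     Tu2          11 00:16:08   40   360   0  317751
74  10.204.4.4      Tu2          11 00:31:56  301  5000   1  1524854
14  10.204.1.4      Tu0          14 00:24:42  676  5000   0  8055
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)"
                 r"\s+(\d+)\s+(\d+)\s*$")

def uptime_seconds(text):
    """Convert an IOS uptime column (hh:mm:ss or e.g. 2d06h) to seconds."""
    m = re.match(r"^(\d+)d(\d+)h$", text)
    if m:
        return int(m.group(1)) * 86400 + int(m.group(2)) * 3600
    h, mi, s = (int(x) for x in text.split(":"))
    return h * 3600 + mi * 60 + s

def parse_neighbors(output):
    """Return one dict per neighbour row; header and wrapped fragments are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _h, addr, intf, hold, up, srtt, rto, q, seq = m.groups()
        rows.append({"address": addr, "interface": intf, "hold": int(hold),
                     "uptime": uptime_seconds(up), "srtt": int(srtt),
                     "rto": int(rto), "q": int(q), "seq": int(seq)})
    return rows

def flag_unstable(rows, max_uptime=300, max_q=0):
    """Neighbours with a young adjacency and still-queued reliable packets.
    SRTT 1 / RTO 5000 on those rows means no packet has been acknowledged yet,
    so the spoke is not really up even though the hub lists it."""
    return [r["address"] for r in rows
            if r["uptime"] < max_uptime and r["q"] > max_q]
```

Running `flag_unstable(parse_neighbors(SAMPLE))` on the quoted rows returns the two spokes with sub-minute uptimes and non-empty queues; pasting the full hub output in place of the sample gives the list of spokes to check `show crypto ipsec sa` on.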

Received on Thu Jun 25 2009 - 12:20:07 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART