DMVPN NHRP issue

I have a phase 2 DMVPN network with approx 40 spoke routers and dual hub routers. 90% of this is working very well. However, I have 3 or 4 spoke routers that are unable to communicate with each other directly (traffic goes via the hub router between these specific sites), although they are able to communicate directly with the other 35 or so routers. I think this is an NHRP issue, as when I do show ip nhrp detail on one of these 4 routers, the other 3 routers display a (no socket) entry. I am able to clear this "sometimes" by clear ip nhrp. Whenever the (no socket) entry is there, spoke-to-spoke communication does not work. Any help would be greatly appreciated.

pradeepde,
Thank you very much for your response. I think you may be right, I have upgraded the IOS to a maintenance release 12.4.15T9 and this does appear to have fixed the problem.
Thanks again

Similar Messages

  • Using SNMP to monitor DMVPN NHRP

    Are there any SNMP OIDs for monitoring dynamic DMVPN NHRP entries? I'd like to poll my hub router for a list of active DMVPN spokes, and NHRP seems like the best thing to check, but I can't find any MIBs for NHRP outside of the Frame Relay context.
    Thanks!
    -Mason

    Hi
    I use these OIDs for my DMVPN query.
    ***HUB***
    Active IKE sessions (count)
    get .1.3.6.1.4.1.9.9.171.1.2.1.1.0
    Active IPSec sessions (count)
    get .1.3.6.1.4.1.9.9.171.1.3.1.1.0
    IKE Peer's IP address (list)
    walk .1.3.6.1.4.1.9.9.171.1.2.2.1.7.0
    ***SPOKE***
    IKE History (ID)
    walk .1.3.6.1.4.1.9.9.171.1.4.2.1.1.8
    IKE History (reason based on ID)
    walk .1.3.6.1.4.1.9.9.171.1.5.2.1.1.2
    I don't know if it's exactly what you want. But if it's not, you can walk the Cisco MIB 1.3.6.1.4.1.9 into a text file and grab what you want. That's how I found my OIDs.
    Enjoy :)

  • DmVPN MM_NO_STATE ISSUE

    Dear all,
    I am trying to connect a dynamic VPN between HQ with public static IP 82.114.179.120 and a branch with dynamic IP 46.35.80.59.
    The state is varying between CONF_XAUTH and MM_NO_STATE.
    Please can you go through the debug files to help solve the issue? Tunnel interface is 10. The show run is after the debug.
    Thanks for your support.
    regards,

    Hi Mr. Freak again,
    Below is the latest config with MM_NO_STATE state.
    HQ, which is configured to accept remote VPN clients using a crypto map, is configured for dynamic VPN with the branch.
    HQ static public IP is 82.114.179.120, tunnel 10 IP 172.16.10.1 and local LAN is 192.168.1.0
    Branch has a dynamic public IP, tunnel 10 IP 172.16.10.32, and local LAN is 192.168.32.0. It is also configured using tunnel 0 with another HQ, which works fine.
    The branch LAN (192.168.32.0) needs to access the HQ LAN (192.168.1.0)....
    HQ:
    aaa authentication login acs local
    aaa authorization network acs local
    aaa session-id common
    ip cef
    ip name-server 8.8.8.8
    no ipv6 cef
    multilink bundle-name authenticated
    redundancy
    controller VDSL 0/1/0
    crypto keyring ccp-dmvpn-keyring
      pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp keepalive 3600 5
    crypto isakmp nat keepalive 3600
    crypto isakmp xauth timeout 60
    crypto isakmp client configuration group NAMA
     key namanama
     pool mypool
     acl 101
     save-password
    crypto isakmp profile ccp-dmvpn-isakmprofile
       keyring ccp-dmvpn-keyring
       match identity address 0.0.0.0
    crypto ipsec transform-set test esp-3des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
     mode transport
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-AES-MD5
     set isakmp-profile ccp-dmvpn-isakmprofile
    crypto dynamic-map map 10
     set transform-set test
     reverse-route
    crypto map i-map client authentication list acs
    crypto map i-map isakmp authorization list acs
    crypto map i-map client configuration address respond
    crypto map i-map 10 ipsec-isakmp dynamic map
    interface Tunnel10
     bandwidth 1000
     ip address 172.16.10.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip tcp adjust-mss 1360
     delay 1000
     shutdown
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 192.168.0.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface ATM0/1/0
     description DSL Interface
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    interface Dialer0
     no ip address
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname nama20004
     ppp chap password 0 220004
     ppp pap sent-username nama20004 password 0 220004
     crypto map i-map
    ip local pool mypool 192.168.30.1 192.168.30.100
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip nat inside source list 171 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.32.0 255.255.255.0 172.16.10.32
    access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
    access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
    access-list 171 permit ip any any
    dialer-list 2 protocol ip permit
    HQ#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
    82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
    82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)
    Branch show run:
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp policy 11
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key users@NAMA address 82.114.179.105
    crypto isakmp key users@NAMA address 82.114.179.120
    crypto isakmp keepalive 10 periodic
    crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
     mode transport
    crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
     mode transport
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-AES-MD5
    crypto ipsec profile To-Taiz-Profile
     set transform-set To-Taiz
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.0.32 255.255.255.0
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map 172.16.0.1 82.114.179.105
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 172.16.0.1
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Dialer0
     tunnel destination 82.114.179.105
     tunnel key 100000
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Tunnel10
     bandwidth 1000
     ip address 172.16.10.32 255.255.255.0
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map 172.16.10.1 82.114.179.120
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 172.16.10.1
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Dialer0
     tunnel destination 82.114.179.120
     tunnel key 22334455
     tunnel protection ipsec profile To-Taiz-Profile
    interface Ethernet0
     no ip address
     shutdown
    interface ATM0
     no ip address
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     pvc 8/35
      pppoe-client dial-pool-number 1
    interface FastEthernet0
     description ## CONNECT TO LAN ##
     no ip address
    interface FastEthernet1
     description ## CONNECT TO LAN ##
     no ip address
    interface FastEthernet2
     description ## CONNECT TO LAN ##
     no ip address
    interface FastEthernet3
     description ## CONNECT TO LAN ##
     no ip address
    interface Vlan1
     description ## LAN INTERFACE ##
     ip dhcp client hostname none
     ip address 192.168.32.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    interface Dialer0
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname mohammadaa
     ppp chap password 0 123456
     ppp pap sent-username mohammadaa password 0 123456
    ip forward-protocol nd
    ip http server
    ip http access-class 10
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 192.168.0.0 255.255.255.0 172.16.0.1
    ip route 192.168.1.0 255.255.255.0 172.16.10.1
    ip sla auto discovery
    dialer-list 1 protocol ip permit
    access-list 1 permit 192.168.32.0 0.0.0.255
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 10 permit 192.168.0.0 0.0.0.255
    Branch#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
    82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)
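Added example, not part of the original post: a Python check that compares the settings both ends of the Tunnel10 GRE/IPsec tunnel have to agree on, run over excerpts of the two configurations posted above. The function names are illustrative, and the ISAKMP defaults filled in for lines that `show run` omits are an assumption noted in the code.

```python
import re

# Excerpts of the HQ and branch configurations posted above (secrets left out).
HQ_EXCERPT = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
interface Tunnel10
 ip nhrp authentication DMVPN_NW
 shutdown
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
"""
BRANCH_EXCERPT = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile To-Taiz-Profile
 set transform-set To-Taiz
interface Tunnel10
 ip nhrp authentication DMVPN_NW
 tunnel key 22334455
 tunnel protection ipsec profile To-Taiz-Profile
"""

# Assumption: values missing from `show run` are the classic IOS ISAKMP defaults.
ISAKMP_DEFAULTS = (("encr", "des"), ("hash", "sha"),
                   ("authentication", "rsa-sig"), ("group", "1"))


def parse_sections(config):
    """Group an IOS config into {top-level line: [child lines]} by indentation."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def child_value(children, prefix):
    """Return what follows `prefix` on the first matching child line, else None."""
    for line in children:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def isakmp_policies(sections):
    """Return the set of (encr, hash, authentication, group) proposals."""
    return {
        tuple(child_value(kids, key) or default for key, default in ISAKMP_DEFAULTS)
        for header, kids in sections.items()
        if header.startswith("crypto isakmp policy ")
    }


def tunnel_view(sections, ifname):
    """Collect the per-tunnel settings that must agree with the peer."""
    children = sections["interface " + ifname]
    profile = child_value(children, "tunnel protection ipsec profile")
    name = child_value(sections.get("crypto ipsec profile %s" % profile, []),
                       "set transform-set")
    tset = None
    for header, kids in sections.items():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", header)
        if m and m.group(1) == name:
            # Transform sets default to tunnel mode when no mode line is present.
            tset = (m.group(2), child_value(kids, "mode") or "tunnel")
    return {
        "shutdown": "shutdown" in children,
        "tunnel key": child_value(children, "tunnel key"),
        "nhrp authentication": child_value(children, "ip nhrp authentication"),
        "transform-set": tset,
    }


def compare(hub_cfg, spoke_cfg, ifname):
    """Return a list of findings for settings that differ between the two ends."""
    hub, spoke = parse_sections(hub_cfg), parse_sections(spoke_cfg)
    h, s = tunnel_view(hub, ifname), tunnel_view(spoke, ifname)
    findings = [f"{side}: interface {ifname} is shutdown"
                for side, view in (("hub", h), ("spoke", s)) if view["shutdown"]]
    for key in ("tunnel key", "nhrp authentication", "transform-set"):
        if h[key] != s[key]:
            findings.append(f"{key} differs: hub={h[key]!r} spoke={s[key]!r}")
    if not isakmp_policies(hub) & isakmp_policies(spoke):
        findings.append("no ISAKMP policy common to both ends")
    return findings


if __name__ == "__main__":
    for finding in compare(HQ_EXCERPT, BRANCH_EXCERPT, "Tunnel10"):
        print(finding)
```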

  • Show ip nhrp issue

    My company uses DMVPN to connect with branches, but sometimes when I run "show ip nhrp bri", I get some issues.
    The show output:
    3925VPN#sho ip nhrp bri
      Target            Via            NBMA          Mode  Intfc  Claimed
    192.168.96.2/32      192.168.96.2    58.22.127.76    dynamic  Tu100  <  >
    192.168.96.3/32      192.168.96.3    incomplete
    192.168.96.4/32      192.168.96.4    incomplete
    192.168.96.5/32      192.168.96.5    incomplete
    192.168.96.6/32      192.168.96.6    incomplete
    192.168.96.7/32      192.168.96.7    incomplete
    192.168.96.8/32      192.168.96.8    incomplete
    192.168.96.9/32      192.168.96.9    incomplete
    192.168.96.10/32    192.168.96.10  incomplete
    192.168.96.11/32    192.168.96.11  incomplete
    192.168.96.12/32    192.168.96.12  incomplete
    192.168.96.13/32    192.168.96.13  incomplete
    192.168.96.14/32    192.168.96.14  incomplete
    192.168.96.15/32    192.168.96.15  incomplete
    192.168.96.16/32    192.168.96.16  incomplete
    192.168.96.17/32    192.168.96.17  incomplete
    192.168.96.18/32    192.168.96.18  incomplete
    192.168.96.19/32    192.168.96.19  incomplete
    192.168.96.20/32    192.168.96.20  incomplete
    192.168.96.21/32    192.168.96.21  incomplete
    192.168.96.22/32    192.168.96.22  incomplete
    192.168.96.23/32    192.168.96.23  incomplete
    192.168.96.24/32    192.168.96.24  incomplete
    192.168.96.25/32    192.168.96.25  incomplete
    192.168.96.27/32    192.168.96.27  incomplete
    192.168.96.28/32    192.168.96.28  incomplete
    192.168.96.29/32    192.168.96.29  incomplete
    192.168.96.30/32    192.168.96.30  incomplete
    192.168.96.31/32    192.168.96.31  incomplete
    192.168.96.32/32    192.168.96.32  incomplete
    192.168.96.33/32    192.168.96.33  incomplete
    192.168.96.34/32    192.168.96.34  incomplete
    192.168.96.35/32    192.168.96.35  incomplete
    192.168.96.36/32    192.168.96.36  incomplete
    192.168.96.37/32    192.168.96.37  incomplete
    192.168.96.38/32    192.168.96.38  incomplete
    192.168.96.39/32    192.168.96.39  incomplete
    192.168.96.40/32    192.168.96.40  incomplete
    192.168.96.41/32    192.168.96.41  incomplete
    192.168.96.42/32    192.168.96.42  incomplete
    192.168.96.43/32    192.168.96.43  incomplete
    192.168.96.44/32    192.168.96.44  incomplete
    192.168.96.45/32    192.168.96.45  incomplete
    192.168.96.46/32    192.168.96.46  incomplete
    192.168.96.47/32    192.168.96.47  incomplete
    192.168.96.48/32    192.168.96.48  incomplete
    192.168.96.49/32    192.168.96.49  incomplete
    192.168.96.50/32    192.168.96.50  incomplete
    192.168.96.51/32    192.168.96.51  incomplete
    192.168.96.52/32    192.168.96.52  incomplete
    192.168.96.53/32    192.168.96.53  incomplete
    192.168.96.54/32    192.168.96.54  incomplete
    192.168.96.55/32    192.168.96.55  incomplete
    192.168.96.56/32    192.168.96.56  incomplete
    192.168.96.57/32    192.168.96.57  incomplete
    192.168.96.58/32    192.168.96.58  incomplete
    192.168.96.59/32    192.168.96.59  incomplete
    192.168.96.60/32    192.168.96.60  incomplete
    192.168.96.61/32    192.168.96.61  incomplete
    192.168.96.62/32    192.168.96.62  incomplete
    192.168.96.63/32    192.168.96.63  incomplete
    192.168.96.64/32    192.168.96.64  incomplete
    192.168.96.65/32    192.168.96.65  incomplete
    192.168.96.66/32    192.168.96.66  incomplete
    192.168.96.67/32    192.168.96.67  incomplete
    192.168.96.68/32    192.168.96.68  incomplete
    192.168.96.69/32    192.168.96.69  incomplete
    192.168.96.70/32    192.168.96.70  incomplete
    192.168.96.71/32    192.168.96.71  incomplete
    192.168.96.72/32    192.168.96.72  incomplete
    192.168.96.73/32    192.168.96.73  incomplete
    192.168.96.74/32    192.168.96.74  incomplete
    192.168.96.75/32    192.168.96.75  incomplete
    192.168.96.76/32    192.168.96.76  incomplete
    192.168.96.77/32    192.168.96.77  incomplete
    192.168.96.78/32    192.168.96.78  incomplete
    192.168.96.79/32    192.168.96.79  incomplete
    192.168.96.80/32    192.168.96.80  incomplete
    192.168.96.81/32    192.168.96.81  incomplete
    192.168.96.82/32    192.168.96.82  incomplete
    192.168.96.83/32    192.168.96.83  incomplete
    192.168.96.84/32    192.168.96.84  incomplete
    192.168.96.85/32    192.168.96.85  incomplete
    192.168.96.86/32    192.168.96.86  incomplete
    192.168.96.87/32    192.168.96.87  incomplete
    192.168.96.88/32    192.168.96.88  incomplete
    192.168.96.89/32    192.168.96.89  incomplete
    192.168.96.90/32    192.168.96.90  incomplete
    192.168.96.91/32    192.168.96.91  incomplete
    192.168.96.92/32    192.168.96.92  incomplete
    192.168.96.93/32    192.168.96.93  incomplete
    192.168.96.94/32    192.168.96.94  incomplete
    192.168.96.95/32    192.168.96.95  incomplete
    192.168.96.96/32    192.168.96.96  incomplete
    192.168.96.97/32    192.168.96.97  incomplete
    192.168.96.98/32    192.168.96.98  incomplete
    192.168.96.99/32    192.168.96.99  incomplete
    192.168.96.100/32    192.168.96.100  incomplete
    192.168.96.101/32    192.168.96.101  incomplete
    192.168.96.102/32    192.168.96.102  incomplete
    192.168.96.103/32    192.168.96.103  incomplete
    192.168.96.104/32    192.168.96.104  incomplete
    192.168.96.105/32    192.168.96.105  incomplete
    192.168.96.106/32    192.168.96.106  incomplete
    192.168.96.107/32    192.168.96.107  incomplete
    192.168.96.108/32    192.168.96.108  incomplete
    192.168.96.109/32    192.168.96.109  incomplete
    192.168.96.110/32    192.168.96.110  incomplete
    192.168.96.111/32    192.168.96.111  incomplete
    192.168.96.112/32    192.168.96.112  incomplete
    192.168.96.113/32    192.168.96.113  incomplete
    192.168.96.114/32    192.168.96.114  incomplete
    192.168.96.115/32    192.168.96.115  incomplete
    192.168.96.116/32    192.168.96.116  incomplete
    192.168.96.117/32    192.168.96.117  incomplete
    192.168.96.118/32    192.168.96.118  incomplete
    192.168.96.119/32    192.168.96.119  incomplete
    192.168.96.120/32    192.168.96.120  incomplete
    192.168.96.121/32    192.168.96.121  incomplete
    192.168.96.122/32    192.168.96.122  incomplete
    192.168.96.123/32    192.168.96.123  incomplete
    192.168.96.124/32    192.168.96.124  incomplete
    192.168.96.125/32    192.168.96.125  incomplete
    192.168.96.126/32    192.168.96.126  incomplete
    192.168.96.127/32    192.168.96.127  incomplete
    192.168.96.128/32    192.168.96.128  incomplete
    192.168.96.129/32    192.168.96.129  incomplete
    192.168.96.130/32    192.168.96.130  180.213.2.250  dynamic  Tu100  <  >
    192.168.96.131/32    192.168.96.131  202.100.251.242 dynamic  Tu100  <  >
    192.168.96.134/32    192.168.96.134  219.143.238.165 dynamic  Tu100  <  >
    192.168.96.135/32    192.168.96.135  221.226.40.34  dynamic  Tu100  <  >
    192.168.96.136/32    192.168.96.136  180.166.39.6    dynamic  Tu100  <  >
    192.168.96.137/32    192.168.96.137  incomplete
    192.168.96.138/32    192.168.96.138  incomplete
    192.168.96.139/32    192.168.96.139  incomplete
    192.168.96.140/32    192.168.96.140  incomplete
    192.168.96.141/32    192.168.96.141  incomplete
    192.168.96.142/32    192.168.96.142  incomplete
    192.168.96.143/32    192.168.96.143  incomplete
    192.168.96.144/32    192.168.96.144  incomplete
    192.168.96.145/32    192.168.96.145  incomplete
    192.168.96.146/32    192.168.96.146  incomplete
    192.168.96.147/32    192.168.96.147  incomplete
    192.168.96.148/32    192.168.96.148  incomplete
    192.168.96.149/32    192.168.96.149  incomplete
    192.168.96.150/32    192.168.96.150  incomplete
    192.168.96.151/32    192.168.96.151  incomplete
    192.168.96.152/32    192.168.96.152  incomplete
    192.168.96.153/32    192.168.96.153  incomplete
    192.168.96.154/32    192.168.96.154  incomplete
    192.168.96.155/32    192.168.96.155  incomplete
    192.168.96.156/32    192.168.96.156  incomplete
    192.168.96.157/32    192.168.96.157  incomplete
    192.168.96.158/32    192.168.96.158  incomplete
    192.168.96.159/32    192.168.96.159  incomplete
    192.168.96.160/32    192.168.96.160  incomplete
    192.168.96.161/32    192.168.96.161  incomplete
    192.168.96.162/32    192.168.96.162  incomplete
    192.168.96.163/32    192.168.96.163  incomplete
    192.168.96.164/32    192.168.96.164  incomplete
    192.168.96.165/32    192.168.96.165  incomplete
    192.168.96.166/32    192.168.96.166  incomplete
    192.168.96.167/32    192.168.96.167  incomplete
    192.168.96.168/32    192.168.96.168  incomplete
    192.168.96.169/32    192.168.96.169  incomplete
    192.168.96.170/32    192.168.96.170  incomplete
    192.168.96.171/32    192.168.96.171  incomplete
    192.168.96.172/32    192.168.96.172  incomplete
    192.168.96.173/32    192.168.96.173  incomplete
    192.168.96.174/32    192.168.96.174  incomplete
    192.168.96.175/32    192.168.96.175  incomplete
    192.168.96.176/32    192.168.96.176  incomplete
    192.168.96.177/32    192.168.96.177  incomplete
    192.168.96.178/32    192.168.96.178  incomplete
    192.168.96.179/32    192.168.96.179  incomplete
    192.168.96.180/32    192.168.96.180  incomplete
    192.168.96.181/32    192.168.96.181  incomplete
    192.168.96.182/32    192.168.96.182  incomplete
    192.168.96.183/32    192.168.96.183  incomplete
    192.168.96.184/32    192.168.96.184  incomplete
    192.168.96.185/32    192.168.96.185  incomplete
    192.168.96.186/32    192.168.96.186  incomplete
    192.168.96.187/32    192.168.96.187  incomplete
    192.168.96.188/32    192.168.96.188  incomplete
    192.168.96.189/32    192.168.96.189  incomplete
    192.168.96.190/32    192.168.96.190  incomplete
    192.168.96.191/32    192.168.96.191  incomplete
    192.168.96.192/32    192.168.96.192  incomplete
    192.168.96.193/32    192.168.96.193  incomplete
    192.168.96.194/32    192.168.96.194  incomplete
    192.168.96.195/32    192.168.96.195  incomplete
    192.168.96.196/32    192.168.96.196  incomplete
    192.168.96.197/32    192.168.96.197  incomplete
    192.168.96.198/32    192.168.96.198  incomplete
    192.168.96.199/32    192.168.96.199  incomplete
    192.168.96.200/32    192.168.96.200  incomplete
    192.168.96.201/32    192.168.96.201  incomplete
    192.168.96.202/32    192.168.96.202  incomplete
    192.168.96.203/32    192.168.96.203  incomplete
    192.168.96.204/32    192.168.96.204  incomplete
    192.168.96.205/32    192.168.96.205  incomplete
    192.168.96.206/32    192.168.96.206  incomplete
    192.168.96.207/32    192.168.96.207  incomplete
    192.168.96.208/32    192.168.96.208  incomplete
    192.168.96.209/32    192.168.96.209  incomplete
    192.168.96.210/32    192.168.96.210  incomplete
    192.168.96.211/32    192.168.96.211  incomplete
    192.168.96.212/32    192.168.96.212  incomplete
    192.168.96.213/32    192.168.96.213  incomplete
    192.168.96.214/32    192.168.96.214  incomplete
    192.168.96.215/32    192.168.96.215  incomplete
    192.168.96.216/32    192.168.96.216  incomplete
    192.168.96.217/32    192.168.96.217  incomplete
    192.168.96.218/32    192.168.96.218  incomplete
    192.168.96.219/32    192.168.96.219  incomplete
    192.168.96.220/32    192.168.96.220  incomplete
    192.168.96.221/32    192.168.96.221  incomplete
    192.168.96.222/32    192.168.96.222  incomplete
    192.168.96.223/32    192.168.96.223  incomplete
    192.168.96.224/32    192.168.96.224  incomplete
    192.168.96.225/32    192.168.96.225  incomplete
    192.168.96.226/32    192.168.96.226  incomplete
    192.168.96.227/32    192.168.96.227  incomplete
    192.168.96.228/32    192.168.96.228  incomplete
    192.168.96.229/32    192.168.96.229  incomplete
    192.168.96.231/32    192.168.96.231  incomplete
    192.168.96.232/32    192.168.96.232  incomplete
    192.168.96.233/32    192.168.96.233  incomplete
    192.168.96.234/32    192.168.96.234  incomplete
    192.168.96.235/32    192.168.96.235  incomplete
    192.168.96.236/32    192.168.96.236  incomplete
    192.168.96.237/32    192.168.96.237  incomplete
    192.168.96.238/32    192.168.96.238  incomplete
    192.168.96.239/32    192.168.96.239  incomplete
    192.168.96.240/32    192.168.96.240  incomplete
    192.168.96.241/32    192.168.96.241  incomplete
    192.168.96.242/32    192.168.96.242  incomplete
    192.168.96.243/32    192.168.96.243  incomplete
    192.168.96.244/32    192.168.96.244  incomplete
    192.168.96.245/32    192.168.96.245  incomplete
    192.168.96.246/32    192.168.96.246  incomplete
    192.168.96.247/32    192.168.96.247  incomplete
    192.168.96.248/32    192.168.96.248  incomplete
    192.168.96.249/32    192.168.96.249  incomplete
    192.168.96.250/32    192.168.96.250  incomplete
    192.168.96.251/32    192.168.96.251  incomplete
    192.168.96.252/32    192.168.96.252  incomplete
    192.168.96.253/32    192.168.96.253  incomplete
    192.168.96.254/32    192.168.96.254  incomplete
    Usually, when I show the same information after a while, the NHRP table gets back to normal:
    3925VPN#sho ip nhrp bri
      Target            Via            NBMA          Mode  Intfc  Claimed
    192.168.96.2/32      192.168.96.2    58.22.127.76    dynamic  Tu100  <  >
    192.168.96.130/32    192.168.96.130  180.213.2.250  dynamic  Tu100  <  >
    192.168.96.131/32    192.168.96.131  202.100.251.242 dynamic  Tu100  <  >
    192.168.96.132/32    192.168.96.132  incomplete
    192.168.96.133/32    192.168.96.133  incomplete
    192.168.96.134/32    192.168.96.134  219.143.238.165 dynamic  Tu100  <  >
    192.168.96.135/32    192.168.96.135  221.226.40.34  dynamic  Tu100  <  >
    192.168.96.136/32    192.168.96.136  180.166.39.6    dynamic  Tu100  <  >
    Why did this happen, top players? Thanks.
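Added example, not part of the original post: a Python summary of `show ip nhrp brief` output that counts resolved and incomplete entries, collapses consecutive incomplete targets into ranges, and lists which targets cleared between two snapshots, so a table like the one above can be compared over time. The sample text is constructed and the function names are illustrative.

```python
import ipaddress
import re

# Constructed samples in the layout of the `show ip nhrp brief` output quoted
# above. Addresses are private/documentation ranges, not values from the post.
SAMPLE = """\
HUB#sho ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
10.0.0.2/32          10.0.0.2        198.51.100.10   dynamic  Tu100   <   >
10.0.0.3/32          10.0.0.3        incomplete
10.0.0.4/32          10.0.0.4        incomplete
10.0.0.5/32          10.0.0.5        incomplete
10.0.0.7/32          10.0.0.7        incomplete
10.0.0.12/32         10.0.0.12       203.0.113.20    dynamic  Tu100   <   >
"""
SAMPLE_LATER = """\
HUB#sho ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
10.0.0.2/32          10.0.0.2        198.51.100.10   dynamic  Tu100   <   >
10.0.0.7/32          10.0.0.7        incomplete
10.0.0.12/32         10.0.0.12       203.0.113.20    dynamic  Tu100   <   >
"""

# Target/prefix, Via, then either an NBMA address or the word "incomplete".
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})/\d+\s+\S+\s+(\S+)")


def parse_nhrp_brief(text):
    """Return (resolved, incomplete).

    resolved maps tunnel IP -> NBMA IP (strings); incomplete is a sorted list
    of ipaddress objects. Prompt, header and blank lines are skipped.
    """
    resolved, incomplete = {}, []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        target, nbma = m.group(1), m.group(2)
        if nbma == "incomplete":
            incomplete.append(ipaddress.ip_address(target))
        else:
            resolved[target] = nbma
    return resolved, sorted(incomplete)


def collapse(addresses):
    """Collapse addresses into (first, last) runs of consecutive hosts."""
    runs = []
    for addr in sorted(addresses):
        if runs and int(addr) == int(runs[-1][1]) + 1:
            runs[-1][1] = addr
        else:
            runs.append([addr, addr])
    return [(str(first), str(last)) for first, last in runs]


def summarize(text, tunnel_subnet):
    """Count entries and report how much of the tunnel subnet is incomplete."""
    resolved, incomplete = parse_nhrp_brief(text)
    net = ipaddress.ip_network(tunnel_subnet)
    usable_hosts = net.num_addresses - 2
    inside = [a for a in incomplete if a in net]
    return {
        "resolved": len(resolved),
        "incomplete": len(incomplete),
        "incomplete_runs": collapse(incomplete),
        "subnet_coverage": round(len(inside) / usable_hosts, 3),
    }


def cleared_between(before, after):
    """Targets that were incomplete in `before` and are gone from `after`."""
    _, inc_before = parse_nhrp_brief(before)
    res_after, inc_after = parse_nhrp_brief(after)
    present = {str(a) for a in inc_after} | set(res_after)
    return [str(a) for a in inc_before if str(a) not in present]


if __name__ == "__main__":
    print(summarize(SAMPLE, "10.0.0.0/28"))
    print("cleared:", cleared_between(SAMPLE, SAMPLE_LATER))
```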


  • Nhrp issue

          my company uses dmvpn to connect with branch,but sometime when i “show ip nhrp bri " , i got some issus ,
          the show information
    3925VPN#sho ip nhrp bri
       Target             Via            NBMA           Mode   Intfc   Claimed
    192.168.96.2/32      192.168.96.2    58.22.127.76    dynamic  Tu100   <   >
    192.168.96.3/32      192.168.96.3    incomplete
    192.168.96.4/32      192.168.96.4    incomplete
    192.168.96.5/32      192.168.96.5    incomplete
    192.168.96.6/32      192.168.96.6    incomplete
    192.168.96.7/32      192.168.96.7    incomplete
    192.168.96.8/32      192.168.96.8    incomplete
    192.168.96.9/32      192.168.96.9    incomplete
    192.168.96.10/32     192.168.96.10   incomplete
    192.168.96.11/32     192.168.96.11   incomplete
    192.168.96.12/32     192.168.96.12   incomplete
    192.168.96.13/32     192.168.96.13   incomplete
    192.168.96.14/32     192.168.96.14   incomplete
    192.168.96.15/32     192.168.96.15   incomplete
    192.168.96.16/32     192.168.96.16   incomplete
    192.168.96.17/32     192.168.96.17   incomplete
    192.168.96.18/32     192.168.96.18   incomplete
    192.168.96.19/32     192.168.96.19   incomplete
    192.168.96.20/32     192.168.96.20   incomplete
    192.168.96.21/32     192.168.96.21   incomplete
    192.168.96.22/32     192.168.96.22   incomplete
    192.168.96.23/32     192.168.96.23   incomplete
    192.168.96.24/32     192.168.96.24   incomplete
    192.168.96.25/32     192.168.96.25   incomplete
    192.168.96.27/32     192.168.96.27   incomplete
    192.168.96.28/32     192.168.96.28   incomplete
    192.168.96.29/32     192.168.96.29   incomplete
    192.168.96.30/32     192.168.96.30   incomplete
    192.168.96.31/32     192.168.96.31   incomplete
    192.168.96.32/32     192.168.96.32   incomplete
    192.168.96.33/32     192.168.96.33   incomplete
    192.168.96.34/32     192.168.96.34   incomplete
    192.168.96.35/32     192.168.96.35   incomplete
    192.168.96.36/32     192.168.96.36   incomplete
    192.168.96.37/32     192.168.96.37   incomplete
    192.168.96.38/32     192.168.96.38   incomplete
    192.168.96.39/32     192.168.96.39   incomplete
    192.168.96.40/32     192.168.96.40   incomplete
    192.168.96.41/32     192.168.96.41   incomplete
    192.168.96.42/32     192.168.96.42   incomplete
    192.168.96.43/32     192.168.96.43   incomplete
    192.168.96.44/32     192.168.96.44   incomplete
    192.168.96.45/32     192.168.96.45   incomplete
    192.168.96.46/32     192.168.96.46   incomplete
    192.168.96.47/32     192.168.96.47   incomplete
    192.168.96.48/32     192.168.96.48   incomplete
    192.168.96.49/32     192.168.96.49   incomplete
    192.168.96.50/32     192.168.96.50   incomplete
    192.168.96.51/32     192.168.96.51   incomplete
    192.168.96.52/32     192.168.96.52   incomplete
    192.168.96.53/32     192.168.96.53   incomplete
    192.168.96.54/32     192.168.96.54   incomplete
    192.168.96.55/32     192.168.96.55   incomplete
    192.168.96.56/32     192.168.96.56   incomplete
    192.168.96.57/32     192.168.96.57   incomplete
    192.168.96.58/32     192.168.96.58   incomplete
    192.168.96.59/32     192.168.96.59   incomplete
    192.168.96.60/32     192.168.96.60   incomplete
    192.168.96.61/32     192.168.96.61   incomplete
    192.168.96.62/32     192.168.96.62   incomplete
    192.168.96.63/32     192.168.96.63   incomplete
    192.168.96.64/32     192.168.96.64   incomplete
    192.168.96.65/32     192.168.96.65   incomplete
    192.168.96.66/32     192.168.96.66   incomplete
    192.168.96.67/32     192.168.96.67   incomplete
    192.168.96.68/32     192.168.96.68   incomplete
    192.168.96.69/32     192.168.96.69   incomplete
    192.168.96.70/32     192.168.96.70   incomplete
    192.168.96.71/32     192.168.96.71   incomplete
    192.168.96.72/32     192.168.96.72   incomplete
    192.168.96.73/32     192.168.96.73   incomplete
    192.168.96.74/32     192.168.96.74   incomplete
    192.168.96.75/32     192.168.96.75   incomplete
    192.168.96.76/32     192.168.96.76   incomplete
    192.168.96.77/32     192.168.96.77   incomplete
    192.168.96.78/32     192.168.96.78   incomplete
    192.168.96.79/32     192.168.96.79   incomplete
    192.168.96.80/32     192.168.96.80   incomplete
    192.168.96.81/32     192.168.96.81   incomplete
    192.168.96.82/32     192.168.96.82   incomplete
    192.168.96.83/32     192.168.96.83   incomplete
    192.168.96.84/32     192.168.96.84   incomplete
    192.168.96.85/32     192.168.96.85   incomplete
    192.168.96.86/32     192.168.96.86   incomplete
    192.168.96.87/32     192.168.96.87   incomplete
    192.168.96.88/32     192.168.96.88   incomplete
    192.168.96.89/32     192.168.96.89   incomplete
    192.168.96.90/32     192.168.96.90   incomplete
    192.168.96.91/32     192.168.96.91   incomplete
    192.168.96.92/32     192.168.96.92   incomplete
    192.168.96.93/32     192.168.96.93   incomplete
    192.168.96.94/32     192.168.96.94   incomplete
    192.168.96.95/32     192.168.96.95   incomplete
    192.168.96.96/32     192.168.96.96   incomplete
    192.168.96.97/32     192.168.96.97   incomplete
    192.168.96.98/32     192.168.96.98   incomplete
    192.168.96.99/32     192.168.96.99   incomplete
    192.168.96.100/32    192.168.96.100  incomplete
    192.168.96.101/32    192.168.96.101  incomplete
    192.168.96.102/32    192.168.96.102  incomplete
    192.168.96.103/32    192.168.96.103  incomplete
    192.168.96.104/32    192.168.96.104  incomplete
    192.168.96.105/32    192.168.96.105  incomplete
    192.168.96.106/32    192.168.96.106  incomplete
    192.168.96.107/32    192.168.96.107  incomplete
    192.168.96.108/32    192.168.96.108  incomplete
    192.168.96.109/32    192.168.96.109  incomplete
    192.168.96.110/32    192.168.96.110  incomplete
    192.168.96.111/32    192.168.96.111  incomplete
    192.168.96.112/32    192.168.96.112  incomplete
    192.168.96.113/32    192.168.96.113  incomplete
    192.168.96.114/32    192.168.96.114  incomplete
    192.168.96.115/32    192.168.96.115  incomplete
    192.168.96.116/32    192.168.96.116  incomplete
    192.168.96.117/32    192.168.96.117  incomplete
    192.168.96.118/32    192.168.96.118  incomplete
    192.168.96.119/32    192.168.96.119  incomplete
    192.168.96.120/32    192.168.96.120  incomplete
    192.168.96.121/32    192.168.96.121  incomplete
    192.168.96.122/32    192.168.96.122  incomplete
    192.168.96.123/32    192.168.96.123  incomplete
    192.168.96.124/32    192.168.96.124  incomplete
    192.168.96.125/32    192.168.96.125  incomplete
    192.168.96.126/32    192.168.96.126  incomplete
    192.168.96.127/32    192.168.96.127  incomplete
    192.168.96.128/32    192.168.96.128  incomplete
    192.168.96.129/32    192.168.96.129  incomplete
    192.168.96.130/32    192.168.96.130  180.213.2.250   dynamic  Tu100   <   >
    192.168.96.131/32    192.168.96.131  202.100.251.242 dynamic  Tu100   <   >
    192.168.96.134/32    192.168.96.134  219.143.238.165 dynamic  Tu100   <   >
    192.168.96.135/32    192.168.96.135  221.226.40.34   dynamic  Tu100   <   >
    192.168.96.136/32    192.168.96.136  180.166.39.6    dynamic  Tu100   <   >
    Usually, when I show the same information after a while, NHRP gets back to normal:
    3925VPN#sho ip nhrp bri
       Target             Via            NBMA           Mode   Intfc   Claimed
    192.168.96.2/32      192.168.96.2    58.22.127.76    dynamic  Tu100   <   >
    192.168.96.130/32    192.168.96.130  180.213.2.250   dynamic  Tu100   <   >
    192.168.96.131/32    192.168.96.131  202.100.251.242 dynamic  Tu100   <   >
    192.168.96.132/32    192.168.96.132  incomplete
    192.168.96.133/32    192.168.96.133  incomplete
    192.168.96.134/32    192.168.96.134  219.143.238.165 dynamic  Tu100   <   >
    192.168.96.135/32    192.168.96.135  221.226.40.34   dynamic  Tu100   <   >
    192.168.96.136/32    192.168.96.136  180.166.39.6    dynamic  Tu100   <   >
    Why did this happen, top players? Thx.

  • DMVPN NHRP error indication logs

    I am seeing a ton of these entries on one of my spoke routers. The hub router IP is 10.1.2.1 and all the dst IPs are not in use, so I can't figure out why the spoke router is sending packets to 10.1.2.3, 10.1.2.44, 10.1.2.47 and so on when those IPs are not in use in my environment.
    It's dropping packets across the tunnel constantly and I can't figure out why. Does anyone have an idea of what is happening?
    Oct 29 20:05:13.544 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.3), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F3 2C 00 34
    Oct 29 20:05:18.572 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.44), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F2 F2 00 34
    Oct 29 20:05:23.777 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.47), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F2 ED 00 34
    Oct 29 20:05:30.181 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.46), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F2 EC 00 34
    Oct 29 20:05:36.638 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.7), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F3 26 00 34
    Oct 29 20:05:42.842 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma: 28.28.45.45) dst: 10.1.2.34),
    This is the tunnel config on the spoke itself, granted I have another tunnel (different ISP) on this spoke going to another hub and I do not see these error messages on that tunnel.

    All,
    Here's a quick blurb from a document I've been working on which helps to explain this specific error message:
    An error code of 7 will be returned by the NHS when an error occurs when processing the packet which is not associated with any of the other NHRP error codes. According to RFC2332, triggers for the error code include invalid version numbers, invalid protocol types, and failed checksums. This error is commonly seen if the NHS receives a Resolution Request for an IP address which it does not have an entry for in its NHRP cache. For example, if a DMVPN spoke tries to send traffic to a spoke IP address which is not registered with the hub, the hub will return an NHRP Error Indication with the Protocol Generic Error specified.
    To troubleshoot this condition, you should collect the following on both the hub and spoke routers:
    show ip nhrp
    debug nhrp
    debug nhrp packet
    Collecting the debugs will show you the exact NHRP packets which are being sent and received, which may give you an indication as to what is prompting these errors to be returned. Keep in mind that the debugs can be quite chatty and significant NHRP traffic may cause the debugs to impact the router performance.
    HTH,
    Frank
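
The following added example (not from the original thread or from Cisco) parses the `%NHRP-3-PAKERROR` lines quoted above, tallies the trigger destinations that are not registered tunnel addresses, and decodes the `data:` bytes against the RFC 2332 fixed-header layout. It assumes those bytes are the start of the offending NHRP packet; the `REGISTERED` set is a constructed stand-in for the tunnel addresses the hub lists in `show ip nhrp`.

```python
"""Summarise %NHRP-3-PAKERROR syslog lines: who sent them, what triggered them."""
import ipaddress
import re
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Log lines copied from the post above (the last one is cut short in the post).
SAMPLE_LOG = """\
Oct 29 20:05:13.544 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.3), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F3 2C 00 34
Oct 29 20:05:18.572 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.44), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F2 F2 00 34
Oct 29 20:05:23.777 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.47), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F2 ED 00 34
Oct 29 20:05:30.181 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.46), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F2 EC 00 34
Oct 29 20:05:36.638 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma:28.28.45.45) dst: 10.1.2.7), offset: 0, data: 00 01 08 00 00 00 00 00 00 FF 00 58 F3 26 00 34
Oct 29 20:05:42.842 IST: %NHRP-3-PAKERROR: Received Error Indication from 10.1.2.1, code: protocol generic error(7), (trigger src: 10.1.2.192 (nbma: 28.28.45.45) dst: 10.1.2.34),
"""

# Constructed: tunnel addresses assumed to be registered (hub and this spoke).
REGISTERED = {"10.1.2.1", "10.1.2.192"}

PAKERROR = re.compile(
    r"%NHRP-3-PAKERROR: Received Error Indication from (?P<sender>[\d.]+), "
    r"code: (?P<reason>[^()]+)\((?P<code>\d+)\), "
    r"\(trigger src: (?P<src>[\d.]+) \(nbma:\s*(?P<nbma>[\d.]+)\) "
    r"dst: (?P<dst>[\d.]+)\)"
    r"(?:, offset: (?P<offset>\d+), data: (?P<data>[0-9A-Fa-f ]+))?"
)


@dataclass
class FixedHeader:
    afn: int          # ar$afn: address family of the NBMA address (1 = IPv4)
    proto_type: int   # ar$pro.type: 0x0800 = IPv4
    hop_count: int    # ar$hopcnt
    packet_size: int  # ar$pktsz
    checksum: int     # ar$chksum
    ext_offset: int   # ar$extoff


@dataclass
class ErrorIndication:
    sender: str
    code: int
    reason: str
    trigger_src: str
    trigger_nbma: str
    trigger_dst: str
    header: Optional[FixedHeader]


def decode_fixed_header(data_hex: str) -> Optional[FixedHeader]:
    """Decode the first 16 bytes of an NHRP fixed header (RFC 2332, section 5.1)."""
    try:
        raw = bytes.fromhex(data_hex)
    except ValueError:
        return None
    if len(raw) < 16:
        return None
    afn, proto_type = struct.unpack_from("!HH", raw, 0)
    hop_count = raw[9]  # bytes 4..8 are the 5-byte ar$pro.snap field
    packet_size, checksum, ext_offset = struct.unpack_from("!HHH", raw, 10)
    return FixedHeader(afn, proto_type, hop_count, packet_size, checksum, ext_offset)


def parse_pakerror(line: str) -> Optional[ErrorIndication]:
    m = PAKERROR.search(line)
    if not m:
        return None
    header = decode_fixed_header(m["data"]) if m["data"] else None
    return ErrorIndication(m["sender"], int(m["code"]), m["reason"].strip(),
                           m["src"], m["nbma"], m["dst"], header)


def summarize(log_text: str, registered: set) -> dict:
    events = [e for e in map(parse_pakerror, log_text.splitlines()) if e]
    by_dst = Counter(e.trigger_dst for e in events)
    return {
        "events": len(events),
        "senders": sorted({e.sender for e in events}),
        "by_dst": by_dst,
        # Destinations the spoke tried to resolve that no router has registered.
        "unregistered_dsts": sorted((d for d in by_dst if d not in registered),
                                    key=ipaddress.ip_address),
        # Lines whose data bytes were missing or too short to decode.
        "truncated": sum(1 for e in events if e.header is None),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, REGISTERED))
```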

  • Strange status of DMVPN HUB

    Hi all,
    I have 2 DMVPN HUBs and 20 spokes, and on one of these I have a strange DMVPN status - NHRP (what does it mean? I didn't find an explanation of whether that status is bad or good; does it mean that the spoke couldn't get the NBMA address of the HUB through NHRP?). Could anyone explain what it means?
    #show dmvpn
    Interface: Tunnel4, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1        7.#.#.3        10.5.5.1    UP    1d18h     S
         1        7.#.#.4        10.5.5.2  NHRP    1d18h     S
    Spoke's configuration.
    interface Tunnel4
     bandwidth 15000
     ip address 10.5.5.20 255.255.255.0
     no ip redirects
     ip mtu 1416
     ip nhrp map multicast dynamic
     ip nhrp map multicast 7.#.#.3
     ip nhrp map multicast 7.#.#.4
     ip nhrp map 10.5.5.1 7.#.#.3
     ip nhrp map 10.5.5.2 7.#.#.4
     ip nhrp network-id 101
     ip nhrp nhs 10.5.5.1
     ip nhrp nhs 10.5.5.2
     zone-member security outside
     ip tcp adjust-mss 1380
     delay 100
     keepalive 10 3
     tunnel source GigabitEthernet0/2
     tunnel mode gre multipoint
     tunnel key 111000
     tunnel protection ipsec profile dmvpn

    Marcin,
    thank you again for quick reply)
    It's very strange, because I followed your troubleshooting steps and here is what I got:
    1. Spoke can ping the NBMA address of the two HUBs
    2. Every HUB can reach the NBMA address of the spoke
    3. I switched on debugging on the spoke and HUBs and I see NHRP request packets to every HUB
    Debug on spoke:
    000332: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.1
    000333: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.1 to NBMA 7.#.#.3
    000334: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.3
    000335: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
    000336: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.1
    000337: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4 
    000338: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.1
    000339: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2
    000340: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
    000341: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.4
    000342: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
    000343: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.2
    000344: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4 
    000345: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.2
    000346: May 23 10:47:53.412 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4, changed state to up
    000347: May 23 10:47:53.412 MSK: NHRP: Receive Registration Reply via Tunnel4 vrf 0, packet size: 112
    000348: May 23 10:47:53.412 MSK: NHRP: netid_in = 0, to_us = 1
    000349: May 23 10:47:53.412 MSK: NHRP: NHS 10.5.5.1 Tunnel4 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E' 
    000350: May 23 10:47:53.412 MSK: NHRP: NHS-UP: 10.5.5.1
    000351: May 23 10:47:54.920 MSK: NHRP: Setting retrans delay to 4 for nhs  dst 10.5.5.2
    000352: May 23 10:47:54.920 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2 
    000353: May 23 10:47:54.920 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
    000354: May 23 10:47:54.920 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.4
    000355: May 23 10:47:54.920 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
    000356: May 23 10:47:54.920 MSK:       src: 10.5.5.20, dst: 10.5.5.2
    And I don't see any logs related to this spoke on the second HUB!
    So... the NHRP packets are lost on the way to the second HUB, but I can't guess the reason why this happened.

  • DMVPN phase 3 - scalability - nhrp generates high cpu load

    Hey all.
    Been running into scalability issues with DMVPN. Mainly caused (as I see it) by NHRP.
    Scenario:
    IOS-SLB-based DMVPN solution in a dual-cloud setup. Practically it's 2 separate solutions with spokes having 2 tunnels (one in each cloud). See attachment sketch. We're running a phase 3 hierarchy design (trying at least)
    Spoke routers:
    - 2500 routers in a mixture of c871, c881, c2800, c2900. Need to scale to at least twice that.
    - Spoke-to-spoke is heavily used
    Farm routers:
    - Cisco 7201 with VAM2+. Around 1 router per 350 spokes (+1 for secondary tunnel)
    Superhub:
    - ASR 1004 (one for primary and one for secondary dmvpn-cloud).
    We're not running any IPSEC between the farms and the superhubs. Just regular unencrypted DMVPN (mGRE).
    Problem:
    - NHRP is causing high CPU load on the ASRs. With around 2000 spokes up and running on DMVPN the CPU is overloaded with NHRP traffic. We're talking like 60-70% load caused by the NHRP process alone!
    We're using 'ip nhrp interest' on all the spokes - and farms. We're in need of the spoke-to-spoke functionality so we are allowing the LAN segments of our customers but denying everything else.
    Solutions?
    1. Turning off all NHRP resolutions? Basically remove any direct spoke-spoke communications (denying everything on the interest list). We can't go there since a lot of our customers are in dire need of direct spoke-spoke connectivity (due to latency). Haven't tested that it will actually give the much needed scalable solution either (we're facing around 5000 spokes in the next 2-3 years).
    2. Chopping the DMVPN solution up in lesser VPN-blocks. This will administratively be a nightmare.
    3. ?
    Will really appreciate it if anyone has any input here. It's really hard finding anything about a LARGE scale phase 3 design on the web. Everything I find seems to mix stuff from small-scale phase 2 and 3 - making it a rather messy cooking recipe for a small breakfast while I need a 7 course perfect dinner.
    When will Cisco come with an updated design guide btw?
    Thanks in advance!

    Thank you for your quick reply.
    Our ASRs (rp1) are acting as BGP RR while the farm routers are setup as RR clients.
    We haven't tried connecting spokes directly to the ASRs but we have seen the same symptoms on the 7613s (sup720) and the 7200-platform.
    Earlier the 7600 had the same role the ASRs have today. We were expecting that the ASRs should be doing "a better job" in terms of CPU load but we were wrong (NHRP generated around 10% more cpu load on the ASRs in comparison).
    We concluded that the ASRs have a less optimized OS (coding) being rather new and all. Further we're not all happy about the stability of the platform (clear ip nhrp or taking a shutdown on the tunnel in the current situation will crash the router. 15.1(2)S1 and 15.1(3)S0a adv ip services). Haven't made a TAC case of it yet but will (has to be a bug as I see it since the 7200/7600 is handling this just fine).
    Due to what I mentioned above I don't dare to debug the problem in production time and have to wait until the next scheduled maintenance window for some decent debug output (24. Oct).
    We've contacted Cisco AS for assistance since it's hard to find local consultants (Norway) with enough knowledge of such scenario.
    I just hope it's a config issue and not a design issue, but we're willing to do whatever it takes for this to scale to the thousands.

  • DMVPN Issues - IPsec packets

    Hi All,
    I am currently trying to configure DMVPN for the first time. I have been following the Cisco config guide and googling a few other bits, however I seem to have hit a brick wall.
    The setup is in a lab environment so I can post up as much info as required, but here are the important bits:
    I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "wan" ports together. The routing is working fine, I can ping each router from each other router.
    A few snippets from the hub router config:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 10000
     ip address 172.17.100.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map multicast dynamic
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description HQ WAN
     ip address 1.1.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    And here's the config on the first spoke router:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 3000
     ip address 172.17.100.10 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map 172.17.100.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip nhrp nhs 172.17.100.1
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description Site 1 WAN
     ip address 11.11.11.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    If I shut/no shut the tunnel0 interface on spoke 1, I get the following error on the hub router:
    Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
    So I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
    The following are outputs from the spoke router:
    RTR_SITE1#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
     -------------- Interface Tunnel0 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
       Source addr: 11.11.11.1, Dest addr: MGRE
      Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
    Tunnel VRF "", ip vrf forwarding ""
    NHRP Details: NHS:       172.17.100.1  E
    Type:Spoke, NBMA Peers:1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1         1.1.1.1    172.17.100.1   IKE    never S       172.17.100.1/32
     Interface: Tunnel0
    Session: [0x48E31B98]
      Crypto Session Status: DOWN
      fvrf: (none),   IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
            Active SAs: 0, origin: crypto map
       Outbound SPI : 0x       0, transform :
        Socket State: Closed
    Pending DMVPN Sessions:
    RTR_SITE1#sh ip nhrp detail
    172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
      Type: static, Flags: used
      NBMA address: 1.1.1.1
    RTR_SITE1#sh crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 46, #recv errors 0
         local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    All of these commands show up as blank when I run them on the hub router.
    Any help appreciated.
    Thanks

    Thanks for the help
    I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
    I am using NAT, g0/1 on the routers is the LAN interface with a different 10.x.x.x/24 on each router.
    The isakmp policy solved my issue, fixed the MTU as well.
    What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers but not the LAN interfaces.
    Thanks
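
A configuration check for the symptom in this thread, added here as an example (not the poster's or Cisco's tooling): it audits IOS config text for an IPsec-protected tunnel that has no explicit `crypto isakmp policy`, uses legacy transforms, or sets `ip mtu` to the full 1500 bytes. `SPOKE_CONFIG` is constructed from the spoke configuration quoted above; `HARDENED_CONFIG`, its placeholder key and `group 14` are assumptions for contrast, not what the poster applied.

```python
"""Audit IOS config text for DMVPN tunnel-protection prerequisites."""
import re

# Transforms treated as legacy by this check (DES/3DES ciphers, MD5 HMACs).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Constructed from the spoke configuration quoted in the thread.
SPOKE_CONFIG = """\
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
interface Tunnel0
 ip address 172.17.100.10 255.255.255.0
 ip mtu 1500
 ip nhrp authentication secretid
 ip nhrp map 172.17.100.1 1.1.1.1
 ip nhrp network-id 101
 ip nhrp nhs 172.17.100.1
 ip tcp adjust-mss 1460
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10101
 tunnel protection ipsec profile DMVPN_PRJ
!
"""

# Constructed counterpart (assumption): explicit IKE policy, AES/SHA transforms,
# and a tunnel MTU that leaves room for GRE and ESP overhead.
HARDENED_CONFIG = (
    "crypto isakmp policy 10\n"
    " encr aes 256\n"
    " authentication pre-share\n"
    " group 14\n"
    "crypto isakmp key PLACEHOLDER_PSK address 1.1.1.1\n"
    + SPOKE_CONFIG.replace("esp-3des esp-md5-hmac", "esp-aes 256 esp-sha-hmac")
                  .replace("ip mtu 1500", "ip mtu 1400")
                  .replace("adjust-mss 1460", "adjust-mss 1360")
)


def parse_sections(config):
    """Return [(top-level line, [indented sub-commands])] from IOS config text."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(config):
    """Return sorted (interface, finding) pairs for IPsec-protected tunnels."""
    transform_sets, profiles, tunnels = {}, {}, []
    has_isakmp_policy = False
    for head, body in parse_sections(config):
        w = head.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            transform_sets[w[3]] = w[4:]
        elif w[:3] == ["crypto", "ipsec", "profile"] and len(w) > 3:
            sets = [b.split()[2] for b in body if b.startswith("set transform-set ")]
            profiles[w[3]] = sets[0] if sets else None
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            has_isakmp_policy = True
        elif w[0] == "interface" and len(w) > 1 and w[1].lower().startswith("tunnel"):
            tunnels.append((w[1], body))

    findings = set()
    for ifname, body in tunnels:
        protect = [b.split()[4] for b in body
                   if b.startswith("tunnel protection ipsec profile ")]
        if not protect:
            continue  # no tunnel protection: nothing IPsec-related to check
        profile = protect[0]
        if profile not in profiles:
            findings.add((ifname, "undefined-ipsec-profile"))
        if not has_isakmp_policy:
            findings.add((ifname, "no-isakmp-policy"))
        for transform in transform_sets.get(profiles.get(profile), []):
            if transform in WEAK_TRANSFORMS:
                findings.add((ifname, "weak-transform:" + transform))
        for b in body:
            m = re.fullmatch(r"ip mtu (\d+)", b)
            if m and int(m.group(1)) >= 1500:
                findings.add((ifname, "ip-mtu-leaves-no-room-for-gre-esp"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("as posted", SPOKE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```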

  • DMVPN Issue

    Hello,
    I am getting packet loss if I ping the tunnel interface IP address, and when I remove the IPSEC profile, I don't get packet loss. The tunnel is configured as a DMVPN SPOKE.
    ==============
    sh run int tu2
    Building configuration...
    Current configuration : 561 bytes
    interface Tunnel2
     bandwidth 6000
     ip address 11.242.81.94 255.255.240.0  >>>>>>>>>>>>>>>>>> get packet loss if I ping this IP
     no ip redirects
     ip mtu 1400
     ip flow egress
     ip nhrp authentication silver
     ip nhrp map multicast dynamic
     ip nhrp map multicast X.X.X.X
     ip nhrp map 11.242.X.X X.X.X.X
     ip nhrp map multicast X.X.X.X
     ip nhrp map 11.242.X.X X.X.X.X
     ip nhrp network-id 60436
     ip nhrp holdtime 600
     ip nhrp nhs 11.242.X.X
     ip nhrp nhs 11.242.X.X
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN shared  >>>>>>>>>>>>>>>>>>>>>>> IPSEC Profile
    end

    Hello,
    See below similar thread.
    https://supportforums.cisco.com/discussion/11192611/packet-loss-dmvpn-tunnel-not-across-wan
    HTH.
    Please rate helpful post.

  • DMVPN Default Gateway issue

    Hi,
    I may be a million miles off, but I'm trying to route all traffic at our spoke sites through to our hub site and subsequently through a firewall etc., so I obviously need the gateway to change when a DMVPN is established. I am considering using policy based routing to pick up internal traffic and change the next hop to the hub site. However, how will this affect the spoke to spoke routing of the DMVPN? Will NHRP take precedence over the PBR to ensure that spoke to spoke communication happens directly?
    thanks

    Just to follow up, here's a sample configuration of what I'm talking about for the spoke.
    ip vrf VRF_LAN
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key {pre-shared-key} address 0.0.0.0 0.0.0.0 no-xauth
    crypto ipsec transform-set IPSec_TS_AES256SHA1ESP_T esp-aes 256 esp-sha-hmac
     mode transport
    crypto ipsec profile IPSec_Profile_VPN
     set transform-set IPSec_TS_AES256SHA1ESP_T
    interface Tunnel0
     ip vrf forwarding VRF_LAN
     ip address 172.31.255.10 255.255.255.0
     ip nhrp authentication 31240
     ip nhrp map 172.31.255.1 x.x.x.x
     ip nhrp map multicast x.x.x.x
     ip nhrp network-id 31240
     ip nhrp holdtime 600
     ip nhrp nhs 172.31.255.1
     ip nhrp shortcut
     ip nhrp redirect
     cdp enable
     tunnel source FastEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile IPSec_Profile_VPN
    interface FastEthernet0/0
     ip vrf forwarding VRF_LAN
     ip address 172.31.128.1 255.255.255.0
    interface FastEthernet0/1
     ip address dhcp
    router eigrp 1
     passive-interface default
     no passive-interface Tunnel0
     no auto-summary
     address-family ipv4 vrf VRF_LAN
      network 172.31.128.1 0.0.0.0
      network 172.31.255.10 0.0.0.0
      no auto-summary
      autonomous-system 1
      eigrp router-id 172.31.255.10
      eigrp stub connected summary
     exit-address-family
    As you can see, this works almost identically to a standard DMVPN setup, except that the tunnel interface, the LAN (FastEthernet0/0) interface and EIGRP processes all run in the VRF_LAN virtual routing and forwarding instance.
    The primary routing table gets its default route from DHCP in this case, though it could just as easily be static. The VRF, on the other hand, gets a default route from the DMVPN hub and shortcut switches for spoke-to-spoke communications. At no point does the default route in the global routing table factor into the DMVPN network's routing table or vice versa, eliminating the need for PBR entirely.

  • DMVPN split tunnling issue, not able to by pass http traffic at spoke end.

    Dear all,
    I would appreciate your help in resolving the following issue.
    I have been using a DMVPN setup (routing protocol EIGRP) for 20 sites with no issue at all, and everything is working perfectly.
    Now I received a request to split corporate legitimate traffic and internet traffic at the spoke end, so all internet traffic has to be forwarded via the local ADSL connection. I tried to resolve it, but the spoke router is continuously forwarding all traffic to the tunnel.
    Moreover, I found on the internet that DMVPN has a limitation that split tunneling is not possible.
    Can you please suggest how I can forward internet traffic (HTTP) via the local ADSL connection?
    thanks and regards,

    I agree with Marcin.
    At the spoke you would need to add a static default route for the internet traffic. You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric. Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN you could leave the EIGRP default route and use it as a backup in case the ADSL goes down. But if they are both located off the same interface then there is no point in keeping the injected default route.
    Please remember to rate and select a correct answer

  • DMVPN and %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel0: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) Error

      %DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel0: NHRP Encap Error for  Resolution Request , Reason:  protocol generic error (7)
    I had pre-allocated tunnel IPs to remote spokes; some of them were implemented and put into production. Some of them got the config but the tunnel interfaces were left shut.
    It's because of this that the DMVPN HUB keeps getting NHRP requests from one of the inactive spokes. Following is the sh ip nhrp extract:
    10.x.x22/32
       Tunnel0 created 00:02:58, expire 00:00:06
       Type: incomplete, Flags: negative
       Cache hits: 7
    I just can't seem to find the spoke WAN IP to identify it. I tried debugs but just can't get it.
    From HUB:-
    Nov 30 10:36:31: %DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel0: NHRP Encap Error for  Resolution Request , Reason:  protocol generic error (7) on (Tunnel: 10.x.x.1 NBMA: 20.x.x.x)
    Nov 30 10:36:32: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 86
    Nov 30 10:36:32:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    Nov 30 10:36:32:      shtl: 4(NSAP), sstl: 0(NSAP)
    Nov 30 10:36:32:      pktsz: 86 extoff: 52
    Nov 30 10:36:32:  (M) flags: "router auth src-stable nat ", reqid: 46113
    Nov 30 10:36:32:      src NBMA: 20.x.x.x.
    Nov 30 10:36:32:      src protocol: 10.x.x.1, dst protocol: 10.x.x.22
    Nov 30 10:36:32:  (C-1) code: no error(0)
    Nov 30 10:36:32:        prefix: 32, mtu: 17912, hd_time: 360
    Nov 30 10:36:32:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    Nov 30 10:36:31: %DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel0: NHRP Encap Error for  Resolution Request , Reason:  protocol generic error (7) on (Tunnel: 10.x.x.1 NBMA: 20.x.x.x)
    So my question is, how do I find out the spoke WAN IP, so I can do something about it? For now, it's just filling up my logs on the HUB router... not good ;-))

    Hello Marcin,
    If tunnel interface is shut no NHRP activity should be going, on top, in debugs you point the hub is sending resolution request, not receiving it.
    Agree, I expected the same, but unfortunately this is not the case. The spoke does send out NHRP requests even with the Tunnel status as admin shut.
    If your hub does not have NHS, it will not know where to send it's resolution request.
    I am still on DMVPN Phase 1, so spokes don't talk to other spokes yet.
    Are you positive that there is nothing that is sending packets towards 10.x.x.22 on hub side (sniffer trace of classifying ACL on "LAN")?
    Other than a spoke, it can't be anything, as the subnet is dedicated to tunnel interfaces.
    If you know it's not a misconfig and there is no traffic on hub side initiated to 10.x.x.22, try removing and adding full tunnel configuration. i.e. we want to make sure that crypto socket gets closed and restarted.
    I can do this over the weekend, but I am sure this is not going to fix the problem, the reason being that the HUB was set up before anything else and then we started migrating spokes from primary legacy GRE tunnels to the DMVPN tunnel as primary and legacy as a backup.
    Guess I am still looking for the answer... Is there a WAN ACL that I can use to filter the successfully migrated spokes and log the deny message, as in to know what remote WAN IP carries along the tunnel IP of .22, or any other debug??

  • DMVPN Phase 3 ip nhrp short / ip nhrp redirect missing

    Dear All, we are trying to setup DMVPN Phase 3 and need to enter the commands ip nhrp shortcut and ip nhrp redirect which is not possible on Cisco 1841 routers - IOS version advipservicesk9-mz.124-25f.bin
    On a cisco 1812 c181x-advipservicesk9-mz.124-24.T4.bin we can enter the commands.
    Output commands 1841:
    Router 1(config-if)#ip nhrp ?
      authentication  Authentication string
      holdtime        Advertised holdtime
      interest        Specify an access list
      map             Map dest IP addresses to NBMA addresses
      max-send        Rate limit NHRP traffic
      network-id      NBMA network identifier
      nhs             Specify a next hop server
      record          Allow NHRP record option
      registration    Settings for registration packets.
      responder       Responder interface
      server-only     Disable NHRP requests
      trigger-svc     Create NHRP cut-through based on traffic load
      use             Specify usage count for sending requests
    Output commands 1812:
    Router 2(config-if)#ip nhrp ?
      authentication  Authentication string
      cache           NHRP Cache related commands.
      group           NHRP group name
      holdtime        Advertised holdtime
      interest        Specify an access list
      map             Map dest IP addresses to NBMA addresses
      max-send        Rate limit NHRP traffic
      network-id      NBMA network identifier
      nhs             Specify a next hop server
      record          Allow NHRP record option
      redirect        Enable NHRP redirect traffic indication
      registration    Settings for registration packets.
      responder       Responder interface
      server-only     Disable NHRP requests
      shortcut        Enable shortcut switching
      trigger-svc     Create NHRP cut-through based on traffic load
      use             Specify usage count for sending requests
    This is the information I found on the Cisco web page: "In Cisco IOS Software Release 12.4(6)T, DMVPN Phase 3 was introduced". Now I am wondering which software I shall use for the Cisco 1841 as we already use a higher version: advipservicesk9-mz.124-25f.bin
    I appreciate your help
    Thank you
    Nikola

    Nikola,
    Let's start with this:
    http://en.wikipedia.org/wiki/Cisco_IOS#Versioning
    Then what you need to understand is that the T train is where we put all the new features. Mainline is the one we rebuild with usually no big changes, i.e. the main focus is stability with fewer features.
    That being said, 12.4(25) might have a higher number than 12.4(24)T, but it will not contain some features.
    Marcin
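
The train distinction from the reply above, applied to the two image names in this thread. This is an added example, not part of the original posts and not Cisco code: the file-name pattern covers only 12.x names of the shape shown here, the function names are hypothetical, and the rule that a feature introduced in 12.4(6)T appears only in 12.4 T-train releases at or after (6) is the simplification the reply describes.

```python
import re

# Version field of an IOS 12.x image file name (assumed layout):
#   <feature-set>-mz.<MMm>-<maint>[rebuild letter][.<TRAIN><rebuild no.>].bin
IMAGE_RE = re.compile(
    r"\.(?P<major>\d\d)(?P<minor>\d)-(?P<maint>\d+)(?P<letter>[a-z]?)"
    r"(?:\.(?P<train>[A-Z]+)(?P<num>\d*))?\.bin$"
)

def parse_image(name):
    """Split an image file name into release, maintenance number and train."""
    m = IMAGE_RE.search(name)
    if m is None:
        raise ValueError(f"unrecognised image name: {name!r}")
    return {
        "release": (int(m["major"]), int(m["minor"])),
        "maint": int(m["maint"]),
        "letter": m["letter"],          # mainline rebuild letter, e.g. "f"
        "train": m["train"] or "",      # "" means mainline
        "num": m["num"] or "",          # train rebuild number, e.g. "4"
    }

def pretty(v):
    """Render the parsed version the way IOS prints it, e.g. 12.4(24)T4."""
    major, minor = v["release"]
    return f"{major}.{minor}({v['maint']}{v['letter']}){v['train']}{v['num']}"

def has_t_feature(name, introduced=((12, 4), 6)):
    """True if the image is a T-train release at or after the introducing one."""
    v = parse_image(name)
    release, maint = introduced
    if v["release"] != release:
        raise ValueError("comparison only defined within one major release")
    if v["train"] not in ("", "T"):
        raise ValueError(f"train {v['train']!r} not covered by this check")
    # A higher mainline maintenance number never implies a T-train feature.
    return v["train"] == "T" and v["maint"] >= maint

if __name__ == "__main__":
    for image in ("advipservicesk9-mz.124-25f.bin",
                  "c181x-advipservicesk9-mz.124-24.T4.bin"):
        print(pretty(parse_image(image)), "DMVPN Phase 3:", has_t_feature(image))
```
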

  • DMVPN Issues:

    Hello All
    I have a strange occurrence where a 2800 series router had to be rebooted, as the DMVPN session through it went down and the router had to be rebooted in order to restore the VPN session. Initially, I thought this was due to an IOS issue.
    Then another router, this time a 2900 series router, had the same problem and again needed a reboot to restore the DMVPN tunnel.
    Has anybody faced this before and can provide some insight / advice on this?
    Please let me know if you need any information on this
    Many Thanks in advance.

    Hi,
    Were you able to capture the syslogs?
    Was this on a spoke or hub router?
