DMVPN - Spoke to Spoke tunnel

Similar Messages

• DMVPN: Too many spoke to spoke tunnels created!

  Hi all,
  We have a customer wiht a DMVPN network phase 2. There are around 40 spokes. What I can see on all the spokes is between 10 and 15 IPsec spoke to spoke tunnels which is really strange as most of the spoke locations should only have between 1 to 4 spoke to spoke tunnels maximum.
  My question is what could cause the spoke routers to create an IPsec spoke to spoke tunnel? Some weired applications?
  IOS version: 12.4(15)T11 Platform: Cisco 1812.
  Best regards,
  Laurent

  Hi,
  But there may be an apllication that trigger this Spoke to spoke tunnels?
  I cannot in the inspect sessions the IP of the destination spokes. So it looks it is a quick trigger, then inspect session time ud og IPsec SAs stayded for the defaut life time.
  Regards,
  Laurent

• DMVPN - Spoke to spoke direct tunnel

  For some reason, my spoke to spoke tunnel doesn't stay up when my hub goes down. Not sure what I am missing. Please help!!
  Hub:
  interface Tunnel0
   ip address 172.16.1.1 255.255.255.0
   no ip redirects
   no ip next-hop-self eigrp 10
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp network-id 1
   no ip split-horizon
   ip summary-address eigrp 10 10.1.0.0 255.255.0.0
   tunnel source 1.1.1.1
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end
  spoke 1: 
  interface Tunnel0
   ip address 172.16.1.7 255.255.255.0
   no ip redirects
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp map 172.16.1.1 1.1.1
   ip nhrp map multicast 1.1.1.1
   ip nhrp network-id 1
   ip nhrp nhs 172.16.1.1
   ip summary-address eigrp 10 10.7.0.0 255.255.0.0
   tunnel source GigabitEthernet0/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end
  Spoke 2:
  interface Tunnel0
   ip address 172.16.1.6 255.255.255.0
   no ip redirects
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp map 172.16.1.1 1.1.1.1
   ip nhrp map multicast 1.1.1.1
   ip nhrp network-id 1
   ip nhrp nhs 172.16.1.1
   ip summary-address eigrp 10 10.6.0.0 255.255.0.0
   tunnel source GigabitEthernet0/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end

  For some reason, my spoke to spoke tunnel doesn't stay up when my hub goes down. Not sure what I am missing. Please help!!
  Hub:
  interface Tunnel0
   ip address 172.16.1.1 255.255.255.0
   no ip redirects
   no ip next-hop-self eigrp 10
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp network-id 1
   no ip split-horizon
   ip summary-address eigrp 10 10.1.0.0 255.255.0.0
   tunnel source 1.1.1.1
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end
  spoke 1: 
  interface Tunnel0
   ip address 172.16.1.7 255.255.255.0
   no ip redirects
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp map 172.16.1.1 1.1.1
   ip nhrp map multicast 1.1.1.1
   ip nhrp network-id 1
   ip nhrp nhs 172.16.1.1
   ip summary-address eigrp 10 10.7.0.0 255.255.0.0
   tunnel source GigabitEthernet0/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end
  Spoke 2:
  interface Tunnel0
   ip address 172.16.1.6 255.255.255.0
   no ip redirects
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp map 172.16.1.1 1.1.1.1
   ip nhrp map multicast 1.1.1.1
   ip nhrp network-id 1
   ip nhrp nhs 172.16.1.1
   ip summary-address eigrp 10 10.6.0.0 255.255.0.0
   tunnel source GigabitEthernet0/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end

• DMVPN Hub and Spoke behind NAT device

  Hi All,
  I have seen many documents stating about DMVPN Hub behind NAT or DMVPN Spoke behind NAT.
  But My case i involve in both situation.
  1) HUB have a Load Balancer (2 WAN Link) ISP A & B
  2) Spoke have Load Balancer (2 WAN Link) ISP A & B
  Now the requirement is Spoke ISP A Tunnel to HUB ISP A.  Spoke ISP B tunnel to HUB ISP B
  So total of two DMVPN tunnel from spoke to hub, and i will use EIGRP and PBR to select path.
  As I know at HUB site, LB must do Static NAT for HUB router IP, so spoke will point to it as tunnel destination address. At spoke LB, i will do policy route to reach HUB ISP A IP via Spoke ISP A link, HUB ISP B IP via Spoke ISP B link.
  HUB and Spoke have to create 2 tunnel with two different network ID but using same source interface.
  The Tunnel destination IP at spoke router is not directly belongs to HUB router. Its hold by HUB LB , and forwarded to HUB router by Static NAT.
  Any problem will face with this setup? Any guide?
  Sample config at HUB.
  interface Tunnel0
  bandwidth 1000
  ip address 172.16.1.1 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map multicast dynamic
  ip nhrp network-id 1
  ip nhrp holdtime 600
  delay 1000
  tunnel source FastEthernet0/0
  tunnel mode gre multipoint
  tunnel key 0
  tunnel protection ipsec profile cisco
  interface Tunnel1
  bandwidth 1000
  ip address 172.17.1.1 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map multicast dynamic
  ip nhrp network-id 2
  ip nhrp holdtime 600
  delay 1000
  tunnel source FastEthernet0/0
  tunnel mode gre multipoint
  tunnel key 1
  tunnel protection ipsec profile cisco
  Spoke Config
  interface Tunnel0
  bandwidth 1000
  ip address 172.16.1.2 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map 172.16.1.1 199.1.1.1
  ip nhrp network-id 1
  ip nhrp holdtime 300
  ip nhrp nhs 172.16.1.1
  delay 1000
  tunnel source FastEthernet0/0
  tunnel destination 199.1.1.1
  tunnel key 0
  tunnel protection ipsec profile cisco
  interface Tunnel1
  bandwidth 1000
  ip address 172.17.1.2 255.255.255.0
  ip mtu 1440
  ip nhrp authentication cisco123
  ip nhrp map 172.17.1.1 200.1.1.1
  ip nhrp network-id 2
  ip nhrp holdtime 300
  ip nhrp nhs 172.17.1.1
  delay 1500
  tunnel source FastEthernet0/0
  tunnel destination 200.1.1.1
  tunnel key 1
  tunnel protection ipsec profile cisco

  Hi Marcin,
  thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
  About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, i did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that, did not work and it has to with NAT and AH. Traffic was no longer NATed so the hub, saw the traffic come from 2.2.2.2 rather than 3.3.3.3, you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and i started troubleshooting it. I did not understand that AH can't be NATed, Below  is TAC's explanation. All is good now. Thanks
  .  Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum.  Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
  Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check.  In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."

• DMVPN spoke to spoke not established

  In the topology attached I am advertising tunnel ip and loopbacks for the specific hub and spokes in their eigrp , there is connectivity between all but still Eigrp routes are not coming and its flapping.ISAKMP is on , tunnel is also up.I am also attaching hub and spoke configs and topology  for your reference.
  This is the error message:
  7:09.791: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
  *Mar  1 00:57:11.351: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.12.1, prot=50, spi=0x77DF7896(2011134102), srcaddr        in use settings ={Transport, }
          conn id: 29, flow_id: SW:29, crypto map: Tunnel0-head-0
          sa timing: remaining key lifetime (k/sec): (4405256/3495)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
  *Mar  1 00:57:21.895: YPTO-6-PRINTABORT: deletion caused early termination of show output for identity
  R1#
  *Mar  1 00:09:49.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
  *Mar  1 00:09:50.051: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency
  *Mar  1 00:11:00.311: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
  *Mar  1 00:11:00.775: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is up: new adjacency
  *Mar  1 00:11:09.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
  *Mar  1 00:11:11.551: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency

  For some reason, my spoke to spoke tunnel doesn't stay up when my hub goes down. Not sure what I am missing. Please help!!
  Hub:
  interface Tunnel0
   ip address 172.16.1.1 255.255.255.0
   no ip redirects
   no ip next-hop-self eigrp 10
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp network-id 1
   no ip split-horizon
   ip summary-address eigrp 10 10.1.0.0 255.255.0.0
   tunnel source 1.1.1.1
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end
  spoke 1: 
  interface Tunnel0
   ip address 172.16.1.7 255.255.255.0
   no ip redirects
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp map 172.16.1.1 1.1.1
   ip nhrp map multicast 1.1.1.1
   ip nhrp network-id 1
   ip nhrp nhs 172.16.1.1
   ip summary-address eigrp 10 10.7.0.0 255.255.0.0
   tunnel source GigabitEthernet0/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end
  Spoke 2:
  interface Tunnel0
   ip address 172.16.1.6 255.255.255.0
   no ip redirects
   no ip split-horizon eigrp 10
   ip nhrp authentication _GW_
   ip nhrp map multicast dynamic
   ip nhrp map 172.16.1.1 1.1.1.1
   ip nhrp map multicast 1.1.1.1
   ip nhrp network-id 1
   ip nhrp nhs 172.16.1.1
   ip summary-address eigrp 10 10.6.0.0 255.255.0.0
   tunnel source GigabitEthernet0/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile dmvpn
  end

• DMVPN security per spoke

  Hello,
  I currently have a DMVPN configuration with an isakmp key that is used for all spokes.  Is there a way to create a key per spoke or another method of configuring security per spoke so if someone leaves the company I can remove config from the HUB and they can no longer connect?
  Thank you,
  Scott

  If your spokes have dynamic IP addresses, you are out of luck with PSKs. In these scenarios, using certificates is the way to go. If your spokes have fixed IPs, you can configure the PSKs individually, but you lose spoke-to-spoke communication.

• DMVPN spoke to spoke connection

  Hi Everyone,
  Need to confirm on DMVPN say  if R1 is hub and R2 and R3 are spoke.
  IF R2 need to talk to R3 it will use NHRP and will go to R3 via  R1 ?
  Is there any way that R2 can talk to R3 directly using NHRP?
  Regards
  MAhesh

  You mix some functionalities here:
  NHRP is used in DMVPN to register the spokes on the hub and give them the possibility to ask the hub for actual spoke-addresses. With that, NHRP is always between the spokes and the hub. just see this as control-traffic. There is no need to takl spoke-to-spoke here.
  When the spoke is aware of the public IP of a different spoke it want's to talk to, then the IPSec-connection is buid directly between the spokes.
  Sent from Cisco Technical Support iPad App

• Dmvpn - all traffic via tunnel ?

  Q: I have a dmvpn to a spoke connected via dsl.
  presently I have route 0.0.0.0 0.0.0.0 via pppoe (dslam) This allows me to find the home end of the tunnel and bring the tunnel up.
  How do I tell the spoke router to route all traffic via the tunnel?
  I have eigrp up at the spoke and have advertised 20 or so networks, but i need to provide internet access via this tunnel.
  Thanks

  I think in this case you can use "vrf"
  Just allocate all interfaces into VRF except one which is attached to the internet.

• FlexVPN Spoke to Spoke issues

  Config:
  Hub:
  interface Virtual-Template1 type tunnel
  description FlexVPN hub-to-spokes
  ip unnumbered Loopback100
  ip mtu 1400
  ip nhrp network-id 1
  ip nhrp redirect
  ip tcp adjust-mss 1360
  tunnel path-mtu-discovery
  tunnel protection ipsec profile default
  Spokes:
  interface Tunnel0
  description FlexVPN tunnel
  ip address negotiated
  ip mtu 1400
  ip nhrp network-id 1
  ip nhrp shortcut virtual-template 1
  ip nhrp redirect
  ip tcp adjust-mss 1360
  delay 1000
  tunnel source Vlan1
  tunnel destination x.x.x.x
  tunnel path-mtu-discovery
  tunnel protection ipsec profile default
  interface Virtual-Template1 type tunnel
  description FlexVPN spoke-to-spoke
  ip unnumbered Loopback101
  ip nhrp network-id 1
  ip nhrp shortcut virtual-template 1
  ip nhrp redirect
  tunnel protection ipsec profile default
  Hub-Spoke works perfectly. 
  When pinging from a spoke to another spoke's LAN IP, the router misses one ping, returns 1 or two, then missing all other pings until the next reload (clear crypto session does not reset fully).  The spoke used to ping will bring up a Virtual Access interface, and then immediately bing up a second Virtual Access interface, then show an invalid SPI is shown (authentication is identical).
  Unfortunately, the issue is not always consistent.  Sometimes, after a reload on all routers, one router will retain the ability to ping, other times no routers can ping.  Here is an example:
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
  Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x,
  prot=50, spi=0xE4981ED6(3835174614), srcaddr=x.x.x.x, input interface=Dialer0...
  Success rate is 40 percent (2/5), round-trip min/avg/max = 96/100/104 ms
  Thanks for any help

  John,
  The error means that no matching SPI was found for inbound encrypted traffic on that ingress interface.
  Is that your interface towards ISP? If so and the SPI actually exists in your SADB but somehow is not associated properly.
  When/if opening a case please attach:
  - show crypto ipsec sa
  - show crypto map
  (taken ideally before and after trying to do spoke-to-spoke tunnel)
  I found reference to a similar problem in our archive, but customer become unresponsive after a while and no resolution was provided.
  One thing you CAN try is to go to 15.2.4M-latest. And see if the problem persists.
  M.

• Running DMVPN Hub and Spoke on same router?

  My client has a project in which traffic flow is hierarchial in nature.  Using DMVPNs, the design is for a "center" router to be a DMVPN spoke to the cloud above it, and a DMVPN Hub to the cloud below it.  I have tried to lab this up, but no success.  I initially build the center router as a DMVPN spoke to teh upper cloud and all is well.  As soon as I had the second tunnel config (as the DMVPN hub to the lower cloud), the first tunnel goes down and my EIGRP flaps.  Im running EIGRP across the DMVPN tunnels.  The two DMVPN clouds are using different network IDs and are running separate EIGRP routing instances.
  I can post configs if desired - just wanted to see if anyone is doing this or knows whether it is possible. 
  Jeff          

  Hi,
  I know it is possible using two DMVPN clouds, but it seems that you need DMVPN phase 3 in this situation. This is suitable for the hierarchical model you want. Take a look at the following link
  http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
  Hope this helps.

• IPv6 WAN Adresses on DMVPN Hubs and Spokes

  Hi,
  I have one question about IPv6 and DMVPN. Let's assume we have a DMVPN Hub Site running IPv6 IP addresses on the WAN Interfaces and Spoke Sites running either IPv4 or IPv6 IP adresses on their WAN Interfaces.
  In IPv4 only Networks, the Tunnel Konfiguration looked like that:
  interface Tunnel 1
  <...>
  ip nhrp map multicast <IPv4 NMBA>
  ip nhrp map 10.0.10.1 <IPv4 NMBA>
  There are IPv6 nhrp commands as well, but they can only map an IPv6 Address to an IPv4 NMBA:
  interface Tunnel1
  <...>
  ipv6 nhrp map multicast <IPv4 NMBA>
  ipv6 nhrp map <IPv6 Tunnel Adress> <IPv4 NMBA>
  I'm wondering how you would configure DMVPN for a network using IPv6 on their WAN Interfaces ??
  Best regards,
  Thomas

  Thomas,
  VTI1(config-if)#ip nhrp map 1.2.3.4 ?  A.B.C.D     IP NBMA address  A.B.C.D     IP mask of destination  X:X:X:X::X  IPv6 NBMA address
  and
  VTI1(config-if)#ipv6 nhrp map 2001:db8::1/128 ?  A.B.C.D     IPv4 NBMA address  X:X:X:X::X  IPv6 NBMA address
  I _seem_to_remember_ this was added in 15.2T  but can't find it back.
  M.

• DMVPN Phase 3 dual cloud Spoke-to-Spoke communication

  Hello,
  I'd like to confirm/verify if Phase 3 allows Spokes in different DMVPN domains to communicate directly or is traffic from Spoke-DMVPN-A routed across the Hubs to Spoke-DMVPN-B? Any authoritative documentation on CCO on this specific scenario is greatly appreciated.
  Thanks.
  -Mike

  Mike, 
  I might be off, not working with VPNs for a year now, but here goes. 
  It really depends on what is a domain for you. Remember that NHRP network ID is locally significant.
  Ultimately same network ID allows NHRP resolution requests to jump between different tunnels. 
  If network ID is different then the "domain" is different and NHRP should not flow between. 
  For the rest it's all based on routing, it's just a question of making conscious design choices before deploying and a bit of testing. 
  M.

• DMVPN with 270 spokes

  Hi
  We have a DMVPN network with about 270 spokes (831) and 2 hubs (3825). We run EIGRP in all branch of the network.
  We had experience many problems so far, but one of them seems to be related with the amount of traffic that is generated when some of our hub went down for about 15 to 30 seconds. All of our spokes start blinking on EIGRP but our VPN still up. Here is some of our messages that we have on Hub side (peer goodbye receive, stuck in active, hold timer expire). Our EIGRP timer are 5/15 but we tried 60/180, but we had the same issue.
  We have a fiber 5Mb on one hub and the other hub have 10Mb fiber link.
  Does anyone heard someting about that ?
  Thank your very much for your help.

  This problem may happen because of various reasons like one of the neighbors reseting the other due to routes stuck in active, some router reporting a k-value mismatch, etc. Following links may help you
  http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800949ab.shtml
  http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093feb.shtml

• Spoke-to-spoke limitations in DMVPN

  Hi,
  I would like to know if there's a way to mix point-to-point spokes and multipoint spokes in one DMVPN cloud.
  We would have 1 HUB, several spokes who only need to talk with the hub, and some spokes who may need to talk to other spokes. All spokes would be configured as multipoint. Is there a way to limit the multipoint spokes to make connections to the "point-to-point" spokes ?
  thx
  elke

  Yes, you can do it by removing related ACL for the concern spokes
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

• FlexVPN Spoke-to-Spoke Routing Override Loop

  I have a Spoke Router, this Router hat a Routing to inside192.168.1.0 255.255.255.0 next hop is 10.1.1.1(10.1.1.0/29 is the tranfer network):
  ip route 192.168.1.0 255.255.255.0 10.1.1.1
  After active the FlexVPN i get the Routing override, then the routing is 192.168.1.0 255.255.255.0 tunnel0 in the Soke-Router. I lost the right routing, and i get the loop from Center to 192.168.1.0.
  How can i let the Spoke Router to ignore the Routing from himself from Center?

  One was would be to increase distance of routes received from hub. 
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r2.html#wp1846954161