DMVPN
Hi, I am setting up an MPLS network for a customer with over 500 sites. There will be two core data centres and the others will be spokes/remote sites. The customer does not trust the MPLS core and so wants an additional layer of IPsec security.
I have come up with what seems the best solution as being DMVPN (Dynamic Multipoint VPN). However, it only supports OSPF and EIGRP, and we are running BGP with the ISP at PE level.
Do you know of a workaround for how DMVPNs can work with BGP?
Regards.
I think DMVPNs can work with BGP; however, there are practical limitations to this. For example, if you have 300 spokes all configured in the same AS, they will need separate peerings with one another. This will require n(n-1)/2 peerings = 44850 separate TCP sessions configured. Using DMVPN, BGP will not dynamically create TCP sessions between the spokes. You will still need to apply this configuration manually for each spoke. Configuring full-mesh peerings between all your spoke routers effectively eliminates the original benefits offered by DMVPN, as the amount of configuration and maintenance required does not make it a scalable option. For this reason, EIGRP is the recommended protocol to be used with DMVPN.
Similar Messages
DMVPN - Why does the received packet use UDP port 500 instead of 4500?
Hello everyone
I have a problem with my DMVPN. The spoke is behind a NAT device. x.x.x.x is the public IP address which the hub uses. I don't know why it discovered that the hub is also inside a NAT device. And after it sends a packet using port 4500, the received packet from the hub was not using port 4500 but 500. I'm confused now. Any advice would be much appreciated.
*Sep 10 08:56:02 UTC: ISAKMP:(0): beginning Main Mode exchange
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching
*Sep 10 08:56:02 UTC: ISAKMP:(0): local preshared key found
*Sep 10 08:56:02 UTC: ISAKMP : Scanning profiles for xauth ...
*Sep 10 08:56:02 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 10 08:56:02 UTC: ISAKMP: encryption 3DES-CBC
*Sep 10 08:56:02 UTC: ISAKMP: hash MD5
*Sep 10 08:56:02 UTC: ISAKMP: default group 1
*Sep 10 08:56:02 UTC: ISAKMP: auth pre-share
*Sep 10 08:56:02 UTC: ISAKMP: life type in seconds
*Sep 10 08:56:02 UTC: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 10 08:56:02 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:life: 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 10 08:56:02 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 10 08:56:02 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is Unity
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is DPD
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): speaking to another IOS box!
*Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
*Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match - this node inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Send initial contact
*Sep 10 08:56:02 UTC: ISAKMP:(2746):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep 10 08:56:02 UTC: ISAKMP (2746): ID payload
next-payload : 8
type : 1
address : 192.168.1.101
protocol : 17
port : 0
length : 12
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Total payload length: 12
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:03 UTC: ISAKMP:(2746): retransmitting due to retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
*Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
*Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:04 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
This could be because the port 4500 packet that is being sent is not being received by the peer side, or it is ignoring that packet.
Since the port 500 packet that you are receiving is a duplicate of the previous packet, it is definitely not a reply to the port 4500 packet.
If you can get the debugs from the other end, then you could see if the peer side is receiving the UDP port 4500 packets.
If not, then this could be a UDP port 4500 block at the ISP.
Why won't my DMVPN get past ISAKMP phase 1?
I'm trying to set up a DMVPN solution with the hub behind a firewall using a static 1-to-1 NAT.
I can get the DMVPN to work fine, but once I add the IPsec policy it doesn't go past ISAKMP phase 1.
I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH; I have also put in an allow any any rule just in case I missed something! I was getting a NAT-T issue but then put in the command no crypto ipsec nat-transparency udp-encapsulation, and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.
I have tried crypto maps as I wasn't sure if it was a UDP header issue due to the NATing.
My setup is as follows:
Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382
(HUB) (FIREWALL) (SW 3750) (SPOKE)
(STATIC 1:1 NAT)
--------------HUB--------------------------
Cisco 1941 - HUB
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
version 15.2
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
!
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile TTCP_PRO
 set transform-set TTCP_SET
!
interface Tunnel12345
 description DMVPN TUNNEL
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TTCP_PRO
!
interface GigabitEthernet0/0
 description LINK TO FW ON VLAN 1960
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.20.254 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.10.254
----------------------Spoke--------------------------
Cisco 3825 - Spoke
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
version 15.1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
!
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile TTCP_PRO
 set transform-set TTCP_SET
!
interface Tunnel12345
 description DMVPN TUNNEL
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.10.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 12345
 ip nhrp nhs 10.10.10.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TTCP_PRO
!
interface GigabitEthernet0/0
 description LINK TO INTERNET
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.3
------------------------FIREWALL---------------------------
[edit]
Admin@UK_FIREWALL# show
## Last changed: 2014-07-23 19:54:53 UTC
version 10.4R6.5;
system {
    host-name FIREWALL;
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.20.254;
            }
            pool 192.168.20.0/24 {
                address-range low 192.168.20.20 high 192.168.20.250;
                default-lease-time 3600;
                propagate-settings vlan.1960;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan1960;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1960 {
            family inet {
                address 192.168.10.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
    }
}
protocols {
    stp;
}
security {
    nat {
        static {
            rule-set STATIC_NAT_RS1 {
                from zone untrust;
                rule NAT_RULE {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        static-nat prefix 192.168.10.10/32;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address SERVER-1 192.168.10.10/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1960 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy PERMIT_ALL {
                match {
                    source-address SERVER-1;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application ESP;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-ping;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy ACCESS {
                match {
                    source-address any;
                    destination-address SERVER-1;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application ESP protocol esp;
    application AH_PO_51 protocol ah;
}
vlans {
    vlan-trust {
        vlan-id 3;
    }
    vlan1960 {
        vlan-id 1960;
        interface {
            ge-0/0/7.0;
        }
        l3-interface vlan.1960;
    }
}
------------------------------DEBUG------------------------------
-----------Cisco 1941-----------------
HUB#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.10.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
UK_HUB#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
UK_HUB# debug dm al al
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
*Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
*Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:14.708: ISAKMP: attributes in transform:
*Jul 25 12:23:14.708: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:14.708: ISAKMP: SA life type in seconds
*Jul 25 12:23:14.708: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:14.708: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:14.708: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:14.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:14.708: ISAKMP: key length is 128
*Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
*Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
*Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
*Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:44.704: ISAKMP: attributes in transform:
*Jul 25 12:23:44.704: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:44.704: ISAKMP: SA life type in seconds
*Jul 25 12:23:44.704: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:44.704: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:44.704: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:44.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:44.708: ISAKMP: key length is 128
*Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
*Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
---------Cisco 3825------------------
SPOKE_1#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel12345, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 1.1.1.1 10.10.10.1 IPSEC 1d22h S
SPOKE_1#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
SPOKE_1#debug dm all all
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:23.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
*Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs dst 10.10.10.1
*Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
*Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
*Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Encapsulation succeeded. Tunnel IP addr 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
*Jul 25 12:50:34.972: src: 10.12.34.1, dst: 10.10.10.1
*Jul 25 12:50:34.972: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Jul 25 12:50:34.972: shtl: 4(NSAP), sstl: 0(NSAP)
*Jul 25 12:50:34.972: pktsz: 92 extoff: 52
*Jul 25 12:50:34.972: (M) flags: "unique nat ", reqid: 65537
*Jul 25 12:50:34.972: src NBMA: 2.2.2.2
*Jul 25 12:50:34.972: src protocol: 10.12.34.1, dst protocol: 10.10.10.1
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 7200
*Jul 25 12:50:34.972: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Jul 25 12:50:34.972: Responder Address Extension(3):
*Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
*Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
*Jul 25 12:50:34.972: NAT address Extension(9):
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 0
*Jul 25 12:50:34.972: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Jul 25 12:50:34.972: client NBMA: 1.1.1.1
*Jul 25 12:50:34.972: client protocol: 10.10.10.1
*Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
*Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
*Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:53.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
*Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
*Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Some time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.
Some comments:
You shouldn't disable NAT transparency. It should work with the default setting, which is "enabled".
The firewall only has to allow UDP/500 and UDP/4500. It will never see any other traffic between the hub and spoke.
The firewall shouldn't do any inspection etc. on the traffic to the hub.
You shouldn't use wildcard PSKs. The better solution is to use digital certificates.
You probably need some MTU/MSS settings like "ip mtu 1400" and "ip tcp adjust-mss 1360".
For running OSPF through DMVPN, make sure the hub is the DR and set the network type to broadcast.
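The hub's Phase 2 rejection in the debug above carries its own explanation in one block: the hub's address is local= 192.168.10.1, but the spoke's proposal names 1.1.1.1 (the hub's NATed address) as the hub's proxy identity, so `map_db_find_best` finds no matching entry and IOS logs "proxy identities not supported". The parser below is an added example, not code from the thread or from Cisco: it extracts the endpoints and proxy identities from such a block, checks that both identities carry protocol 47 (GRE, which is what a DMVPN tunnel-protection profile negotiates), flags the address mismatch that a NAT in the path produces (the mismatch the reply's first comment addresses by leaving NAT traversal enabled), and cross-checks the spoke's own `IPSEC(sa_request)` block to show that both sides proposed the same identities. The two sample blocks are copied from the debugs quoted above; the function names and wording of the findings are this example's own.

```python
import re
from typing import Dict

# Constructed sample: the Phase 2 proposal block copied from the hub debug above.
# The hub's tunnel source is 192.168.10.1, statically NATed to 1.1.1.1; the spoke is 2.2.2.2.
HUB_PROPOSAL = """\
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# Constructed sample: the corresponding request as the spoke logged it.
SPOKE_REQUEST = """\
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
"""

ENDPOINT_RE = re.compile(r"\b(INBOUND|OUTBOUND) local= ([\d.]+):(\d+), remote= ([\d.]+):(\d+)")
PROXY_RE = re.compile(r"(local_proxy|remote_proxy)= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
MODE_RE = re.compile(r"transform= (.+?) \((Transport|Tunnel)\)")
GRE = 47  # IP protocol number carried in a DMVPN (GRE-over-IPsec) proxy identity


def parse_proposal(block: str) -> Dict[str, object]:
    """Pull endpoints, proxy identities and encapsulation mode out of one IPSEC debug block."""
    m = ENDPOINT_RE.search(block)
    if not m:
        raise ValueError("no 'local= ... remote= ...' line found")
    info: Dict[str, object] = {
        "direction": m[1], "local": m[2], "local_port": int(m[3]),
        "remote": m[4], "remote_port": int(m[5]),
        "rejected": "proxy identities not supported" in block,
    }
    for pm in PROXY_RE.finditer(block):
        info[pm[1]] = {"addr": pm[2], "mask": pm[3], "proto": int(pm[4]), "port": int(pm[5])}
    mm = MODE_RE.search(block)
    info["mode"] = mm[2] if mm else None
    return info


def check_dmvpn_proxy_ids(hub_view: Dict[str, object]) -> Dict[str, object]:
    """Explain a hub's rejection of a GRE-over-IPsec proposal from the hub's own point of view."""
    lp, rp = hub_view["local_proxy"], hub_view["remote_proxy"]
    findings = []
    if lp["proto"] != GRE or rp["proto"] != GRE:
        findings.append("proxy identity is not protocol 47: the peer is not proposing GRE-over-IPsec")
    nat_in_path = lp["addr"] != hub_view["local"]
    if nat_in_path:
        findings.append(
            f"peer identifies this router as {lp['addr']} but the local tunnel source is "
            f"{hub_view['local']}: a NAT sits between the peers, and transport-mode GRE over "
            f"IPsec across it needs NAT traversal left at its default (enabled)"
        )
    if rp["addr"] != hub_view["remote"]:
        findings.append(f"peer's own identity {rp['addr']} differs from its source {hub_view['remote']}")
    return {"nat_in_path": nat_in_path, "rejected": hub_view["rejected"], "findings": findings}


def correlate(hub_view: Dict[str, object], spoke_view: Dict[str, object]) -> Dict[str, object]:
    """Cross-check the spoke's request against what the hub received: do the two sides agree?"""
    proposals_agree = (
        spoke_view["remote_proxy"]["addr"] == hub_view["local_proxy"]["addr"]
        and spoke_view["local_proxy"]["addr"] == hub_view["remote_proxy"]["addr"]
    )
    return {
        "hub_public": spoke_view["remote"],    # the address the spoke sends to
        "hub_private": hub_view["local"],      # the address the hub really owns
        "proposals_agree": proposals_agree,    # True: the rejection is hub policy, not a spoke typo
    }


if __name__ == "__main__":
    hub, spoke = parse_proposal(HUB_PROPOSAL), parse_proposal(SPOKE_REQUEST)
    print(check_dmvpn_proxy_ids(hub))
    print(correlate(hub, spoke))
```

With `proposals_agree` true, the spoke is doing exactly what its `ip nhrp map` lines say and the problem is on the hub side: with NAT traversal switched off the hub has no way to accept a proxy identity that names its post-NAT address. A block where the protocol field is not 47 would instead point at a mismatched crypto map or profile on one peer, so the same check separates the two causes.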
Multiple DMVPN Instances on Same WAN Interface
Hi Folks,
Is it possible to run multiple DMVPN instances on a single WAN interface? Can we, for example, configure 3 tunnels on a router using the same WAN interface but running separate EIGRP instances for each tunnel? Kindly let me know,
Alioune
Hi Alioune,
Yes, you can create DMVPN as you said with one WAN interface; that is possible. You can have multiple tunnel interfaces pointed to a WAN interface as the source interface which resides in the public zone, with different public IPs as the destination of each tunnel.
interface Tunnel1
 description ** A-VPN Tunnel **
 bandwidth 100000
 ip vrf forwarding red
 ip address 10.0.252.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1500
 load-interval 60
 ! GigabitEthernet0/0 is the shared WAN interface
 tunnel source GigabitEthernet0/0
 tunnel destination 1.1.1.1
 ! "shared" lets several tunnels with the same source use one IPsec profile
 tunnel protection ipsec profile dmvpn shared
!
! the second tunnel needs its own interface number; a second "interface Tunnel1" would only edit the first
interface Tunnel2
 description ** B-VPN Tunnel **
 bandwidth 100000
 ip vrf forwarding red
 ip address 10.0.252.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1500
 load-interval 60
 tunnel source GigabitEthernet0/0
 tunnel destination 2.1.1.1
 tunnel protection ipsec profile dmvpn shared
Like the sample shown above.
Please rate if the given information helps!
Dual-DMVPN Design with Dual Hubs on a single router ??
Hi All,
In DMVPN, in Dual-DMVPN Design with Dual Hubs , can a single router perform the role of dual hubs.
The router has two different internet links. It is intended that when one link goes down, spokes should connect to the same router over the other active internet connection. Is this possible?
Since no one has answered yet, I'll give you the practical answer.
You'll have issues with IPSec and static routing. "DMVPN" itself probably wouldn't have an issue, but it would depend on IPSec and routing to work.
It is easier, by far, to put in a second router. And when you factor in your time to try to make it work (and it may not work), the second router is less expensive.
Rob
Hi all,
We have configured a DMVPN from our headquarters to our branch offices (let's say BR1-BR3).
We have noticed that sometimes we cannot access some of our branch offices; the scenario is like this:
- sometimes, BR1 and BR2 are down but BR3 is working fine
- sometimes, BR2 and BR3 are down but BR1 is working fine
- sometimes, BR1 and BR3 are down but BR2 is working fine
- sometimes, only one branch office is down and the others are working fine
The hub is a Cisco 3845; the IOS is c3845-advipservicesk9-mz.124-5c.bin
From the log, we have
*Sep 7 11:28:59.260: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor x.x.x.x (Tunnel100) is down: stuck in active
*Sep 7 11:29:01.052: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor x.x.x.x (Tunnel100) is up: new adjacency
We do not know why it is down; there is no problem on the connection between the headquarters and branch offices.
Any suggestions are appreciated.
Hi Portu,
Please find the answers below:
Q: Are you able to ping from tunnel interface to tunnel interface?
A: Yes, we are able to ping from tunnel interface to tunnel interface.
Q: Does the IPsec tunnel come down (show crypto isakmp sa)?
A: No, we see the status is ACTIVE.
Q: Does the tunnel interface come down (show interface tunnel x or show ip interface brief)?
A: The tunnel is UP.
Q: Any ISAKMP / IPsec related logs during the failure?
Q: How often does it happen?
A: Sometimes many times in one day, sometimes every 1 or 2 days.
Q: Does it recover by itself?
A: Yes, it does; but after rebooting the devices, it works fine again.
Please let us know if you need more information.
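The two %DUAL-5-NBRCHANGE lines above are the only evidence posted, and the pattern the thread describes (several branches dropping at the same time, then recovering on their own) is what a per-neighbor timeline of those messages makes visible. The script below is an added example, not something from the thread or from Cisco: it parses IOS EIGRP neighbor-change messages, tallies flaps and down-time per neighbor and per reason, and groups "stuck in active" resets that hit several neighbors within a short window, which is the signature the poster is describing. The sample log is constructed: the posted lines with the masked x.x.x.x expanded into placeholder spoke tunnel addresses, plus a few extra events so that the grouping has something to separate.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample, modelled on the two %DUAL-5-NBRCHANGE lines quoted above.
# 10.10.10.11-13 are placeholder spoke tunnel addresses standing in for the masked x.x.x.x.
SAMPLE_SYSLOG = """\
*Sep 7 09:15:00.000: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.13 (Tunnel100) is down: holding time expired
*Sep 7 09:15:40.000: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.13 (Tunnel100) is up: new adjacency
*Sep 7 11:28:59.260: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.11 (Tunnel100) is down: stuck in active
*Sep 7 11:28:59.260: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.12 (Tunnel100) is down: stuck in active
*Sep 7 11:29:01.052: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.11 (Tunnel100) is up: new adjacency
*Sep 7 11:29:01.300: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.12 (Tunnel100) is up: new adjacency
*Sep 7 14:02:10.000: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.11 (Tunnel100) is down: stuck in active
*Sep 7 14:02:12.500: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor 10.10.10.11 (Tunnel100) is up: new adjacency
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}): %DUAL-5-NBRCHANGE: "
    r"IP-EIGRP\(\d+\) (?P<asn>\d+): Neighbor (?P<nbr>\S+) \((?P<intf>\S+)\) "
    r"is (?P<event>up|down): (?P<reason>.*)$"
)


def parse_ts(ts: str) -> datetime:
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for deltas within one log.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S.%f")


def parse_nbrchange(text: str) -> List[dict]:
    """Return one dict per neighbor up/down message, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            events.append(d)
    return events


def summarize(events: List[dict], window_s: float = 2.0) -> Dict[str, object]:
    """Per-neighbor flap statistics plus groups of SIA resets that hit several neighbors together."""
    per_nbr = defaultdict(lambda: {"flaps": 0, "reasons": defaultdict(int), "down_seconds": []})
    pending_down: Dict[str, datetime] = {}
    for e in events:
        s = per_nbr[e["nbr"]]
        if e["event"] == "down":
            s["flaps"] += 1
            s["reasons"][e["reason"]] += 1
            pending_down[e["nbr"]] = e["ts"]
        elif e["nbr"] in pending_down:   # "up" closes the outage opened by the last "down"
            s["down_seconds"].append((e["ts"] - pending_down.pop(e["nbr"])).total_seconds())

    # Correlated resets: "stuck in active" downs from different neighbors within window_s of
    # the first one. Several spokes reset together is what the thread reports.
    sia = sorted((e["ts"], e["nbr"]) for e in events
                 if e["event"] == "down" and e["reason"] == "stuck in active")
    groups, current = [], []
    for ts, nbr in sia:
        if current and (ts - current[0][0]).total_seconds() > window_s:
            groups.append(current)
            current = []
        current.append((ts, nbr))
    if current:
        groups.append(current)
    correlated = [sorted({n for _, n in g}) for g in groups if len({n for _, n in g}) > 1]

    return {
        "neighbors": {
            nbr: {
                "flaps": v["flaps"],
                "reasons": dict(v["reasons"]),
                "max_down_seconds": max(v["down_seconds"], default=0.0),
            }
            for nbr, v in per_nbr.items()
        },
        "correlated_sia_resets": correlated,
    }


if __name__ == "__main__":
    report = summarize(parse_nbrchange(SAMPLE_SYSLOG))
    for nbr, stats in report["neighbors"].items():
        print(nbr, stats)
    print("neighbors reset together by SIA:", report["correlated_sia_resets"])
```

Fed the hub's syslog (with a year added if the log spans one), the report answers the questions the reply is asking: how often each spoke drops, whether the reason is always "stuck in active" or sometimes a hold-timer expiry (which would point at the tunnel itself rather than the DUAL query process), and whether the resets hit spokes in clusters, as the poster's BR1/BR2 then BR2/BR3 observations suggest.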
DMVPN phase 1 fails when migrating from PSK to RSA-SIG
I am currently in the process of migrating my DMVPN network from pre-shared keys to certificates. Most of the spokes have come up and are working without any issues, but there are several that are not making it past phase 1. I have included the ISAKMP debugging from the hub and one of the spokes that are failing. I see that the hub is going to QM_IDLE after receiving the certificate from the spoke, but it does not look like the spoke ever receives the cert from the hub. I suspect an issue with the ISP, but it's not as simple as filtering 500, as all the messages except the cert seem to make it. If I move the spoke back to PSK it works fine. Has anyone seen this issue before, and what was the resolution?
DMVPN Hub
Oct 7 19:38:36.213: ISAKMP: local port 500, remote port 500
Oct 7 19:38:36.213: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F1AA7CC5920
Oct 7 19:38:36.213: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.213: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Oct 7 19:38:36.214: ISAKMP:(0): processing SA payload. message ID = 0
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
Oct 7 19:38:36.214: ISAKMP:(0):found peer pre-shared key matching 2.8.51.58
Oct 7 19:38:36.214: ISAKMP:(0): local preshared key found
Oct 7 19:38:36.214: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
Oct 7 19:38:36.214: ISAKMP: encryption 3DES-CBC
Oct 7 19:38:36.214: ISAKMP: hash MD5
Oct 7 19:38:36.214: ISAKMP: default group 1
Oct 7 19:38:36.214: ISAKMP: auth RSA sig
Oct 7 19:38:36.214: ISAKMP: life type in seconds
Oct 7 19:38:36.214: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 7 19:38:36.214: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 7 19:38:36.214: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 7 19:38:36.214: ISAKMP:(0):Acceptable atts:life: 0
Oct 7 19:38:36.214: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 7 19:38:36.214: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 7 19:38:36.214: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 7 19:38:36.214: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
Oct 7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Oct 7 19:38:36.214: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 7 19:38:36.214: ISAKMP:(0): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 7 19:38:36.214: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Oct 7 19:38:36.240: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 7 19:38:36.240: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.240: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Oct 7 19:38:36.240: ISAKMP:(0): processing KE payload. message ID = 0
Oct 7 19:38:36.242: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 7 19:38:36.242: ISAKMP:(38618): processing CERT_REQ payload. message ID = 0
Oct 7 19:38:36.242: ISAKMP:(38618): peer wants a CT_X509_SIGNATURE cert
Oct 7 19:38:36.242: ISAKMP:(38618): peer wants cert issued by cn=Tetra Pak Root CA - G1
Oct 7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
Oct 7 19:38:36.242: ISAKMP:(38618): vendor ID is DPD
Oct 7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
Oct 7 19:38:36.242: ISAKMP:(38618): speaking to another IOS box!
Oct 7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
Oct 7 19:38:36.242: ISAKMP:(38618): vendor ID seems Unity/DPD but major 209 mismatch
Oct 7 19:38:36.242: ISAKMP:(38618): vendor ID is XAUTH
Oct 7 19:38:36.242: ISAKMP:received payload type 20
Oct 7 19:38:36.242: ISAKMP (38618): His hash no match - this node outside NAT
Oct 7 19:38:36.242: ISAKMP:received payload type 20
Oct 7 19:38:36.242: ISAKMP (38618): No NAT Found for self or peer
Oct 7 19:38:36.242: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.242: ISAKMP:(38618):Old State = IKE_R_MM3 New State = IKE_R_MM3
Oct 7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP (38618): constructing CERT_REQ for issuer cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
Oct 7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 7 19:38:36.243: ISAKMP:(38618):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.243: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.243: ISAKMP:(38618):Old State = IKE_R_MM3 New State = IKE_R_MM4
Oct 7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct 7 19:38:36.484: ISAKMP:(38618):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.484: ISAKMP:(38618):Old State = IKE_R_MM4 New State = IKE_R_MM5
Oct 7 19:38:36.484: ISAKMP:(38618): processing ID payload. message ID = 0
Oct 7 19:38:36.484: ISAKMP (38618): ID payload
next-payload : 6
type : 2
FQDN name : lvrirt-s2s-01.nvv.net.company.com
protocol : 17
port : 500
length : 42
Oct 7 19:38:36.484: ISAKMP:(38618): processing CERT payload. message ID = 0
Oct 7 19:38:36.484: ISAKMP:(38618): processing a CT_X509_SIGNATURE cert
Oct 7 19:38:36.484: ISAKMP:(38618): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): peer's pubkey is cached
Oct 7 19:38:36.485: ISAKMP:(38618): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): Unable to get DN from certificate!
Oct 7 19:38:36.485: ISAKMP:(38618): processing SIG payload. message ID = 0
Oct 7 19:38:36.486: ISAKMP:received payload type 17
Oct 7 19:38:36.486: ISAKMP:(38618): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x7F1AA7CC5920
Oct 7 19:38:36.486: ISAKMP:(38618):SA authentication status:
authenticated
Oct 7 19:38:36.486: ISAKMP:(38618):SA has been authenticated with 2.8.51.58
Oct 7 19:38:36.486: ISAKMP:(38618):SA authentication status:
authenticated
Oct 7 19:38:36.486: ISAKMP:(38618): Process initial contact,
bring down existing phase 1 and 2 SA's with local 15.18.1.1 remote 2.8.51.58 remote port 500
Oct 7 19:38:36.486: ISAKMP:(38617):received initial contact, deleting SA
Oct 7 19:38:36.486: ISAKMP:(38617):peer does not do paranoid keepalives.
Oct 7 19:38:36.486: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.486: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.486: ISAKMP:(38618):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 7 19:38:36.487: ISAKMP: set new node 2177251913 to QM_IDLE
Oct 7 19:38:36.487: ISAKMP:(38617): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
Oct 7 19:38:36.487: ISAKMP:(38617):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.487: ISAKMP:(38617):purging node 2177251913
Oct 7 19:38:36.487: ISAKMP:(38617):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 7 19:38:36.487: ISAKMP:(38617):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Oct 7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618):My ID configured as IPv4 Addr, but Addr not in Cert!
Oct 7 19:38:36.487: ISAKMP:(38618):Using FQDN as My ID
Oct 7 19:38:36.487: ISAKMP:(38618):SA is doing RSA signature authentication using id type ID_FQDN
Oct 7 19:38:36.487: ISAKMP (38618): ID payload
next-payload : 6
type : 2
FQDN name : selurt-dmvpn-01.nvv.net.company.com
protocol : 17
port : 500
length : 44
Oct 7 19:38:36.487: ISAKMP:(38618):Total payload length: 44
Oct 7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.488: ISAKMP:(38618): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=selurt-dmvpn-01.nvv.net.company.com,serialNumber=4279180096
Oct 7 19:38:36.489: ISAKMP (38618): constructing CERT payload for cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
Oct 7 19:38:36.489: ISAKMP:(38618): using the TP_NAD_CA trustpoint's keypair to sign
Oct 7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 7 19:38:36.494: ISAKMP:(38618):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.494: ISAKMP:(38618):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Oct 7 19:38:36.494: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.494: ISAKMP:(38617):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.494: ISAKMP:(38617):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Oct 7 19:38:36.494: ISAKMP:(38618):IKE_DPD is enabled, initializing timers
Oct 7 19:38:36.494: ISAKMP:(38618): IKE->PKI End PKI Session state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.494: ISAKMP:(38618): PKI->IKE Ended PKI session state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
selurt-dmvpn-01#
Oct 7 19:38:36.494: ISAKMP:(38618):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
selurt-dmvpn-01#
Oct 7 19:38:46.492: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:38:46.492: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:38:46.492: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:38:46.992: ISAKMP (38618): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:38:46.992: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:38:46.992: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:38:56.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:38:56.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:38:56.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:38:56.981: ISAKMP (38618): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:38:56.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:38:56.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:06.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:39:06.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:39:06.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:39:06.981: ISAKMP (38618): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct 7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:39:06.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:39:06.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:09.880: ISAKMP:(38616):purging SA., sa=7F1AA7721158, delme=7F1AA7721158
selurt-dmvpn-01#
Oct 7 19:39:16.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:39:16.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:39:16.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:39:16.980: ISAKMP (38618): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:39:16.980: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:39:16.980: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:26.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:39:26.482: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:39:26.482: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:39:26.981: ISAKMP (38618): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:39:26.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:39:26.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:36.493: ISAKMP:(38617):purging SA., sa=7F1AA79AD9E0, delme=7F1AA79AD9E0
DMVPN Spoke
Oct 7 19:38:36.181: ISAKMP:(0): SA request profile is (NULL)
Oct 7 19:38:36.181: ISAKMP: Created a peer struct for 15.18.1.1, peer port 500
Oct 7 19:38:36.181: ISAKMP: New peer created peer = 0x2B1F480C peer_handle = 0x80001DF4
Oct 7 19:38:36.181: ISAKMP: Locking peer struct 0x2B1F480C, refcount 1 for isakmp_initiator
Oct 7 19:38:36.181: ISAKMP: local port 500, remote port 500
Oct 7 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
Oct 7 19:38:36.181: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B16C9FC
Oct 7 19:38:36.181: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 7 19:38:36.181: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
Oct 7 19:38:36.181: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.181: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 7 19:38:36.181: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 7 19:38:36.181: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 7 19:38:36.181: ISAKMP:(0): beginning Main Mode exchange
Oct 7 19:38:36.181: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 7 19:38:36.181: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.205: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 7 19:38:36.205: ISAKMP:(0): processing SA payload. message ID = 0
Oct 7 19:38:36.205: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.205: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
Oct 7 19:38:36.205: ISAKMP:(0): local preshared key found
Oct 7 19:38:36.205: ISAKMP : Scanning profiles for xauth ...
Oct 7 19:38:36.205: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
Oct 7 19:38:36.205: ISAKMP: encryption 3DES-CBC
Oct 7 19:38:36.205: ISAKMP: hash MD5
Oct 7 19:38:36.205: ISAKMP: default group 1
Oct 7 19:38:36.205: ISAKMP: auth RSA sig
Oct 7 19:38:36.205: ISAKMP: life type in seconds
Oct 7 19:38:36.205: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 7 19:38:36.205: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 7 19:38:36.205: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 7 19:38:36.205: ISAKMP:(0):Acceptable atts:life: 0
Oct 7 19:38:36.205: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 7 19:38:36.205: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 7 19:38:36.205: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 7 19:38:36.205: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 7 19:38:36.205: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 7 19:38:36.209: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP (0): constructing CERT_REQ for issuer cn=Tetra Pak Root CA - G1
Oct 7 19:38:36.209: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 7 19:38:36.209: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.209: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.209: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 7 19:38:36.233: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 7 19:38:36.233: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.233: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 7 19:38:36.233: ISAKMP:(0): processing KE payload. message ID = 0
Oct 7 19:38:36.245: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 7 19:38:36.245: ISAKMP:(8329): processing CERT_REQ payload. message ID = 0
Oct 7 19:38:36.245: ISAKMP:(8329): peer wants a CT_X509_SIGNATURE cert
Oct 7 19:38:36.245: ISAKMP:(8329): peer wants cert issued by cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
Oct 7 19:38:36.249: Choosing trustpoint TP_NAD_CA as issuer
Oct 7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
Oct 7 19:38:36.249: ISAKMP:(8329): vendor ID is Unity
Oct 7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
Oct 7 19:38:36.249: ISAKMP:(8329): vendor ID is DPD
Oct 7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
Oct 7 19:38:36.249: ISAKMP:(8329): speaking to another IOS box!
Oct 7 19:38:36.249: ISAKMP:received payload type 20
Oct 7 19:38:36.249: ISAKMP (8329): His hash no match - this node outside NAT
Oct 7 19:38:36.249: ISAKMP:received payload type 20
Oct 7 19:38:36.249: ISAKMP (8329): No NAT Found for self or peer
Oct 7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 7 19:38:36.249: ISAKMP:(8329):Send initial contact
Oct 7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
Oct 7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
Oct 7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
Oct 7 19:38:36.249: ISAKMP (8329): ID payload
next-payload : 6
type : 2
FQDN name : lvrirt-s2s-01.nvv.net.company.com
protocol : 17
port : 500
length : 42
Oct 7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
Oct 7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.253: ISAKMP:(8329): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=lvrirt-s2s-01.nvv.net.company.com,serialNumber=FCZ163860KW
Oct 7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
Oct 7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
Oct 7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
Oct 7 19:38:54.709: ISAKMP:(8327):purging node -57107868
Oct 7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
Oct 7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
Oct 7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
Oct 7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
Oct 7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct 7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
Oct 7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
Oct 7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
Oct 7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
Mike,
The hub sends its cert but the spoke never receives it; this is typically a problem with fragmentation handling in transit networks.
Sniff both ends you control and check whether you're not missing any fragments on the spoke end.
Could be as simple as an MTU problem on your end, or could be something in the path attempting reassembly.
Multiple ways to go: check your end; if fragments are missing in transit, start investigating with the ISP(s).
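The fragmentation diagnosis above can be checked from the two debugs before reaching for a sniffer. The script below is an added example, not part of the thread: it parses hub-side and spoke-side ISAKMP debug lines, matches each packet one router sent against what the other logged as received, and reports whether the packets that never arrived are exactly the certificate-carrying ones (the ones that grow past the MTU). Its log lines are constructed to mirror the posted debugs, the hostnames and serial numbers in them are placeholders, and it assumes a single UDP/500 flow with no reordering.

```python
"""Correlate hub-side and spoke-side ISAKMP debugs to find which IKE
packets never arrived and whether the missing ones are the large
certificate-carrying messages.  Added example, not from the thread."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ISAKMP"
    r"(?:[ :]*\((?P<sa>\d+)\))?:?\s*(?P<msg>.*)$"
)
SEND_RE = re.compile(r"sending packet to \S+ .*\([IR]\) (?P<state>\S+)$")
RECV_RE = re.compile(r"received packet from \S+ .*\([IR]\) (?P<state>\S+)$")
CERT_RE = re.compile(r"constructing CERT payload")
RETX_RE = re.compile(r"retransmitting phase 1")
DEATH_RE = re.compile(r'deleting SA reason "Death by retransmission P1"')

# Constructed sample logs mirroring the posted debugs (hub = responder,
# spoke = initiator); hostnames and serial numbers are placeholders.
HUB_LOG = """\
Oct 7 19:38:36.213: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_NO_STATE
Oct 7 19:38:36.214: ISAKMP:(0): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 7 19:38:36.240: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct 7 19:38:36.487: ISAKMP:(38617): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
Oct 7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=hub.example.invalid,serialNumber=0
Oct 7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 7 19:38:46.492: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:38:46.992: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
"""
SPOKE_LOG = """\
Oct 7 19:38:36.181: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 7 19:38:36.205: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 7 19:38:36.209: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 7 19:38:36.233: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=spoke.example.invalid,serialNumber=0
Oct 7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
"""


@dataclass
class Packet:
    ts: str
    sa: str
    state: str
    cert: bool        # carries a CERT payload: the big, fragment-prone message
    retransmit: bool  # re-sent copy of an earlier packet on the same SA


def parse(log: str):
    """Return (sent, received, gave_up) for one router's debug output."""
    sent, received, gave_up = [], [], False
    pending_cert, pending_retx, last_cert = set(), set(), {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sa, msg = m.group("sa") or "0", m.group("msg")
        if CERT_RE.search(msg):
            pending_cert.add(sa)          # next send on this SA carries a cert
        elif RETX_RE.search(msg):
            pending_retx.add(sa)          # next send on this SA is a retransmit
        elif DEATH_RE.search(msg):
            gave_up = True                # phase 1 abandoned after the retransmit limit
        elif (s := SEND_RE.search(msg)):
            retx = sa in pending_retx
            cert = last_cert.get(sa, False) if retx else sa in pending_cert
            sent.append(Packet(m.group("ts"), sa, s.group("state"), cert, retx))
            last_cert[sa] = cert
            pending_cert.discard(sa)
            pending_retx.discard(sa)
        elif (r := RECV_RE.search(msg)):
            received.append(Packet(m.group("ts"), sa, r.group("state"), False, False))
    return sent, received, gave_up


def correlate(sender_log: str, receiver_log: str) -> dict:
    """Match the sender's transmissions to the receiver's arrivals in order.
    Assumption: one UDP/500 flow with no reordering, so the k-th arrival is
    the k-th transmission; the two routers' clocks are never compared."""
    sent, _, _ = parse(sender_log)
    _, received, gave_up = parse(receiver_log)
    delivered, lost = sent[:len(received)], sent[len(received):]
    # Loss confined to cert-bearing packets while the small ones get through
    # is the signature of fragments being dropped somewhere on the path.
    frag = bool(lost) and all(p.cert for p in lost) and not any(p.cert for p in delivered)
    return {"sent": len(sent), "received": len(received), "lost": lost,
            "fragmentation_suspected": frag, "receiver_gave_up": gave_up}


if __name__ == "__main__":
    for name, a, b in (("hub -> spoke", HUB_LOG, SPOKE_LOG), ("spoke -> hub", SPOKE_LOG, HUB_LOG)):
        r = correlate(a, b)
        print(f"{name}: sent {r['sent']}, received {r['received']}, lost {len(r['lost'])}")
        for p in r["lost"]:
            print(f"  lost {p.ts} sa={p.sa} state={p.state} cert={p.cert} retransmit={p.retransmit}")
        print(f"  fragmentation suspected: {r['fragmentation_suspected']}; "
              f"receiver gave up: {r['receiver_gave_up']}")
```

On the sample, the small delete notify for the old SA still arrives at the spoke while every cert-bearing packet from the hub is lost, and the reverse direction shows no loss, which is what a one-way fragment drop looks like.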
M.
-
Reliability of DMVPN as primary link
Hi,
We are planning to implement DMVPN (phase 3) over the Internet to connect 100-plus locations (including business-critical locations). These locations are located around the globe, including embargoed countries. However, while browsing through various case studies of DMVPN implementation, we understand the solution is used as a backup link and not a primary link by many companies. We would like to know from anyone whether the solution is successful as a primary link as well. Kindly advise.
Regards,
Jubair.S
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Case studies using DMVPN as a backup are more due, I believe, to the question of reliability of the "Internet" rather than of the DMVPN technology itself.
I used to work within an international company with offices all over the world. Usually we had a private WAN link and an Internet VPN link to each site. Although Internet VPN was "sold" to management as a lower-cost backup/secondary, we usually treated the two links equally (as they had about the same bandwidths). I saw very little difference in performance between the two technologies. Regarding reliability, in 1st world countries, reliability was about the same. In 3rd world countries, VPN actually had a slight edge (because it was often newer infrastructure and a primary focus for the country's build-outs [i.e. everyone wants Internet access]).
-
DMVPN w/ Multicasting setup/questions
Hello
I have a lot of questions, so bear with me as I puke them out of my head.
I have been doing some testing with DMVPN in conjunction with multicasting video (hub and spoke, with no spoke to spoke). The test setup is using 2 Cisco 2811s without the VPN module. I understand the performance hit of not having the module. With that being said, here are my questions.
1. With encryption on, both the hub and spoke routers are using 90-97% CPU (8Mb multicast stream). With encryption off, the hub is around 60% and the spoke around 75%. Here is where I'm confused. If I send that same stream as a unicast stream, with encryption on, both the hub and spoke are only using around 30-35% CPU. Why is so much more CPU needed when it's a multicast stream?
2. In the current config I'm seeing input, throttle, and ignored errors on the hub and spoke. The hub has these errors on the LAN interface, and the spoke has these errors on the WAN interface. All other interfaces are totally clean. I have checked and there are no duplex or speed mismatches. Any ideas?
HUB:
Current configuration : 1837 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Hub
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password
no aaa new-model
clock timezone Central -6
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip name-server 8.8.8.8
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
log config
hidekeys
interface Tunnel1
bandwidth 100000
ip address 192.168.11.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 450
no ip route-cache cef
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel bandwidth transmit 100000
tunnel bandwidth receive 100000
interface FastEthernet0/0 (WAN)
ip address 216.x.x.x 255.255.255.192
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
interface FastEthernet0/1 (LAN)
ip address 128.112.64.5 255.255.248.0
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
router eigrp 1
network 128.112.0.0
network 192.168.11.0
auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip http server
ip http authentication local
ip http secure-server
ip pim rp-address 128.112.64.5 10
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
Spoke:
Current configuration : 1857 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Spoke
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password
no aaa new-model
clock timezone central -6
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
log config
hidekeys
interface Tunnel1
bandwidth 100000
ip address 192.168.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp map 192.168.11.1 216.x.x.x
ip nhrp map multicast 216.x.x.x
ip nhrp network-id 1
ip nhrp holdtime 450
ip nhrp nhs 192.168.11.1
no ip route-cache cef
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
tunnel source FastEthernet0/0
tunnel destination 216.x.x.x
tunnel key 100000
tunnel bandwidth transmit 100000
tunnel bandwidth receive 100000
interface FastEthernet0/0 (WAN)
ip address 65.x.x.x 255.255.255.192
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
interface FastEthernet0/1 (LAN)
ip address 128.124.64.1 255.255.248.0
ip pim sparse-mode
ip igmp join-group 239.10.10.10
load-interval 30
duplex auto
speed auto
router eigrp 1
network 128.124.0.0
network 192.168.11.0
auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 65.x.x.x
no ip http server
no ip http secure-server
ip pim rp-address 128.112.64.5 10
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
Joe,
You ask the right question.
CPU utilization = CPU consumed by processes + IO operations (in a huge simplification - CEF)
Typically when a packet is processed by a router we expect it to be processed by CEF, i.e. very fast.
Packet is not processed by CEF:
- when there is something missing to route the packet properly (think missing ARP/CAM entry) i.e. an additional lookup needs to be done.
- a feature requests that a packet is for processing/mangling
- Packet is destined to the router
(And several others, but those are the major ones).
When a packet is received, but cannot be processed by CEF, we "punt the packet to CPU"; this in turn will cause the CPU for processes to go up.
Now on the spoke this seems to be the problem:
Spoke#show ip cef switching stati
Reason                           Drop       Punt  Punt2Host
RP LES Packet destined for us       0       1723          0
RP LES Encapsulation resource       0    1068275          0
There were also some failures on one of the buffer outputs you've attached.
Typically at this stage I would suggest:
1) "Upgrade" the device to 15.0(1)M6 or 12.4(15)T (latest image in this branch) and check if the problem persists there.
2) If it does, swing it by TAC. I don't see any obvious mistakes, but I'm just a guy in a chair same as you ;-)
Marcin -
Is it possible to have 2 DMVPN tunnels on a spoke router having 2 ISPs to the same hub?
I have a router R1 acting as a hub for DMVPN. I have a spoke router R2 which has 2 ISPs. Can I establish a DMVPN tunnel via each ISPs to R1 from R2?
the other posters are correct all you need is osx lion. i have tried it out and it works.
the bottom line and most important thing to remember about multiple users using the same mac is:
each user needs their separate account. for example, if bob is on the screen, and tim logs on using vnc
then tim gets his own desktop and kbd and mouse. but if bob is on the screen and bob logs on using vnc
then they share the same desktop
so if you want say 2 or 5 users or whatever the limit is, and i don't know. you are going to need 2 or 5 or whatever
separate users
on the host mac you go into system preferences, sharing, screen sharing, and turn it on
and on the remote mac you run finder, click on connect to server and type vnc:// and the address to the computer
like vnc://192.168.1.4 and it should work great over the local network
there's no other hardware or software you need, you just need to be running osx lion
there are also vnc clients available you can download that might be better than the vnc client in finder -
Failover DMVPN hup-spoke setup
This is the current setup:
crypto keyring LAN-to-LAN
pre-shared-key address A key 1
pre-shared-key address B key 2
pre-shared-key address C key 3
pre-shared-key address D key 4
pre-shared-key address E key 5
pre-shared-key address F key 6
pre-shared-key address G key 7
pre-shared-key address H key 8
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile DMVPN
keyring LAN-to-LAN
match identity address A 255.255.255.255
match identity address B 255.255.255.255
match identity address C 255.255.255.255
match identity address D 255.255.255.255
match identity address E 255.255.255.255
match identity address F 255.255.255.255
match identity address G 255.255.255.255
match identity address H 255.255.255.255
crypto ipsec transform-set AES256_SHA-transport esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set AES256_SHA-transport
set isakmp-profile DMVPN
interface Tunnel0
bandwidth 50000
ip address 192.168.192.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Dyn4m1c
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
no ip split-horizon eigrp 90
load-interval 30
tunnel source Vlan10
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
interface GigabitEthernet0/1
description Verizon Ethernet Internet [10Mbps]
ip address 157.130.x.x 255.255.255.252
ip accounting output-packets
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
interface FastEthernet0/0/3
description Optimum Lightpath Internet [50Mbps]
switchport access vlan 10
load-interval 30
duplex full
speed 100
interface Vlan10
description Optimum Lightpath Internet [50Mbps]
ip address 173.251.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
load-interval 30
router eigrp 90
network 10.192.28.0 0.0.0.255
network 10.192.29.0 0.0.0.255
network 192.168.44.0
network 192.168.192.0
ip route 0.0.0.0 0.0.0.0 157.130.x.x
ip route 10.192.29.0 255.255.255.0 10.192.28.2
ip route A 255.255.255.255 173.251.x.x
ip route B 255.255.255.255 173.251.x.x
ip route C 255.255.255.255 173.251.x.x
ip route D 255.255.255.255 173.251.x.x
ip route E 255.255.255.255 173.251.x.x
ip route F 255.255.255.255 173.251.x.x
ip route G 255.255.255.255 173.251.x.x
ip route H 255.255.255.255 173.251.x.x
Can I just double it and use IP SLA route tracking for redundancy? So I would add the following to the above:
interface Tunnel1
bandwidth 50000
ip address 192.168.192.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Dyn4m1c
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
no ip split-horizon eigrp 90
load-interval 30
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
track 1 ip sla 1
delay down 15 up 15
ip sla 1
icmp-echo 64.106.227.1 source-interface VLAN10
frequency 5
ip sla schedule 1 life forever start-time now
ip route 10.192.29.0 255.255.255.0 10.192.28.2
ip route A 255.255.255.255 173.251.x.x track 1
ip route A 255.255.255.255 157.130.x.x 200
ip route B 255.255.255.255 173.251.x.x track 1
ip route B 255.255.255.255 157.130.x.x 200
ip route C 255.255.255.255 173.251.x.x track 1
ip route C 255.255.255.255 157.130.x.x 200
ip route D 255.255.255.255 173.251.x.x track 1
ip route D 255.255.255.255 157.130.x.x 200
ip route E 255.255.255.255 173.251.x.x track 1
ip route E 255.255.255.255 157.130.x.x 200
ip route F 255.255.255.255 173.251.x.x track 1
ip route F 255.255.255.255 157.130.x.x 200
ip route G 255.255.255.255 173.251.x.x track 1
ip route G 255.255.255.255 157.130.x.x 200
ip route H 255.255.255.255 173.251.x.x track 1
ip route H 255.255.255.255 157.130.x.x 200
1) You can't use the same ip address on both tunnels.
2) I can't see any "ip nhrp nhs" or static mappings configuration on your tunnels. Configuration is not operational.
3) It is preferred to use tunnel VRFs for redundancy with two uplinks.
Please refer to
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
Please let me know if you need additional assistance with configuration.
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer." -
Hello,
We've run into an issue where a DMVPN spoke is not setting up an NHRP session with the HUB.
The situation: our spoke router (R1) get its internet connection from an average DSL router. This router has a common 192.168.1.0/24 subnet with DHCP on it. So our Spoke router gets 192.168.1.2 from the DHCP server. Next it sets up ISAKMP and a NHRP session with the hub and all is working well.
Next up is the second spoke (R2). Different location but same DSL router with the same 192.168.1.0/24 with DHCP on the inside. The spoke router connects to the LAN, gets 192.168.1.2, sets up an ISAKMP tunnel and next it wants to set up the NHRP session. Then we hit the following error:
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:7,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
2 UNKNOWN 10.255.11.2 NHRP never IX
0 UNKNOWN 10.255.11.7 NHRP never IX
1 192.168.1.2 10.255.11.4 UP 1d06h D
1 192.168.2.100 10.255.11.5 UP 2d22h D
The session will not establish because the hub already has an association with a peer that has 192.168.1.2 as its NBMA address. A workaround is to set a different fixed IP or use a different MAC to get another IP.
This is a different problem than the one that "ip nhrp registration no-unique" fixes. That happens when the same spoke connects to the hub but with a different IP address than before. In this case we have two spokes with identical NBMA addresses (although they are behind different public IPs).
I may not be completely up to date on this. But NHRP should make a differentiation based on NBMA address even if the claimed IP address is the same (didn't test it).
So a couple of questions:
- What version on spoke/hub?
- Is transport mode configured and operational?
- Show us "show ip nhrp" from hub. -
Problem when applying IPSEC to DMVPN
Hi, I have some trouble with DMVPN.
I configured NHRP between a HUB and a SPOKE:
HUB
tu0 tu1
| |
ISP
|
tu0,tu1
SPOKE
The HUB has two physical interfaces and two logical interfaces.
The SPOKE has one physical interface and two logical interfaces.
I configured NHRP correctly; the tunnels are detected on the HUB and the SPOKE.
When I add the IPSEC profile to the interfaces I lose tunnel1.
SPOKE1#sh ip nhrp
10.1.1.4/32 via 10.1.1.4, Tunnel0 created 02:22:01, never expire
Type: static, Flags: authoritative used
NBMA address: 190.1.1.1
10.2.2.4/32 via 10.2.2.4, Tunnel1 created 02:18:21, never expire
Type: static, Flags: authoritative used
NBMA address: 190.1.2.1
SPOKE1#debug ip nhrp
tunnel0
*Mar 1 03:50:09.399: NHRP: Attempting to send packet via DEST 10.1.1.4
*Mar 1 03:50:09.399: NHRP: Encapsulation succeeded. Tunnel IP addr 190.1.1.1
*Mar 1 03:50:09.399: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 82
*Mar 1 03:50:09.403: src: 10.1.1.1, dst: 10.1.1.4
*Mar 1 03:50:09.403: NHRP: 82 bytes out Tunnel0
*Mar 1 03:50:09.519: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 102
*Mar 1 03:50:09.519: NHRP: netid_in = 0, to_us = 1
tunnel 1
*Mar 1 03:50:30.575: NHRP: Attempting to send packet via DEST 10.2.2.4
*Mar 1 03:50:30.575: NHRP: Encapsulation succeeded. Tunnel IP addr 190.1.2.1
*Mar 1 03:50:30.575: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
*Mar 1 03:50:30.579: src: 10.2.2.1, dst: 10.2.2.4
*Mar 1 03:50:30.579: NHRP: 82 bytes out Tunnel1
*Mar 1 03:50:30.579: NHRP: Resetting retransmit due to hold-timer for 10.2.2.4
no reply from the HUB.
HUB#sh ip nhrp
10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:05:05, expire 00:08:29
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.11
Just tunnel0 is there!
I also have this on the HUB:
*Mar 1 03:58:54.519: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 191.1.1.11 (physical address of SPOKE1)
configs :
HUB :
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key techservices address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 10000
ip address 10.1.1.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 123
ip nhrp authentication dmvpn1
ip nhrp map multicast dynamic
ip nhrp network-id 123
no ip split-horizon eigrp 123
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface Tunnel1
bandwidth 10000
ip address 10.2.2.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 124
ip nhrp authentication dmvpn2
ip nhrp map multicast dynamic
ip nhrp network-id 124
no ip split-horizon eigrp 124
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
SPOKE1:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key techservices address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 10000
ip address 10.1.1.1 255.255.255.0
ip mtu 1400
ip nhrp authentication dmvpn1
ip nhrp map multicast 190.1.1.1
ip nhrp map 10.1.1.4 190.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 600
ip nhrp nhs 10.1.1.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface Tunnel1
bandwidth 10000
ip address 10.2.2.1 255.255.255.0
ip mtu 1400
ip nhrp authentication dmvpn2
ip nhrp map multicast 190.1.2.1
ip nhrp map 10.2.2.4 190.1.2.1
ip nhrp network-id 124
ip nhrp holdtime 600
ip nhrp nhs 10.2.2.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
regards
But when I add another SPOKE there is a problem:
HUB
| |
SPOKE1___ ISP__SPOKE2
HUB:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 1000
ip address 10.1.1.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 123
ip nhrp authentication dmvpn1
ip nhrp map multicast dynamic
ip nhrp network-id 123
no ip split-horizon eigrp 123
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface Tunnel1
bandwidth 1000
ip address 10.2.2.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 124
ip nhrp authentication dmvpn2
ip nhrp map multicast dynamic
ip nhrp network-id 124
no ip split-horizon eigrp 124
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
SPOKE1 :
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 1000
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn1
ip nhrp map multicast 190.1.1.1
ip nhrp map 10.1.1.4 190.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 600
ip nhrp nhs 10.1.1.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
interface Tunnel1
bandwidth 1000
ip address 10.2.2.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn2
ip nhrp map multicast 190.1.2.1
ip nhrp map 10.2.2.4 190.1.2.1
ip nhrp network-id 124
ip nhrp holdtime 600
ip nhrp nhs 10.2.2.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN shared
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
SPOKE2 :
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 1000
ip address 10.1.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn1
ip nhrp map multicast 190.1.1.1
ip nhrp map 10.1.1.4 190.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 600
ip nhrp nhs 10.1.1.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
interface Tunnel1
bandwidth 1000
ip address 10.2.2.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn2
ip nhrp map multicast 190.1.2.1
ip nhrp map 10.2.2.4 190.1.2.1
ip nhrp network-id 124
ip nhrp holdtime 600
ip nhrp nhs 10.2.2.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN shared
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.2.0 0.0.0.255
no auto-summary
HUB:
HUB#sh ip nhrp
10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:15:17, expire 00:09:21
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.11
10.1.1.2/32 via 10.1.1.2, Tunnel0 created 00:12:09, expire 00:07:50
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
10.2.2.1/32, Tunnel1 created 00:02:57, expire 00:00:07
Type: incomplete, Flags: negative
Cache hits: 7
10.2.2.2/32 via 10.2.2.2, Tunnel1 created 00:12:00, expire 00:07:58
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
The HUB can't get the NBMA address for 10.2.2.1 of SPOKE1.
HUB#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
*Mar 1 00:45:18.431: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 124
*Mar 1 00:45:18.435: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
*Mar 1 00:45:18.435: NHRP: No node found..
*Mar 1 00:45:07.131: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 124
*Mar 1 00:45:07.131: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
*Mar 1 00:48:30.759: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
*Mar 1 00:48:30.763: NHRP: No node found.
*Mar 1 00:48:30.763: NHRP: Attempting to send packet via DEST 10.2.2.1
*Mar 1 00:48:30.767: NHRP: Send Resolution Request via Tunnel1 vrf 0, packet size: 82
*Mar 1 00:48:30.771: src: 10.2.2.4, dst: 10.2.2.1
*Mar 1 00:48:30.771: NHRP: Encapsulation failed for destination 10.2.2.1 out Tunnel1
SPOKE1#
*Mar 1 00:53:38.695: NHRP: Setting retrans delay to 64 for nhs dst 10.2.2.4
*Mar 1 00:53:38.699: NHRP: Attempting to send packet via DEST 10.2.2.4
*Mar 1 00:53:38.699: NHRP: Encapsulation succeeded. Tunnel IP addr 190.1.2.1
*Mar 1 00:53:38.703: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
*Mar 1 00:53:38.711: src: 10.2.2.1, dst: 10.2.2.4
*Mar 1 00:53:38.715: NHRP: 82 bytes out Tunnel1
no reply from the HUB
SPOKE1#ping 10.2.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.4, timeout is 2 seconds:
Success rate is 0 percent (0/5)
The SPOKE can't reach 10.2.2.4.
After some time:
HUB#sh ip nhrp
10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:25:03, expire 00:09:35
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 191.1.1.11
10.1.1.2/32 via 10.1.1.2, Tunnel0 created 00:21:55, expire 00:08:03
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
10.2.2.2/32 via 10.2.2.2, Tunnel1 created 00:21:47, expire 00:08:12
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
only 3 tunnels -
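The two hub-side symptoms in this thread and the earlier one (two spokes registering the same NBMA address on one tunnel interface, and an `incomplete`/`negative` cache entry for a spoke whose registration never reaches the hub) can be picked out of `show ip nhrp` automatically. This is an added Python example, not code from the thread; the sample output is constructed from the hub output above plus one extra spoke (10.1.1.3, invented here) that claims the same NBMA address as 10.1.1.2 on Tunnel0.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the hub's "sh ip nhrp" from the thread, plus an invented
# third spoke 10.1.1.3 registering with the NBMA address already used by 10.1.1.2
# on Tunnel0 (the duplicate-NBMA situation from the DSL/NAT post).
SAMPLE = """\
HUB#sh ip nhrp
10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:15:17, expire 00:09:21
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 191.1.1.11
10.1.1.2/32 via 10.1.1.2, Tunnel0 created 00:12:09, expire 00:07:50
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 191.1.1.12
10.1.1.3/32 via 10.1.1.3, Tunnel0 created 00:01:03, expire 00:08:57
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 191.1.1.12
10.2.2.1/32, Tunnel1 created 00:02:57, expire 00:00:07
  Type: incomplete, Flags: negative
  Cache hits: 7
10.2.2.2/32 via 10.2.2.2, Tunnel1 created 00:12:00, expire 00:07:58
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 191.1.1.12
"""


@dataclass
class NhrpEntry:
    prefix: str                      # e.g. "10.1.1.1/32" (tunnel address)
    interface: str                   # tunnel interface the entry lives on
    via: Optional[str] = None        # next hop; absent for incomplete entries
    entry_type: str = ""             # static / dynamic / incomplete
    flags: List[str] = field(default_factory=list)
    nbma: Optional[str] = None       # transport (NBMA) address as registered


ENTRY_RE = re.compile(r"^(\d+(?:\.\d+){3}/\d+)(?: via (\S+))?, (\S+) created ")
TYPE_RE = re.compile(r"^Type: (\w+), Flags: ?(.*)$")
NBMA_RE = re.compile(r"^NBMA address: (\S+)$")


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    """Turn 'show ip nhrp' output into a list of NhrpEntry records."""
    entries: List[NhrpEntry] = []
    current: Optional[NhrpEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = NhrpEntry(prefix=m.group(1), via=m.group(2), interface=m.group(3))
            entries.append(current)
            continue
        if current is None:
            continue                 # prompt / banner lines before the first entry
        m = TYPE_RE.match(line)
        if m:
            current.entry_type = m.group(1)
            current.flags = m.group(2).split()
            continue
        m = NBMA_RE.match(line)
        if m:
            current.nbma = m.group(1)
    return entries


def find_nbma_collisions(entries: List[NhrpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """NBMA addresses registered by more than one tunnel IP on the SAME tunnel
    interface. The same NBMA on different tunnel interfaces (10.1.1.2 on Tunnel0
    and 10.2.2.2 on Tunnel1 above) is the normal dual-tunnel/shared-profile case
    and is deliberately not reported."""
    claims: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in entries:
        if e.entry_type == "dynamic" and e.nbma:
            claims[(e.interface, e.nbma)].add(e.prefix)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def find_unresolved(entries: List[NhrpEntry]) -> List[Tuple[str, str]]:
    """Peers the hub holds no usable mapping for (incomplete or negative cache
    entries), i.e. spokes whose registration never arrived on that tunnel."""
    return [(e.interface, e.prefix) for e in entries
            if e.entry_type == "incomplete" or "negative" in e.flags]


def audit(text: str) -> Dict[str, object]:
    entries = parse_show_ip_nhrp(text)
    return {"collisions": find_nbma_collisions(entries),
            "unresolved": find_unresolved(entries)}
```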
Does LMS 4.2.1. display DMVPN tunnels at topology service?
Hi,
Can you ask at question in header please?
Thanks,
Oleg
Not generally.
I haven't tried it; but if your DMVPN tunnel is running with GRE mode (vs the more common IPsec) you may be able to enable CDP on the tunnel interface at both ends (must be explicitly enabled - even if CDP is globally enabled) and discover the neighbor relationship that way. -
DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router
Hi Guys,
I'm in a mess, I have Cisco 877-K9 router which sits behind an ASA 5510 FW.
The Design :
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, my DMVPN configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vice versa.
I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site nor am I able to ping my LAN from any Spoke site.
I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
Thanks,
Aj.
Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
All the troubleshooting was done before posting the problem, and to clarify things, please find below the results.
1) What routing protocol are you using?
a) It's OSPF
2) If you're using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
a) I did the "show ip route" and both the HUB and Spokes get their routes defined
(on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
(I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
3) Are your tunnels configured correctly? try show crypto ipsec sa
a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
4) On your hub/spoke do a debug ip icmp
a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
Additional to the info above, Please also note :
I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
So I guess I'm stuck on the point that My Cisco HUB is unable to talk to my LAN, If I can get the HUB to talk to the internal LAN, I would be able to ping clients on LAN from any Spoke or clients behind Spokes.
From HUB router I'm able to ping clients behind Spokes.
Does that give any Ideas ?
Thanks in Advance.
Aj. -
DMVPN GRE over IPSEC Packet loss
I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
interface Tunnel111
description **DPN VPN**
bandwidth 1000
ip address 172.31.111.107 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1300
ip pim sparse-dense-mode
ip nhrp authentication XXXX
ip nhrp map multicast dynamic
ip nhrp map multicast X.X.X.X
ip nhrp map X.X.X.X X.X.X.X
ip nhrp network-id 100002
ip nhrp holdtime 360
ip nhrp nhs 172.31.111.254
ip route-cache flow
ip tcp adjust-mss 1260
ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XXXX
tunnel protection ipsec profile X.X.X.X
interface GigabitEthernet0/0
description **TO DPNVPN**
ip address 10.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip pim sparse-dense-mode
ip virtual-reassembly
duplex full
speed 100
no snmp trap link-status
no mop enabled
Is there anything that you can think of that may be causing this? Do you think this can be a layer one or two issue? Thanks
Brenden
Have you tried turning off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU% will run much higher; you only have 10 spoke sites, though, so it won't be at 100%.
It's better to start troubleshooting at layer 1 and then layer 2 when possible. Have you asked the site's ISP about packet loss on their side?