NHRP issue

My company uses DMVPN to connect with branches, but sometimes when I run "show ip nhrp bri", I get some issues.
The show information:
3925VPN#sho ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
192.168.96.2/32      192.168.96.2    58.22.127.76    dynamic  Tu100   <   >
192.168.96.3/32      192.168.96.3    incomplete
192.168.96.4/32      192.168.96.4    incomplete
192.168.96.5/32      192.168.96.5    incomplete
192.168.96.6/32      192.168.96.6    incomplete
192.168.96.7/32      192.168.96.7    incomplete
192.168.96.8/32      192.168.96.8    incomplete
192.168.96.9/32      192.168.96.9    incomplete
192.168.96.10/32     192.168.96.10   incomplete
192.168.96.11/32     192.168.96.11   incomplete
192.168.96.12/32     192.168.96.12   incomplete
192.168.96.13/32     192.168.96.13   incomplete
192.168.96.14/32     192.168.96.14   incomplete
192.168.96.15/32     192.168.96.15   incomplete
192.168.96.16/32     192.168.96.16   incomplete
192.168.96.17/32     192.168.96.17   incomplete
192.168.96.18/32     192.168.96.18   incomplete
192.168.96.19/32     192.168.96.19   incomplete
192.168.96.20/32     192.168.96.20   incomplete
192.168.96.21/32     192.168.96.21   incomplete
192.168.96.22/32     192.168.96.22   incomplete
192.168.96.23/32     192.168.96.23   incomplete
192.168.96.24/32     192.168.96.24   incomplete
192.168.96.25/32     192.168.96.25   incomplete
192.168.96.27/32     192.168.96.27   incomplete
192.168.96.28/32     192.168.96.28   incomplete
192.168.96.29/32     192.168.96.29   incomplete
192.168.96.30/32     192.168.96.30   incomplete
192.168.96.31/32     192.168.96.31   incomplete
192.168.96.32/32     192.168.96.32   incomplete
192.168.96.33/32     192.168.96.33   incomplete
192.168.96.34/32     192.168.96.34   incomplete
192.168.96.35/32     192.168.96.35   incomplete
192.168.96.36/32     192.168.96.36   incomplete
192.168.96.37/32     192.168.96.37   incomplete
192.168.96.38/32     192.168.96.38   incomplete
192.168.96.39/32     192.168.96.39   incomplete
192.168.96.40/32     192.168.96.40   incomplete
192.168.96.41/32     192.168.96.41   incomplete
192.168.96.42/32     192.168.96.42   incomplete
192.168.96.43/32     192.168.96.43   incomplete
192.168.96.44/32     192.168.96.44   incomplete
192.168.96.45/32     192.168.96.45   incomplete
192.168.96.46/32     192.168.96.46   incomplete
192.168.96.47/32     192.168.96.47   incomplete
192.168.96.48/32     192.168.96.48   incomplete
192.168.96.49/32     192.168.96.49   incomplete
192.168.96.50/32     192.168.96.50   incomplete
192.168.96.51/32     192.168.96.51   incomplete
192.168.96.52/32     192.168.96.52   incomplete
192.168.96.53/32     192.168.96.53   incomplete
192.168.96.54/32     192.168.96.54   incomplete
192.168.96.55/32     192.168.96.55   incomplete
192.168.96.56/32     192.168.96.56   incomplete
192.168.96.57/32     192.168.96.57   incomplete
192.168.96.58/32     192.168.96.58   incomplete
192.168.96.59/32     192.168.96.59   incomplete
192.168.96.60/32     192.168.96.60   incomplete
192.168.96.61/32     192.168.96.61   incomplete
192.168.96.62/32     192.168.96.62   incomplete
192.168.96.63/32     192.168.96.63   incomplete
192.168.96.64/32     192.168.96.64   incomplete
192.168.96.65/32     192.168.96.65   incomplete
192.168.96.66/32     192.168.96.66   incomplete
192.168.96.67/32     192.168.96.67   incomplete
192.168.96.68/32     192.168.96.68   incomplete
192.168.96.69/32     192.168.96.69   incomplete
192.168.96.70/32     192.168.96.70   incomplete
192.168.96.71/32     192.168.96.71   incomplete
192.168.96.72/32     192.168.96.72   incomplete
192.168.96.73/32     192.168.96.73   incomplete
192.168.96.74/32     192.168.96.74   incomplete
192.168.96.75/32     192.168.96.75   incomplete
192.168.96.76/32     192.168.96.76   incomplete
192.168.96.77/32     192.168.96.77   incomplete
192.168.96.78/32     192.168.96.78   incomplete
192.168.96.79/32     192.168.96.79   incomplete
192.168.96.80/32     192.168.96.80   incomplete
192.168.96.81/32     192.168.96.81   incomplete
192.168.96.82/32     192.168.96.82   incomplete
192.168.96.83/32     192.168.96.83   incomplete
192.168.96.84/32     192.168.96.84   incomplete
192.168.96.85/32     192.168.96.85   incomplete
192.168.96.86/32     192.168.96.86   incomplete
192.168.96.87/32     192.168.96.87   incomplete
192.168.96.88/32     192.168.96.88   incomplete
192.168.96.89/32     192.168.96.89   incomplete
192.168.96.90/32     192.168.96.90   incomplete
192.168.96.91/32     192.168.96.91   incomplete
192.168.96.92/32     192.168.96.92   incomplete
192.168.96.93/32     192.168.96.93   incomplete
192.168.96.94/32     192.168.96.94   incomplete
192.168.96.95/32     192.168.96.95   incomplete
192.168.96.96/32     192.168.96.96   incomplete
192.168.96.97/32     192.168.96.97   incomplete
192.168.96.98/32     192.168.96.98   incomplete
192.168.96.99/32     192.168.96.99   incomplete
192.168.96.100/32    192.168.96.100  incomplete
192.168.96.101/32    192.168.96.101  incomplete
192.168.96.102/32    192.168.96.102  incomplete
192.168.96.103/32    192.168.96.103  incomplete
192.168.96.104/32    192.168.96.104  incomplete
192.168.96.105/32    192.168.96.105  incomplete
192.168.96.106/32    192.168.96.106  incomplete
192.168.96.107/32    192.168.96.107  incomplete
192.168.96.108/32    192.168.96.108  incomplete
192.168.96.109/32    192.168.96.109  incomplete
192.168.96.110/32    192.168.96.110  incomplete
192.168.96.111/32    192.168.96.111  incomplete
192.168.96.112/32    192.168.96.112  incomplete
192.168.96.113/32    192.168.96.113  incomplete
192.168.96.114/32    192.168.96.114  incomplete
192.168.96.115/32    192.168.96.115  incomplete
192.168.96.116/32    192.168.96.116  incomplete
192.168.96.117/32    192.168.96.117  incomplete
192.168.96.118/32    192.168.96.118  incomplete
192.168.96.119/32    192.168.96.119  incomplete
192.168.96.120/32    192.168.96.120  incomplete
192.168.96.121/32    192.168.96.121  incomplete
192.168.96.122/32    192.168.96.122  incomplete
192.168.96.123/32    192.168.96.123  incomplete
192.168.96.124/32    192.168.96.124  incomplete
192.168.96.125/32    192.168.96.125  incomplete
192.168.96.126/32    192.168.96.126  incomplete
192.168.96.127/32    192.168.96.127  incomplete
192.168.96.128/32    192.168.96.128  incomplete
192.168.96.129/32    192.168.96.129  incomplete
192.168.96.130/32    192.168.96.130  180.213.2.250   dynamic  Tu100   <   >
192.168.96.131/32    192.168.96.131  202.100.251.242 dynamic  Tu100   <   >
192.168.96.134/32    192.168.96.134  219.143.238.165 dynamic  Tu100   <   >
192.168.96.135/32    192.168.96.135  221.226.40.34   dynamic  Tu100   <   >
192.168.96.136/32    192.168.96.136  180.166.39.6    dynamic  Tu100   <   >
192.168.96.137/32    192.168.96.137  incomplete
192.168.96.138/32    192.168.96.138  incomplete
192.168.96.139/32    192.168.96.139  incomplete
192.168.96.140/32    192.168.96.140  incomplete
192.168.96.141/32    192.168.96.141  incomplete
192.168.96.142/32    192.168.96.142  incomplete
192.168.96.143/32    192.168.96.143  incomplete
192.168.96.144/32    192.168.96.144  incomplete
192.168.96.145/32    192.168.96.145  incomplete
192.168.96.146/32    192.168.96.146  incomplete
192.168.96.147/32    192.168.96.147  incomplete
192.168.96.148/32    192.168.96.148  incomplete
192.168.96.149/32    192.168.96.149  incomplete
192.168.96.150/32    192.168.96.150  incomplete
192.168.96.151/32    192.168.96.151  incomplete
192.168.96.152/32    192.168.96.152  incomplete
192.168.96.153/32    192.168.96.153  incomplete
192.168.96.154/32    192.168.96.154  incomplete
192.168.96.155/32    192.168.96.155  incomplete
192.168.96.156/32    192.168.96.156  incomplete
192.168.96.157/32    192.168.96.157  incomplete
192.168.96.158/32    192.168.96.158  incomplete
192.168.96.159/32    192.168.96.159  incomplete
192.168.96.160/32    192.168.96.160  incomplete
192.168.96.161/32    192.168.96.161  incomplete
192.168.96.162/32    192.168.96.162  incomplete
192.168.96.163/32    192.168.96.163  incomplete
192.168.96.164/32    192.168.96.164  incomplete
192.168.96.165/32    192.168.96.165  incomplete
192.168.96.166/32    192.168.96.166  incomplete
192.168.96.167/32    192.168.96.167  incomplete
192.168.96.168/32    192.168.96.168  incomplete
192.168.96.169/32    192.168.96.169  incomplete
192.168.96.170/32    192.168.96.170  incomplete
192.168.96.171/32    192.168.96.171  incomplete
192.168.96.172/32    192.168.96.172  incomplete
192.168.96.173/32    192.168.96.173  incomplete
192.168.96.174/32    192.168.96.174  incomplete
192.168.96.175/32    192.168.96.175  incomplete
192.168.96.176/32    192.168.96.176  incomplete
192.168.96.177/32    192.168.96.177  incomplete
192.168.96.178/32    192.168.96.178  incomplete
192.168.96.179/32    192.168.96.179  incomplete
192.168.96.180/32    192.168.96.180  incomplete
192.168.96.181/32    192.168.96.181  incomplete
192.168.96.182/32    192.168.96.182  incomplete
192.168.96.183/32    192.168.96.183  incomplete
192.168.96.184/32    192.168.96.184  incomplete
192.168.96.185/32    192.168.96.185  incomplete
192.168.96.186/32    192.168.96.186  incomplete
192.168.96.187/32    192.168.96.187  incomplete
192.168.96.188/32    192.168.96.188  incomplete
192.168.96.189/32    192.168.96.189  incomplete
192.168.96.190/32    192.168.96.190  incomplete
192.168.96.191/32    192.168.96.191  incomplete
192.168.96.192/32    192.168.96.192  incomplete
192.168.96.193/32    192.168.96.193  incomplete
192.168.96.194/32    192.168.96.194  incomplete
192.168.96.195/32    192.168.96.195  incomplete
192.168.96.196/32    192.168.96.196  incomplete
192.168.96.197/32    192.168.96.197  incomplete
192.168.96.198/32    192.168.96.198  incomplete
192.168.96.199/32    192.168.96.199  incomplete
192.168.96.200/32    192.168.96.200  incomplete
192.168.96.201/32    192.168.96.201  incomplete
192.168.96.202/32    192.168.96.202  incomplete
192.168.96.203/32    192.168.96.203  incomplete
192.168.96.204/32    192.168.96.204  incomplete
192.168.96.205/32    192.168.96.205  incomplete
192.168.96.206/32    192.168.96.206  incomplete
192.168.96.207/32    192.168.96.207  incomplete
192.168.96.208/32    192.168.96.208  incomplete
192.168.96.209/32    192.168.96.209  incomplete
192.168.96.210/32    192.168.96.210  incomplete
192.168.96.211/32    192.168.96.211  incomplete
192.168.96.212/32    192.168.96.212  incomplete
192.168.96.213/32    192.168.96.213  incomplete
192.168.96.214/32    192.168.96.214  incomplete
192.168.96.215/32    192.168.96.215  incomplete
192.168.96.216/32    192.168.96.216  incomplete
192.168.96.217/32    192.168.96.217  incomplete
192.168.96.218/32    192.168.96.218  incomplete
192.168.96.219/32    192.168.96.219  incomplete
192.168.96.220/32    192.168.96.220  incomplete
192.168.96.221/32    192.168.96.221  incomplete
192.168.96.222/32    192.168.96.222  incomplete
192.168.96.223/32    192.168.96.223  incomplete
192.168.96.224/32    192.168.96.224  incomplete
192.168.96.225/32    192.168.96.225  incomplete
192.168.96.226/32    192.168.96.226  incomplete
192.168.96.227/32    192.168.96.227  incomplete
192.168.96.228/32    192.168.96.228  incomplete
192.168.96.229/32    192.168.96.229  incomplete
192.168.96.231/32    192.168.96.231  incomplete
192.168.96.232/32    192.168.96.232  incomplete
192.168.96.233/32    192.168.96.233  incomplete
192.168.96.234/32    192.168.96.234  incomplete
192.168.96.235/32    192.168.96.235  incomplete
192.168.96.236/32    192.168.96.236  incomplete
192.168.96.237/32    192.168.96.237  incomplete
192.168.96.238/32    192.168.96.238  incomplete
192.168.96.239/32    192.168.96.239  incomplete
192.168.96.240/32    192.168.96.240  incomplete
192.168.96.241/32    192.168.96.241  incomplete
192.168.96.242/32    192.168.96.242  incomplete
192.168.96.243/32    192.168.96.243  incomplete
192.168.96.244/32    192.168.96.244  incomplete
192.168.96.245/32    192.168.96.245  incomplete
192.168.96.246/32    192.168.96.246  incomplete
192.168.96.247/32    192.168.96.247  incomplete
192.168.96.248/32    192.168.96.248  incomplete
192.168.96.249/32    192.168.96.249  incomplete
192.168.96.250/32    192.168.96.250  incomplete
192.168.96.251/32    192.168.96.251  incomplete
192.168.96.252/32    192.168.96.252  incomplete
192.168.96.253/32    192.168.96.253  incomplete
192.168.96.254/32    192.168.96.254  incomplete
Usually, when I show the same information after a while, the NHRP gets back to normal:
3925VPN#sho ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
192.168.96.2/32      192.168.96.2    58.22.127.76    dynamic  Tu100   <   >
192.168.96.130/32    192.168.96.130  180.213.2.250   dynamic  Tu100   <   >
192.168.96.131/32    192.168.96.131  202.100.251.242 dynamic  Tu100   <   >
192.168.96.132/32    192.168.96.132  incomplete
192.168.96.133/32    192.168.96.133  incomplete
192.168.96.134/32    192.168.96.134  219.143.238.165 dynamic  Tu100   <   >
192.168.96.135/32    192.168.96.135  221.226.40.34   dynamic  Tu100   <   >
192.168.96.136/32    192.168.96.136  180.166.39.6    dynamic  Tu100   <   >
Why did this happen, top players? Thx.

pradeepde,
Thank you very much for your response. I think you may be right, I have upgraded the IOS to a maintenance release 12.4.15T9 and this does appear to have fixed the problem.
Thanks again

Similar Messages

  • DMVPN NHRP issue

    I have a phase 2 DMVPN network with approx 40 spoke routers and dual hub routers. 90% of this is working very well. However, I have 3 or 4 spoke routers that are unable to communicate with each other directly (traffic goes via the hub router between these specific sites); however, they are able to communicate directly with the other 35 or so routers. I think this is an NHRP issue, as when I do show ip nhrp detail on one of these 4 routers, the other 3 routers display a (no socket) entry. I am able to clear this "sometimes" by clear ip nhrp. Whenever the (no socket) entry is there, spoke-to-spoke communication does not work. Any help would be greatly appreciated.

    pradeepde,
    Thank you very much for your response. I think you may be right, I have upgraded the IOS to a maintenance release 12.4.15T9 and this does appear to have fixed the problem.
    Thanks again

  • ZBF review and Issues on 871W

    Hello, I am working with an 871W and I am trying to switch from ip inspect to zone-based firewall. Below are the class-maps, policy-maps, zone-pairs, zones, and ACLs. The issue I am having is that once I deploy the ZBF, I cannot get an IP via DHCP. Please review and suggest any improvements or fixes needed.
    class-map type inspect match-any Egress-Filter match access-group name egress-filter
    class-map type inspect match-any Guest_Protocols match protocol http
    match protocol https match protocol dns
    class-map type inspect match-any Ingress-Filter match access-group name ingress-filter
    class-map type inspect match-any All_Protocols match protocol tcp
    match protocol udp match protocol icmp
    class-map type inspect match-all DHCP-Allow match access-group name dhcp-allow
    policy-map type inspect Self_to_Internet class type inspect Egress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Self class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Trusted_To_Self class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Guest_to_Internet class type inspect Guest_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Guest class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Trusted_to_Self class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Self_to_Trusted class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Trusted_to_Internet class type inspect All_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Trusted class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Guest_to_Self class type inspect All_Protocols  inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Self_to_Guest
    class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    zone-pair security Trusted->Internet source Trusted destination Internet
    service-policy type inspect Trusted_to_Internet
    zone-pair security Guest->Internet source Guest destination Internet
    service-policy type inspect Guest_to_Internet
    zone-pair security Internet->Trusted source Internet destination Trusted
    service-policy type inspect Internet_to_Trusted
    zone-pair security Internet->Guest source Internet destination Guest
    service-policy type inspect Internet_to_Guest
    zone-pair security Self->Internet source self destination Internet
    service-policy type inspect Self_to_Internet
    zone-pair security Internet->Self source Internet destination self
    service-policy type inspect Internet_to_Self
    zone-pair security Self->Trusted source self destination Trusted
    service-policy type inspect Self_to_Trusted
    zone-pair security Trusted->Self source Trusted destination self
    service-policy type inspect Trusted_to_Self
    zone-pair security Self->Guest source self destination Guest
    service-policy type inspect Self_to_Guest
    zone-pair security Guest->Self source Guest destination self
    service-policy type inspect Guest_to_Self
    zone security Trusted
    zone security Guest
    zone security Internet
    ip access-list extended NAT
    deny   ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
    permit ip any any
    ip access-list extended dhcp-allow
    permit udp any eq bootps any
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit udp any eq bootpc any
    ip access-list extended egress-filter
    permit ip <REMOVED> 0.0.0.2 any
    remark ----- Junk Traffic -----
    deny   ip any host <REMOVED>
    deny   ip any host <REMOVED>
    deny   ip host <REMOVED> any
    deny   ip host <REMOVED> any
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip any any
    ip access-list extended ingress-filter
    remark ----- Allow access from work
    permit ip <REMOVED> 0.0.0.127 any
    permit ip <REMOVED> 0.0.0.31 any
    permit ip <REMOVED> 0.0.0.255 any
    permit esp any host <REMOVED>
    permit gre any host <REMOVED>
    permit udp any host <REMOVED> eq isakmp
    remark ----- To get IP form COX -----
    permit udp any eq bootps any eq bootpc
    deny   icmp any any
    deny   udp any any eq echo
    deny   udp any eq echo any
    deny   tcp any any fragments
    deny   udp any any fragments
    deny   ip any any fragments
    deny   ip any any option any-options
    deny   ip any any ttl lt 4
    deny   ip any host <REMOVED>
    deny   ip any host <REMOVED>
    deny   udp any any range 33400 34400
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    deny   ip <REMOVED> 0.0.0.3 any
    deny   ip any any

    Running Config
    ! Last configuration change at 05:24:59 AZT Sun Feb 19 2012 by asucrews
    ! NVRAM config last updated at 05:25:57 AZT Sun Feb 19 2012 by asucrews
    version 12.4
    configuration mode exclusive auto expire 600
    parser cache
    no service log backtrace
    no service config
    no service exec-callback
    service nagle
    service slave-log
    no service slave-coredump
    no service pad to-xot
    no service pad from-xot
    no service pad cmns
    no service pad
    no service telnet-zeroidle
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    no service exec-wait
    service linenumber
    no service internal
    no service scripting
    no service compress-config
    service prompt config
    no service old-slip-prompts
    service pt-vty-logging
    no service disable-ip-fast-frag
    service sequence-numbers
    hostname rtwan
    boot-start-marker
    boot-end-marker
    logging exception 4096
    logging count
    no logging message-counter log
    no logging message-counter debug
    logging message-counter syslog
    no logging snmp-authfail
    no logging userinfo
    logging buginf
    logging queue-limit 100
    logging queue-limit esm 0
    logging queue-limit trap 100
    logging buffered 65536
    no logging persistent
    logging rate-limit 512 except critical
    logging console guaranteed
    logging console critical
    logging monitor debugging
    logging on
    enable secret 5
    enable password 7
    aaa new-model
    aaa group server radius rad_eap
    server auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa accounting network acct_methods
    action-type start-stop
    group rad_acct
    aaa session-id common
    memory-size iomem 10
    clock timezone AZT -7
    clock save interval 8
    errdisable detect cause all
    errdisable recovery interval 300
    dot11 syslog
    dot11 activity-timeout unknown default 60
    dot11 activity-timeout client default 60
    dot11 activity-timeout repeater default 60
    dot11 activity-timeout workgroup-bridge default 60
    dot11 activity-timeout bridge default 60
    dot11 ssid guestonpg
    vlan 2
    authentication open
    authentication key-management wpa optional
    guest-mode
    wpa-psk ascii 7
    dot11 ssid playground
    vlan 1
    authentication open
    authentication key-management wpa optional
    wpa-psk ascii 7
    dot11 aaa csid default
    no ip source-route
    no ip gratuitous-arps
    ip icmp redirect subnet
    ip spd queue threshold minimum 73 maximum 74
    ip options drop
    ip dhcp bootp ignore
    ip dhcp excluded-address 192.168.16.33 192.168.16.40
    ip dhcp excluded-address 192.168.16.1 192.168.16.7
    ip dhcp pool vlan1pool
       import all
       network 192.168.16.0 255.255.255.224
       default-router 192.168.16.1
       domain-name jeremycrews.home
       lease 4
    ip dhcp pool vlan2pool
       import all
       network 192.168.16.32 255.255.255.224
       default-router 192.168.16.33
       domain-name guest.jeremycrews.home
       lease 0 6
    ip cef
    ip inspect name firewall tcp router-traffic
    ip inspect name firewall udp router-traffic
    ip inspect name firewall icmp router-traffic
    no ip bootp server
    no ip domain lookup
    ip domain name jeremycrews.home
    ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
    ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
    ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
    ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
    ip host ooma.jeremycrews.home 192.168.16.5
    ip host xbox.jeremycrews.home 192.168.16.6
    ip host wii.jeremycrews.home 192.168.16.7
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip accounting-threshold 100
    ip accounting-list 192.168.16.0 0.0.0.31
    ip accounting-list 192.168.16.32 0.0.0.31
    ip accounting-transits 25
    ip igmp snooping vlan 1
    ip igmp snooping vlan 1 mrouter learn pim-dvmrp
    ip igmp snooping vlan 2
    ip igmp snooping vlan 2 mrouter learn pim-dvmrp
    ip igmp snooping
    login block-for 120 attempts 5 within 60
    login delay 5
    login on-failure log
    parameter-map type inspect log
    audit-trail on
    dot1x system-auth-control
    memory free low-watermark processor 65536
    memory free low-watermark IO 16384
    file prompt alert
    emm clear 1b5b324a1b5b303b30480d
    vtp file flash:vlan.dat
    vtp mode server
    vtp version 1
    username privilege 15 password 7
    username privilege 15 password 7
    no crypto isakmp diagnose error
    archive
    log config
      no record rc
      logging enable
      no logging persistent reload
      no logging persistent
      logging size 255
      notify syslog contenttype plaintext
      no notify syslog contenttype xml
      hidekeys
    path tftp://192.168.16.12/rtwan-config
    maximum 10
    no rollback filter adaptive
    rollback retry timeout 0
    write-memory
    time-period 10080
    scripting tcl low-memory 28965007
    scripting tcl trustpoint untrusted terminate
    no scripting tcl secure-mode
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh break-string ~break
    ip ssh logging events
    ip ssh version 2
    ip ssh dh min size 1024
    class-map type inspect match-any Egress-Filter
    match access-group name egress-filter
    class-map type inspect match-any Guest_Protocols
    match protocol http
    match protocol https
    match protocol dns
    match protocol bootpc
    match protocol bootps
    class-map type inspect match-any Ingress-Filter
    match access-group name ingress-filter
    class-map type inspect match-any All_Protocols
    match protocol tcp
    match protocol udp
    match protocol icmp
    class-map type inspect match-all DHCP-Allow
    match access-group name dhcp-allow
    policy-map type inspect Self_to_Internet
    class type inspect Egress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Self
    class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Self_To_Self
    class class-default
      drop log
    policy-map type inspect Trusted_To_Self
    class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Guest_to_Internet
    class type inspect Guest_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Guest
    class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Trusted_to_Self
    class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Self_to_Trusted
    class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Trusted_to_Internet
    class type inspect All_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Trusted
    class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Guest_to_Self
    class type inspect All_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Self_to_Guest
    class type inspect All_Protocols
      inspect
    class class-default
      drop log
    zone security Trusted
    zone security Guest
    zone security Internet
    zone-pair security Trusted->Internet source Trusted destination Internet
    service-policy type inspect Trusted_to_Internet
    zone-pair security Guest->Internet source Guest destination Internet
    service-policy type inspect Guest_to_Internet
    zone-pair security Internet->Trusted source Internet destination Trusted
    service-policy type inspect Internet_to_Trusted
    zone-pair security Internet->Guest source Internet destination Guest
    service-policy type inspect Internet_to_Guest
    zone-pair security Self->Internet source self destination Internet
    service-policy type inspect Self_to_Internet
    zone-pair security Internet->Self source Internet destination self
    service-policy type inspect Internet_to_Self
    zone-pair security Self->Trusted source self destination Trusted
    service-policy type inspect Self_to_Trusted
    zone-pair security Trusted->Self source Trusted destination self
    service-policy type inspect Trusted_to_Self
    zone-pair security Self->Guest source self destination Guest
    service-policy type inspect Self_to_Guest
    zone-pair security Guest->Self source Guest destination self
    service-policy type inspect Guest_to_Self
    bridge irb
    interface Loopback0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    snmp trap link-status
    interface Null0
    no ip unreachables
    interface FastEthernet0
    description To switch
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode trunk
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    snmp trap link-status
    ip igmp snooping tcn flood
    interface FastEthernet1
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode trunk
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    shutdown
    snmp trap link-status
    spanning-tree portfast
    ip igmp snooping tcn flood
    interface FastEthernet2
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode access
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    shutdown
    snmp trap link-status
    spanning-tree portfast
    ip igmp snooping tcn flood
    interface FastEthernet3
    description Ooma Hub 192.168.16.5
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode access
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    shutdown
    snmp trap link-status
    spanning-tree portfast
    ip igmp snooping tcn flood
    interface FastEthernet4
    description Cox Internet Connection
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip flow ingress
    ip flow egress
    ip nat outside
    no ip virtual-reassembly
    duplex auto
    speed auto
    snmp trap link-status
    no cdp enable
    zone-member security Internet
    interface Dot11Radio0
    description Radio b/g
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    beacon period 100
    beacon dtim-period 2
    dot11 extension aironet
    encryption vlan 1 mode ciphers aes-ccm tkip wep128
    encryption vlan 2 mode ciphers aes-ccm tkip wep128
    broadcast-key vlan 1 change 3600 membership-termination
    broadcast-key vlan 2 change 3600 membership-termination
    ssid guestonpg
    ssid playground
    countermeasure tkip hold-time 60
    short-slot-time
    speed ofdm join
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    packet retries 64
    preamble-short
    channel least-congested
    fragment-threshold 2346
    station-role root
    rts threshold 2312
    rts retries 64
    antenna receive diversity
    antenna transmit diversity
    payload-encapsulation rfc1042
    snmp trap link-status
    interface Dot11Radio0.1
    description Home WLAN
    encapsulation dot1Q 1 native
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no snmp trap link-status
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    description Guest WLAN
    encapsulation dot1Q 2
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no snmp trap link-status
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Vlan1
    description Home LAN
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    autostate
    snmp trap link-status
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Vlan2
    description Guest LAN
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    autostate
    snmp trap link-status
    bridge-group 2
    bridge-group 2 spanning-disabled
    interface BVI1
    description Home Bridge LAN to WLAN
    ip address 192.168.16.1 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    snmp trap link-status
    zone-member security Trusted
    interface BVI2
    description Guest Bridge LAN to WLAN
    ip address 192.168.16.33 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    snmp trap link-status
    zone-member security Guest
    ip classless
    ip forward-protocol nd
    no ip http server
    ip http port 80
    ip http authentication enable
    no ip http secure-server
    ip http secure-port 443
    ip http secure-active-session-modules all
    ip http max-connections 5
    ip http timeout-policy idle 180 life 180 requests 1
    ip http active-session-modules all
    ip http digest algorithm md5
    ip http client cache memory pool 100
    ip http client cache memory file 2
    ip http client cache ager interval 5
    ip http client connection timeout 10
    ip http client connection retry 1
    ip http client connection idle timeout 30
    ip http client response timeout 30
    ip http path
    ip flow-top-talkers
    top 10
    sort-by bytes
    ip nat inside source static tcp 192.168.16.6 53 interface FastEthernet4 53
    ip nat inside source static tcp 192.168.16.6 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.6 3074 interface FastEthernet4 3074
    ip nat inside source static tcp 192.168.16.6 80 interface FastEthernet4 80
    ip nat inside source static udp 192.168.16.6 88 interface FastEthernet4 88
    ip nat inside source static udp 192.168.16.6 53 interface FastEthernet4 53
    ip nat inside source list NAT interface FastEthernet4 overload
    ip access-list extended NAT
    deny   ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
    permit ip any any
    ip access-list extended dhcp-allow
    permit udp any eq bootps any
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit udp any eq bootpc any
    ip access-list extended egress-filter
    permit ip 0.0.0.2 any
    remark ----- Junk Traffic -----
    deny   ip any host
    deny   ip any host
    deny   ip host any
    deny   ip host any
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip any any
    ip access-list extended ingress-filter
    remark ----- Allow access from work
    permit ip 0.0.0.127 any
    permit ip 0.0.0.31 any
    permit ip 0.0.0.255 any
    permit esp any host
    permit gre any host
    permit udp any host eq isakmp
    remark ----- To get IP form COX -----
    permit udp any eq bootps any eq bootpc
    deny   icmp any any
    deny   udp any any eq echo
    deny   udp any eq echo any
    deny   tcp any any fragments
    deny   udp any any fragments
    deny   ip any any fragments
    deny   ip any any option any-options
    deny   ip any any ttl lt 4
    deny   ip any host
    deny   ip any host
    deny   udp any any range 33400 34400
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    deny   ip 0.0.0.2 any
    deny   ip any any
    no ip sla logging traps
    ip sla 1
    icmp-echo 8.8.4.4 source-interface FastEthernet4
    frequency 120
    history hours-of-statistics-kept 1
    history filter failures
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 8.8.8.8 source-interface FastEthernet4
    frequency 30
    history hours-of-statistics-kept 1
    history filter failures
    ip sla reaction-configuration 1 react connectionLoss threshold-type consecutive 5 action-type trapAndTrigger
    ip sla reaction-trigger 1 2
    logging history size 1
    logging history warnings
    logging trap informational
    logging delimiter tcp
    logging facility local7
    no logging source-interface
    access-list 1 permit 192.168.16.0 0.0.0.63
    access-list 20 permit 127.127.1.1
    access-list 20 permit 192.43.244.18
    access-list 20 permit 204.235.61.9
    access-list 20 permit 173.201.38.85
    access-list 20 permit 216.229.4.69
    access-list 20 permit 152.2.21.1
    access-list 20 permit 130.126.24.24
    access-list 21 permit 192.168.16.0 0.0.0.63
    access-list 22 permit 192.168.16.0 0.0.0.63
    mac-address-table aging-time 300
    cdp run
    snmp-server engineID local
    snmp-server view *ilmi system included
    snmp-server view *ilmi atmForumUni included
    snmp-server view v1default iso included
    snmp-server view v1default internet.6.3.15 excluded
    snmp-server view v1default internet.6.3.16 excluded
    snmp-server view v1default internet.6.3.18 excluded
    snmp-server view v1default ciscoMgmt.394 excluded
    snmp-server view v1default ciscoMgmt.395 excluded
    snmp-server view v1default ciscoMgmt.399 excluded
    snmp-server view v1default ciscoMgmt.400 excluded
    snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F ieee802dot11 included
    snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F internet included
    snmp-server community 1682CrewsSNMP v1default RW 22
    snmp-server priority normal
    no snmp-server trap link ietf
    snmp-server trap authentication vrf
    snmp-server trap authentication acl-failure
    snmp-server trap authentication unknown-content
    snmp-server packetsize 1500
    snmp-server queue-limit notification-host 10
    snmp-server chassis-id FHK111016LX
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps tty
    snmp-server enable traps pw vc
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps dot11-qos
    snmp-server enable traps switch-over
    snmp-server enable traps rogue-ap
    snmp-server enable traps wlan-wep
    snmp-server enable traps adslline
    snmp-server enable traps flash insertion removal
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps entity
    snmp-server enable traps fru-ctrl
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps cpu threshold
    snmp-server enable traps syslog
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps ipsla
    snmp-server host 192.168.16.10 traps version 1 udp-port 162
    snmp-server inform retries 3 timeout 15 pending 25
    snmp mib nhrp
    snmp mib notification-log globalsize 500
    snmp mib notification-log globalageout 15
    snmp mib community-map  ILMI engineid
    snmp mib community-map  engineid
    radius-server local
    no authentication mac
    eapfast authority id
    eapfast authority info
    eapfast server-key primary 7
    eapfast server-key secondary 7
    nas key 7
    group users
      vlan 1
      ssid playground
      block count 5 time 60
      reauthentication time 3600
    group guest
      vlan 2
      ssid guestonpg
      block count 3 time 60
      reauthentication time 3600
    user nthash 7 group users
    user nthash 7 group guest
    radius-server attribute 32 include-in-access-req format %h
    radius-server host auth-port 1645 acct-port 1646 key 7
    radius-server vsa send accounting
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    bridge 3 protocol ieee
    bridge 3 route ip
    alias exec h help
    alias exec lo logout
    alias exec p ping
    alias exec r resume
    alias exec s show
    alias exec u undebug
    alias exec un undebug
    alias exec w where
    default-value exec-character-bits 7
    default-value special-character-bits 7
    default-value data-character-bits 8
    line con 0
    password 7
    logging synchronous
    no modem enable
    transport output ssh
    line aux 0
    password 7
    logging synchronous
    transport output ssh
    line vty 0 4
    password 7
    logging synchronous
    transport preferred ssh
    transport input all
    transport output ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    process cpu threshold type total rising 80 interval 10 falling 40 interval 10
    ntp authentication-key 1 md5 7
    ntp authenticate
    ntp trusted-key 1
    ntp source FastEthernet4
    ntp access-group peer 20
    ntp access-group serve-only 21
    ntp master 1
    ntp server 152.2.21.1 maxpoll 4
    ntp server 204.235.61.9 maxpoll 4
    ntp server 130.126.24.24
    ntp server 216.229.4.69 maxpoll 4
    ntp server 173.201.38.85 maxpoll 4
    cns id hostname
    cns id hostname event
    cns id hostname image
    cns image retry 60
    netconf max-sessions 4
    netconf lock-time 10
    netconf max-message 0
    event manager scheduler script thread class default number 1
    event manager scheduler applet thread class default number 32
    event manager history size events 10
    event manager history size traps 10
    end
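
A reference-integrity check for the zone-based firewall objects in the running config above, added here as an example and not part of the original post. `SAMPLE_CONFIG` is a shortened excerpt of the posted config with names unchanged; `parse_zbf` and `audit` are names chosen for this example.

```python
import re
from collections import defaultdict

# Shortened excerpt of the posted running config (ZBF objects only, names unchanged).
SAMPLE_CONFIG = """\
class-map type inspect match-any Ingress-Filter
 match access-group name ingress-filter
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all DHCP-Allow
 match access-group name dhcp-allow
policy-map type inspect Internet_to_Self
 class type inspect Ingress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Self_To_Self
 class class-default
  drop log
policy-map type inspect Trusted_To_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Trusted_to_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
zone-pair security Internet->Self source Internet destination self
 service-policy type inspect Internet_to_Self
zone-pair security Trusted->Self source Trusted destination self
 service-policy type inspect Trusted_to_Self
"""

CLASS_MAP = re.compile(r"^class-map type inspect (?:match-any |match-all )?(\S+)$")
POLICY_MAP = re.compile(r"^policy-map type inspect (\S+)$")
CLASS_REF = re.compile(r"^class type inspect (\S+)$")
ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
SERVICE_POLICY = re.compile(r"^service-policy type inspect (\S+)$")


def parse_zbf(config):
    """Collect class-maps, policy-maps and zone-pairs plus their references.

    Lines are stripped before matching, so a flattened dump without
    indentation (as pasted in the post) parses the same way. A policy-map
    or zone-pair context lasts until the next object header.
    """
    class_maps, policies, pairs = set(), {}, {}
    policy = pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := CLASS_MAP.match(line):
            class_maps.add(m.group(1))
            policy = pair = None
        elif m := POLICY_MAP.match(line):
            policy, pair = m.group(1), None
            policies[policy] = []
        elif m := ZONE_PAIR.match(line):
            pair, policy = m.group(1), None
            pairs[pair] = None
        elif (m := CLASS_REF.match(line)) and policy:
            policies[policy].append(m.group(1))
        elif (m := SERVICE_POLICY.match(line)) and pair:
            pairs[pair] = m.group(1)
    return class_maps, policies, pairs


def audit(config):
    """Return dangling references, unattached policies and case-only name clashes."""
    class_maps, policies, pairs = parse_zbf(config)
    attached = {p for p in pairs.values() if p}
    by_lower = defaultdict(set)
    for name in policies:
        by_lower[name.lower()].add(name)
    return {
        "undefined_policy": sorted(
            (zp, p) for zp, p in pairs.items() if p and p not in policies),
        "pair_without_policy": sorted(zp for zp, p in pairs.items() if p is None),
        "undefined_class": sorted(
            (pol, c) for pol, refs in policies.items()
            for c in refs if c not in class_maps),
        "unattached_policy": sorted(set(policies) - attached),
        "case_collisions": sorted(sorted(v) for v in by_lower.values() if len(v) > 1),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

On the excerpt this reports `Self_To_Self` and `Trusted_To_Self` as defined but not attached to any zone-pair, and flags `Trusted_To_Self` / `Trusted_to_Self` as two policy-maps whose names differ only by case.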

  • DmVPN MM_NO_STATE ISSUE

    Dear all,
    I am trying to connect a dynamic VPN between HQ, with public static IP 82.114.179.120, and a branch with dynamic IP 46.35.80.59.
    The state varies between CONF_XAUTH and MM_NO_STATE.
    Please can you go through the debug files to help solve the issue? The tunnel interface is 10. The show run is after the debug.
    Thanks for your support.
    Regards,

    Hi Mr. Freak again,
    Below is the latest config with the MM_NO_STATE state.
    HQ, which is configured to accept remote VPN clients using a crypto map, is configured for dynamic VPN with the branch.
    The HQ static public IP is 82.114.179.120, the tunnel 10 IP is 172.16.10.1 and the local LAN is 192.168.1.0.
    The branch has a dynamic public IP, the tunnel 10 IP is 172.16.10.32 and the local LAN is 192.168.32.0. It is also configured using tunnel 0 with another HQ, which works fine.
    The branch LAN (192.168.32.0) needs to access the HQ LAN (192.168.1.0)....
    HQ:
    aaa authentication login acs local
    aaa authorization network acs local
    aaa session-id common
    ip cef
    ip name-server 8.8.8.8
    no ipv6 cef
    multilink bundle-name authenticated
    redundancy
    controller VDSL 0/1/0
    crypto keyring ccp-dmvpn-keyring
      pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp keepalive 3600 5
    crypto isakmp nat keepalive 3600
    crypto isakmp xauth timeout 60
    crypto isakmp client configuration group NAMA
     key namanama
     pool mypool
     acl 101
     save-password
    crypto isakmp profile ccp-dmvpn-isakmprofile
       keyring ccp-dmvpn-keyring
       match identity address 0.0.0.0
    crypto ipsec transform-set test esp-3des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
     mode transport
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-AES-MD5
     set isakmp-profile ccp-dmvpn-isakmprofile
    crypto dynamic-map map 10
     set transform-set test
     reverse-route
    crypto map i-map client authentication list acs
    crypto map i-map isakmp authorization list acs
    crypto map i-map client configuration address respond
    crypto map i-map 10 ipsec-isakmp dynamic map
    interface Tunnel10
     bandwidth 1000
     ip address 172.16.10.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip tcp adjust-mss 1360
     delay 1000
     shutdown
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 192.168.0.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface ATM0/1/0
     description DSL Interface
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    interface Dialer0
     no ip address
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname nama20004
     ppp chap password 0 220004
     ppp pap sent-username nama20004 password 0 220004
     crypto map i-map
    ip local pool mypool 192.168.30.1 192.168.30.100
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip nat inside source list 171 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.32.0 255.255.255.0 172.16.10.32
    access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
    access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
    access-list 171 permit ip any any
    dialer-list 2 protocol ip permit
    HQ#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
    82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
    82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)
    Branch show run:
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp policy 11
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key users@NAMA address 82.114.179.105
    crypto isakmp key users@NAMA address 82.114.179.120
    crypto isakmp keepalive 10 periodic
    crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
     mode transport
    crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
     mode transport
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-AES-MD5
    crypto ipsec profile To-Taiz-Profile
     set transform-set To-Taiz
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.0.32 255.255.255.0
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map 172.16.0.1 82.114.179.105
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 172.16.0.1
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Dialer0
     tunnel destination 82.114.179.105
     tunnel key 100000
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Tunnel10
     bandwidth 1000
     ip address 172.16.10.32 255.255.255.0
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map 172.16.10.1 82.114.179.120
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 172.16.10.1
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Dialer0
     tunnel destination 82.114.179.120
     tunnel key 22334455
     tunnel protection ipsec profile To-Taiz-Profile
    interface Ethernet0
     no ip address
     shutdown
    interface ATM0
     no ip address
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     pvc 8/35
      pppoe-client dial-pool-number 1
    interface FastEthernet0
     description ## CONNECT TO LAN ##
     no ip address
    interface FastEthernet1
     description ## CONNECT TO LAN ##
     no ip address
    interface FastEthernet2
     description ## CONNECT TO LAN ##
     no ip address
    interface FastEthernet3
     description ## CONNECT TO LAN ##
     no ip address
    interface Vlan1
     description ## LAN INTERFACE ##
     ip dhcp client hostname none
     ip address 192.168.32.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    interface Dialer0
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname mohammadaa
     ppp chap password 0 123456
     ppp pap sent-username mohammadaa password 0 123456
    ip forward-protocol nd
    ip http server
    ip http access-class 10
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 192.168.0.0 255.255.255.0 172.16.0.1
    ip route 192.168.1.0 255.255.255.0 172.16.10.1
    ip sla auto discovery
    dialer-list 1 protocol ip permit
    access-list 1 permit 192.168.32.0 0.0.0.255
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 10 permit 192.168.0.0 0.0.0.255
    Branch#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
    82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)
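
A consistency check over the HQ and Branch Tunnel10 stanzas quoted above, as an added example that is not part of the original post: it compares the settings that both ends of a GRE/NHRP/IPsec tunnel have to agree on. The two configs are trimmed copies of the posted ones; the function names and the choice of checks are this example's own.

```python
import re

# Constructed from the HQ and Branch "Tunnel10" stanzas in the post above,
# trimmed to the lines this check reads (IOS indents sub-commands by one space).
HUB_CFG = """\
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
interface Tunnel10
 ip address 172.16.10.1 255.255.255.0
 ip nhrp authentication DMVPN_NW
 ip nhrp network-id 100000
 shutdown
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
"""
SPOKE_CFG = """\
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile To-Taiz-Profile
 set transform-set To-Taiz
interface Tunnel10
 ip address 172.16.10.32 255.255.255.0
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.10.1 82.114.179.120
 ip nhrp nhs 172.16.10.1
 tunnel destination 82.114.179.120
 tunnel key 22334455
 tunnel protection ipsec profile To-Taiz-Profile
"""


def stanzas(cfg):
    """Map each top-level command to the list of its indented sub-commands."""
    out, head = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():
            head = raw.strip()
            out[head] = []
        elif head is not None:
            out[head].append(raw.strip())
    return out


def tunnel_facts(cfg, ifname):
    """Collect the tunnel settings that are compared between hub and spoke."""
    st = stanzas(cfg)
    body = st.get(f"interface {ifname}", [])

    def val(prefix, lines=body):
        return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

    # Follow tunnel protection -> ipsec profile -> transform-set definition.
    profile = val("tunnel protection ipsec profile ")
    ts_name = val("set transform-set ", st.get(f"crypto ipsec profile {profile}", []))
    transforms = None
    for head in st:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", head)
        if m and m.group(1) == ts_name:
            transforms = frozenset(m.group(2).split())
    address = val("ip address ")
    return {
        "tunnel key": val("tunnel key "),
        "nhrp authentication": val("ip nhrp authentication "),
        "transforms": transforms,
        "tunnel ip": address.split()[0] if address else None,
        "nhs": val("ip nhrp nhs "),
        "shutdown": "shutdown" in body,
    }


def fmt(value):
    return " ".join(sorted(value)) if isinstance(value, frozenset) else str(value)


def compare(hub, spoke):
    """Return a list of findings; an empty list means the checked settings agree."""
    findings = []
    for key in ("tunnel key", "nhrp authentication", "transforms"):
        if hub[key] != spoke[key]:
            findings.append(f"{key} mismatch: hub={fmt(hub[key])} spoke={fmt(spoke[key])}")
    if spoke["nhs"] != hub["tunnel ip"]:
        findings.append(f"spoke NHS {spoke['nhs']} is not the hub tunnel address {hub['tunnel ip']}")
    for role, facts in (("hub", hub), ("spoke", spoke)):
        if facts["shutdown"]:
            findings.append(f"{role} tunnel is administratively shut down")
    return findings


if __name__ == "__main__":
    for finding in compare(tunnel_facts(HUB_CFG, "Tunnel10"), tunnel_facts(SPOKE_CFG, "Tunnel10")):
        print(finding)
```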

  • FlexVPN Spoke to Spoke issues

    Config:
    Hub:
    interface Virtual-Template1 type tunnel
    description FlexVPN hub-to-spokes
    ip unnumbered Loopback100
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    Spokes:
    interface Tunnel0
    description FlexVPN tunnel
    ip address negotiated
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source Vlan1
    tunnel destination x.x.x.x
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    interface Virtual-Template1 type tunnel
    description FlexVPN spoke-to-spoke
    ip unnumbered Loopback101
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    tunnel protection ipsec profile default
    Hub-Spoke works perfectly. 
    When pinging from a spoke to another spoke's LAN IP, the router misses one ping, returns 1 or two, then misses all other pings until the next reload (clear crypto session does not reset fully).  The spoke used to ping will bring up a Virtual Access interface, and then immediately bring up a second Virtual Access interface, then an invalid SPI is shown (authentication is identical).
    Unfortunately, the issue is not always consistent.  Sometimes, after a reload on all routers, one router will retain the ability to ping, other times no routers can ping.  Here is an example:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
    Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x,
    prot=50, spi=0xE4981ED6(3835174614), srcaddr=x.x.x.x, input interface=Dialer0...
    Success rate is 40 percent (2/5), round-trip min/avg/max = 96/100/104 ms
    Thanks for any help

    John,
    The error means that no matching SPI was found for inbound encrypted traffic on that ingress interface.
    Is that your interface towards ISP? If so and the SPI actually exists in your SADB but somehow is not associated properly.
    When/if opening a case please attach:
    - show crypto ipsec sa
    - show crypto map
    (taken ideally before and after trying to do spoke-to-spoke tunnel)
    I found a reference to a similar problem in our archive, but the customer became unresponsive after a while and no resolution was provided.
    One thing you CAN try is to go to 15.2.4M-latest. And see if the problem persists.
    M.
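
To check what the reply above asks about (whether the SPI from the log is actually in the SADB), this added example, which is not part of the original thread, parses `%CRYPTO-4-RECVD_PKT_INV_SPI` messages and looks the SPI up among the inbound SAs in `show crypto ipsec sa` output. The addresses, the other SPI values and the SADB excerpt are constructed sample data, and the function names and verdict labels are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed input: the syslog message from the post, with documentation
# addresses (RFC 5737) standing in for the redacted x.x.x.x values.
SAMPLE_LOG = """\
Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.10,
prot=50, spi=0xE4981ED6(3835174614), srcaddr=203.0.113.20, input interface=Dialer0...
"""

# Constructed "show crypto ipsec sa" excerpt: two Virtual-Access interfaces
# towards the same peer, as in the symptom described in the post.
SAMPLE_SADB = """\
interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 198.51.100.10
   current_peer 203.0.113.20 port 500
     current outbound spi: 0x0F0E0D0C(252579084)
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x0F0E0D0C(252579084)
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 198.51.100.10
   current_peer 203.0.113.20 port 500
     current outbound spi: 0x5566AABB(1432791739)
     inbound esp sas:
      spi: 0xE4981ED6(3835174614)
     outbound esp sas:
      spi: 0x5566AABB(1432791739)
"""

PROTO = {"50": "esp", "51": "ah"}  # IP protocol numbers used in the log message

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[^,\s]+),\s*"
    r"prot=(?P<prot>\d+),\s*spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\),\s*"
    r"srcaddr=(?P<src>[^,\s]+),\s*input interface=(?P<intf>[^,\s]+)",
    re.S,  # the message wraps onto a second line in the post
)


@dataclass(frozen=True)
class SA:
    spi: int
    direction: str  # "inbound" or "outbound"
    proto: str      # "esp", "ah" or "pcp"
    peer: str
    interface: str


def parse_inv_spi(log_text):
    """Return one dict per RECVD_PKT_INV_SPI message found in the log text."""
    return [
        {
            "spi": int(m["spi"], 16),
            "proto": PROTO.get(m["prot"], m["prot"]),
            "src": m["src"],
            "dst": m["dst"],
            "intf": m["intf"].rstrip("."),
        }
        for m in INV_SPI_RE.finditer(log_text)
    ]


def parse_ipsec_sa(text):
    """Extract every SA (interface, peer, direction, SPI) from the show output."""
    sas, intf, peer, direction, proto = [], None, None, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"interface:\s*(\S+)", s):
            intf, peer, direction = m.group(1), None, None
        elif m := re.match(r"current_peer:?\s*(\S+)", s):
            peer = m.group(1)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            direction, proto = m.groups()
        elif (m := re.match(r"spi:\s*0x([0-9A-Fa-f]+)", s)) and direction:
            sas.append(SA(int(m.group(1), 16), direction, proto, peer, intf))
    return sas


def classify(event, sas):
    """Look the logged SPI up among inbound SAs of the same protocol.

    not_in_sadb        - this router holds no inbound SA with that SPI
    in_sadb_same_peer  - SA exists for the sending peer (the case the reply asks about)
    in_sadb_other_peer - SPI exists, but was negotiated with a different peer
    """
    hits = [sa for sa in sas
            if sa.direction == "inbound" and sa.proto == event["proto"]
            and sa.spi == event["spi"]]
    if not hits:
        return "not_in_sadb", []
    same = [sa for sa in hits if sa.peer == event["src"]]
    return ("in_sadb_same_peer", same) if same else ("in_sadb_other_peer", hits)


if __name__ == "__main__":
    sadb = parse_ipsec_sa(SAMPLE_SADB)
    for ev in parse_inv_spi(SAMPLE_LOG):
        verdict, hits = classify(ev, sadb)
        where = ", ".join(sa.interface for sa in hits) or "-"
        print(f"spi=0x{ev['spi']:08X} from {ev['src']} on {ev['intf']}: {verdict} ({where})")
```

Taking the `show crypto ipsec sa` snapshot before and after the spoke-to-spoke attempt, as the reply suggests, and running both through `classify` shows whether the SPI was ever installed.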

  • DMVPN phase 3 - scalability - nhrp generates high cpu load

    Hey all.
    Been running into scalability issues with DMVPN. Mainly caused (as I see it) by NHRP.
    Scenario:
    IOS-SLB-based DMVPN solution in a dual-cloud setup. Practically it's 2 separate solutions with spokes having 2 tunnels (one in each cloud). See attachment sketch. We're running a phase 3 hierarchy design (trying at least)
    Spoke routers:
    - 2500 routers in a mixture of c871, c881, c2800, c2900. Need to scale to at least twice that.
    - Spoke-to-spoke is heavily used
    Farm routers:
    - Cisco 7201 with VAM2+. Around 1 router per 350 spokes (+1 for secondary tunnel)
    Superhub:
    - ASR 1004 (one for primary and one for secondary dmvpn-cloud).
    We're not running any IPSEC between the farms and the superhubs. Just regular unencrypted DMVPN (mGRE).
    Problem:
    - NHRP is causing high CPU load on the ASRs. With around 2000 spokes up and running on DMVPN the CPU is overloaded with NHRP traffic. We're talking like 60-70% load caused by the NHRP process alone!
    We're using 'ip nhrp interest' on all the spokes - and farms. We're in need of the spoke-to-spoke functionality so we are allowing the LAN segments of our customers but denying everything else.
    Solutions?
    1. Turning off all NHRP resolutions? Basically remove any directly spoke-spoke communications (denying everything on the interest list). We can't go there since a lot of our customers are in dire need for directly spoke-spoke connectivity (due to latency). Haven't tested that it will actually give the much needed scalable solution either (we're facing around 5000 spokes in the next 2-3 years).
    2. Chopping the DMVPN solution up in lesser VPN-blocks. This will administratively be a nightmare.
    3. ?
    Will really appreciate it if anyone has any input here. It's really hard finding anything about a LARGE scale phase3 design on the web. Everything I find seems to mix stuff from small-scale phase 2 and 3 - making it a rather messy cooking recipe for a small breakfast while I need a 7 course perfect dinner
    When will Cisco come with an updated design guide btw?
    Thanks in advance!

    Thank you for your quick reply.
    Our ASRs (rp1) are acting as BGP RR while the farm routers are setup as RR clients.
    We haven't tried connecting spokes directly to the ASRs but we have seen the same symptoms on the 7613s (sup720) and the 7200-platform.
    Earlier the 7600 had the same role the ASRs have today. We were expecting that the ASRs should be doing "a better job" in terms of CPU load but we were wrong (NHRP generated around 10% more cpu load on the ASRs in comparison).
    We concluded that the ASRs have a less optimized OS (coding) being rather new and all. Further we're not all happy about the stability of the platform (clear ip nhrp or taking a shutdown on the tunnel in the current situation will crash the router. 15.1(2)S1 and 15.1(3)S0a adv ip services). Haven't made a TAC case of it yet but will (has to be a bug as I see it since the 7200/7600 is handling this just fine).
    Due to what I mentioned above I don't dare to debug the problem in production time and have to wait until the next scheduled maintenance window for some decent debug output (24. Oct).
    We've contacted Cisco AS for assistance since it's hard to find local consultants (Norway) with enough knowledge of such a scenario.
    I just hope it's a config issue and not a design issue, but we're willing to do whatever it takes for this to scale to the thousands.

  • Cisco 880G+7 3G connection issue

    Hi all  ,
    There is a problem with 3G all the time on the 880G router. It seems that I am doing something wrong or the Cisco modem is not working well.
    On a few modems I can't get a 3G data connection, and when I put that same SIM card in a phone, internet works, but on the 880G router it doesn't.
    How do I get this to work stably?
    boot system flash flash:c880data-universalk9-mz.154-2.T1.bin
    chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
    interface Cellular0
     description WAN towards MTS
     ip address negotiated
     ip mtu 1452
     ip virtual-reassembly in
     encapsulation slip
     load-interval 60
     dialer in-band
     dialer idle-timeout 2147483
     dialer string hspa-R7
     dialer-group 1
     async mode interactive
    dialer-list 1 protocol ip permit
    line 3
     exec-timeout 0 0
     script dialer hspa-R7
     login
     modem InOut
     no exec
     transport input all
     transport output all
    cellular 0 gsm band wcdma-all-bands
    cellular 0 gsm profile create 1 gprswap chap mts 064
    cellular 0 gsm plmn select auto
    #sh cellular 0 network 
    Current Service Status = Normal, Service Error = None
    Current Service = Combined
    Packet Service = UMTS/WCDMA (Attached)
    Packet Session Status = Inactive    <-----
    Current Roaming Status = Home
    Network Selection Mode = Automatic
    Country = SRB, Network = MTS
    Mobile Country Code (MCC) = 220
    Mobile Network Code (MNC) = 3
    Location Area Code (LAC) = 40203
    Routing Area Code (RAC) = 1
    Cell ID = 35420
    Primary Scrambling Code = 236
    PLMN Selection = Automatic
    Registered PLMN =  , Abbreviated = 
    Service Provider = mt:s
    #sh cellular 0 connection 
    Data Transmitted = 0 bytes, Received = 0 bytes
    Profile 1, Packet Session Status = INACTIVE
            Inactivity Reason = Service option not subscribed
    Profile 2, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 3, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 4, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 5, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 6, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 7, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 8, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 9, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 10, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 11, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 12, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 13, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 14, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 15, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 16, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    #sh cellular 0 profile 
    Profile 1 = INACTIVE* **
    PDP Type = IPv4
    Access Point Name (APN) = gprswap
    Authentication = CHAP
    Username: mts
    Password: 064
    #sh cellular 0 hardware 
    Modem Firmware Version = T1_0_3_2AP R361 CNSZ
    Modem Firmware built = 04/15/11
    Hardware Version = 1.0
    International Mobile Subscriber Identity (IMSI) = 
    International Mobile Equipment Identity (IMEI) = 357115041460655
    Integrated Circuit Card ID (ICCID) = 89381030000075802506
    Mobile Subscriber International Subscriber
    IDentity Number (MSISDN) = 
    Factory Serial Number (FSN) = CC3022411121011
    Modem Status = Online
    Current Modem Temperature = 28 deg C, State = Normal
    PRI SKU ID = 9900198, SKU Rev. = 1.2
    #sh cellular 0 radio 
    Radio power mode = ON
    Current Band = WCDMA 2100, Channel Number = 10663
    Current RSSI(RSCP) = -91 dBm
    Band Selected = WCDMA All(800/850/900/1900/IMT 2000)
    Number of nearby cells = 1
    Cell 1
            Primary Scrambling Code = 0xEC
            RSCP = -90 dBm, ECIO = -11 dBm
    Another issue that I want to check: after a reload of the router, it seems like ip sla doesn't want to start.
    The config is:
    ip sla 1
     icmp-echo 8.8.8.8
     frequency 20
    ip sla schedule 1 life forever start-time now
    track 1 ip route 8.8.8.8 255.255.255.255 reachability
    ip route 8.8.8.8 255.255.255.255 Cellular0
    I need this because after a router reload, I need some packets to get the cellular int up and so on ...
    Any idea?
    Please, I need urgent help.
    KR
    VZ

    Thx for the document, I solved this.
    I still have another issue with DMVPN because of NAT over 3G.
         9 212.200.65.244       172.29.3.1    UP 00:20:37    DN
         0 UNKNOWN              172.29.3.5  NHRP    never    IX
         0 UNKNOWN              172.29.3.8  NHRP    never    IX
         0 UNKNOWN              172.29.3.9  NHRP    never    IX
         0 212.200.65.244      172.29.3.13    UP 00:01:10    DN
                               172.29.3.21    UP 00:27:48    DN
         0 UNKNOWN             172.29.3.25  NHRP    never    IX
         0 UNKNOWN             172.29.3.30  NHRP    never    IX
         0 212.200.65.244      172.29.3.34    UP 00:15:10    DN
         1 212.200.65.243      172.29.3.26    UP 00:07:28    DN
    As you can see, a few sites use the same (NATed) public IP, so some DMVPN tunnels don't work.
    Any solution for this ?

  • DMVPN Issues - IPsec packets

    Hi All,
    I am currently trying to configure DMVPN for the first time. I have been following the cisco config guide and googling a few other bits however I seem to have hit a brick wall.
    The setup is in a lab environment so i can post up as much info as required but here are the important bits:
    I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "wan" ports together. the routing is working fine, I can ping each router from each other router.
    A few snippets from the hub router config:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 10000
     ip address 172.17.100.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map multicast dynamic
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description HQ WAN
     ip address 1.1.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    And here's the config on the first spoke router:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 3000
     ip address 172.17.100.10 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map 172.17.100.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip nhrp nhs 172.17.100.1
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description Site 1 WAN
     ip address 11.11.11.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    If I shut/no shut the tunnel0 interface on spoke 1, I get the following error on the hub router:
    Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
    So I feel I'm missing some config on the spoke side to encrypt the traffic but I'm not sure what.
    The following are outputs from the spoke router:
    RTR_SITE1#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
     -------------- Interface Tunnel0 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
       Source addr: 11.11.11.1, Dest addr: MGRE
      Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
    Tunnel VRF "", ip vrf forwarding ""
    NHRP Details: NHS:       172.17.100.1  E
    Type:Spoke, NBMA Peers:1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1         1.1.1.1    172.17.100.1   IKE    never S       172.17.100.1/32
     Interface: Tunnel0
    Session: [0x48E31B98]
      Crypto Session Status: DOWN
      fvrf: (none),   IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
            Active SAs: 0, origin: crypto map
       Outbound SPI : 0x       0, transform :
        Socket State: Closed
    Pending DMVPN Sessions:

    RTR_SITE1#sh ip nhrp detail
    172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
      Type: static, Flags: used
      NBMA address: 1.1.1.1

    RTR_SITE1#sh crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 46, #recv errors 0
         local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    All of these commands show up as blank when I run them on the hub router.
    Any help appreciated.
    Thanks

    Thanks for the help
    I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
    I am using NAT, g0/1 on the routers is the LAN interface with a different 10.x.x.x/24 on each router.
    isakmp policy solved my issue, fixed the MTU as well.
    What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers but not the LAN interfaces.
    Thanks

  • No NHRP support?

    Hi!
    I am in the process of building a template for DMVPN Spokes on the Cisco 828. During the initial phase, I noticed that 12.4(5c) in the k9osy6-mz suite lacks support for NHRP.
    After a few searches I came up with "http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/prod_release_note09186a00801c46b5.html", which doesn't specifically speak about this, but mentions the use of NHRP on this platform, and some issues with NHRP covered in "CSCin95836".
    Was NHRP support removed in 12.4, or am I missing something? The router will not accept any "ip nhrp" command.
    I've tried this on 12.3(9) and 12.4(5c).
    Router(config)#int tunnel0
    Router(config-if)#ip nhrp ?
    % Unrecognized command
    Any input is appreciated!
    Best regards,
    Tord Forland - Norway

    Unfortunately I couldn't find any IOS for the Cisco 828 platform which supports the Next Hop Resolution Protocol (NHRP) feature.
    You can check the support of the NHRP feature with the Cisco Feature Navigator:
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

  • New DVR Issues (First Run, Channel Switching, etc.)

    I've spent the last 30 minutes trying to find answers through the search with no luck, so sorry if I missed something.
    I recently switched to FIOS from RCN cable in New York.  I've gone through trying to setup my DVR and am running into issues and was hoping for some answers.
    1.  I setup two programs to record at 8PM, I was watching another channel at the time and only half paying attention.  Around 8:02 I noticed a message had popped up asking if I would like to switch channels to start recording.  I was expecting it to force it to switch like my old DVR, but in this case it didn't switch and I missed the first two minutes of one of the shows.  I typically leave my DVR on all day and just turn off the TV, this dual show handling will cause issues with that if I forget to turn off the DVR.  Is there a setting I can change that will force the DVR to choose one of the recording channels?
    2.  I setup all my recordings for "First Run" because I only want to see the new episodes.  One show I setup was The Daily Show on comedy central, which is shown weeknights at 11pm and repeated 3-4 times throughout the day.  My scheduled recordings is showing all these as planned recordings even though only the 11pm show is really "new".  Most of the shows I've setup are once a week so they aren't a problem, but this seems like it will quickly fill my DVR.  Any fixes?
    Thanks for the help.

    I came from RCN about a year ago.  Fios is different in several ways, not all of them desirable.  Here are several ways to get--and fix--unwanted recordings from a series recording setup.
    Some general principles. 
    Saving changes.  When you originally create a series with options, or if you go back to edit the options for an existing series, You MUST save the Series Options changes.  Pretty much everywhere else in the user interface, when you change an option, the change takes effect immediately--but not in Series Options.  Look at the Series Options window.  Look at the far right side.  There is a vertical "Save" bar, which you must navigate to and click OK on to actually save your changes.  Exiting the Series Options window without having first saved your changes loses all your attempted changes--immediately.
    Default Series Options.  This is accessed  from [Menu]--DVR--Settings--Default Series Options.  This will bring up the series options that will automatically be applied to the creation of a NEW series. The options for every previously created series will not be affected by a subsequent modification of the Default Series Options.  You should set these options to the way you would like them to be for the majority of series recordings that you are likely to create.  Be sure to SAVE your changes.  This is what you will get when you select "Create Series Recording" from the Guide.  When creating a new series recording where you think that you may want options different from the default, select "Create Series with Options" instead.  Series Options can always be changed for any individual series set up later--but not for all series at once.
    Non-series recordings.  With Fios you have no directly available options for these.  With RCN and most other DVRs, you can change the start and end times for individual episodes, including individual episodes that are also in a series.  With Fios, your workarounds are to create a series with options for a single program, then delete the series later;  change the series options if the program is already in a series, then undo the changes you made to the series options later; or schedule recordings of the preceding and/or following shows as needed.
    And now, to the unwanted repeats. 
    First, make sure your series options for the specific series in question--and not just the series default options--include "First Run Only".  If not, fix that and SAVE.  Then check your results by viewing the current options using the Series Manager app under the DVR menu.
    Second, and most annoying, the Guide can have repeat programs on your channel tagged as "New".  It happens.  Set the series option "Air Time" to "Selected Time".  To make this work correctly, you must have set up the original series recording after selecting the program in the Guide at the exact time of a first run showing (11pm, in your case), and not on a repeat entry in the Guide.  Then, even if The Daily Show is tagged as New for repeat showings, these will be ignored.
    Third, another channel may air reruns of the program in your series recording, and the first showing of a rerun episode on the other channel may be tagged as "New".  These can be ignored in your series if you set the series option "Channel" to "Selected Channel".  Related to this, if there is both an SD and HD channel broadcasting your series program, you will record them both if the series option "Duplicates" is set to "Yes".  However, when the Channel option is set to "Selected Channel", the Duplicates Option is always effectively "No", regardless of what shows up on the options screen.
    As for your missing two minutes,  I have several instances in which two programs start recording at the same time.  To the best of my recollection, whenever the warning message has appeared, ignoring it has not caused a loss of recording time.  You might have an older software version.  Newest is v.1.8.  Look at Menu--Settings--System Info.  Or, I might not have noticed the loss of minutes.  I regularly see up to a minute of previous programming at the start of a recording, or a few missing seconds at the beginning or end of a recording.  There are a lot of possibilities for that, but the DVR clock being incorrect is not one of them.  With RCN, the DVR clocks occasionally drifted off by as much as a minute and a half.

  • Pension issue Mid Month Leaving

    Dear All,
    As per rule system should deduct mid month joining/leaving/absences or transfer scenarios, the Pension/PF Basis will be correspondingly prorated. But our system is not doing this. In RT table I have found 3FC Pension Basis for Er c 01/2010                    0.00           6,500.00.
    Employee leaving date is 14.04.2010. System is picking pension amount as 541. Last year it was coming right.
    Please suggest.
    Ashwani

    Dear Jayanti,
    We required prorata basis pension in case of left employees and system is not doing this. This is the issue. As per our PF experts Pension amount should come on prorata basis for left employees in case they left mid of month. System is doing prorata basis last year but from this year it is deducting 541. I am giving two RT cases of different years.
    RT table for year 2010. DOL 26.04.2010
    /111 EPF Basis              01/2010                    0.00           8,750.00 
    /139 VPF Basis              01/2010                    0.00           8,750.00 
    /3F1 Ee PF contribution     01/2010                    0.00           1,050.00 
    /3F3 Er PF contribution     01/2010                    0.00             509.00 
    /3F5 Ee Mon PF contribution 01/2010                    0.00           1,050.00 
    /3F6 Ee Ann PF contribution 01/2010                    0.00          12,600.00 
    /3F9 PF adm chrgs * 1,00,00 01/2010                    0.00              96.25 
    /3FA PF basis for Ee contri 01/2010                    0.00           8,750.00 
    /3FB PF Basis for Er Contri 01/2010                    0.00           8,750.00 
    /3FJ VPF basis for Ee contr 01/2010                    0.00           8,750.00 
    /3FL PF Basis for Er Contri 01/2010                    0.00           6,500.00 
    /3F4 Er Pension contributio 01/2010                    0.00             541.00
    /3FC Pension Basis for Er c 01/2010                    0.00           6,500.00
    /3FB PF Basis for Er Contri 01/2010                    0.00           8,750.00
    /3FC Pension Basis for Er c 01/2010                    0.00           6,500.00
    /3FJ VPF basis for Ee contr 01/2010                    0.00           8,750.00
    /3FL PF Basis for Er Contri 01/2010                    0.00           6,500.00
    /3R3 Metro HRA Basis Amount 01/2010                    0.00           8,750.00
    1BAS Basic Salary           01/2010                    0.00           8,750.00
    RT table for year 2009. DOL 27.10.2009
    /111 EPF Basis              07/2009                    0.00           9,016.13
    /139 VPF Basis              07/2009                    0.00           9,016.13
    /3F1 Ee PF contribution     07/2009                    0.00           1,082.00
    /3F3 Er PF contribution     07/2009                    0.00             628.00
    /3F5 Ee Mon PF contribution 07/2009                    0.00           1,082.00
    /3F6 Ee Ann PF contribution 07/2009                    0.00           8,822.00
    /3F9 PF adm chrgs * 1,00,00 07/2009                    0.00              99.18
    /3FA PF basis for Ee contri 07/2009                    0.00           9,016.00
    /3FB PF Basis for Er Contri 07/2009                    0.00           9,016.00
    /3FJ VPF basis for Ee contr 07/2009                    0.00           9,016.00
    /3FL PF Basis for Er Contri 07/2009                    0.00           5,452.00
    /3FB PF Basis for Er Contri 07/2009                    0.00           9,016.00 
    /3FC Pension Basis for Er c 07/2009                    0.00           5,452.00 
    /3FJ VPF basis for Ee contr 07/2009                    0.00           9,016.00 
    /3FL PF Basis for Er Contri 07/2009                    0.00           5,452.00 
    /3R4 Non-metro HRA Basis Am 07/2009                    0.00           9,016.13 
    1BAS Basic Salary           07/2009                    0.00           9,016.13 
    Now please suggest what to do. Where is the problem? I have also checked EXIT_HINCALC0_002 but nothing is written in it.
    With Regards
    Ashwani

  • Open PO Analysis - BW report issue

    Hello Friends
    I constructed a query in BW in order to show Open Purchase Orders. We have custom DSO populated with standard
    datasource 2lis_02_itm (Purchase Order Item). In this DSO we mapped the field ELIKZ to the infoobject 0COMP_DEL
    (Delivery completed).
    We loaded the data from ECC system for all POs and found the following issue for Stock Transport Purchase orders (DocType = UB).
    We have a PO with 4 line items. For line items 10 and 20, Goods issued, Goods received and both the flags "Delivery
    complete" and "Final delivery" checked. For line items 30 and 40, only delivery indicator note is issued for zero
    quantity and Delivery complete flag is checked (Final delivery flag is not checked) in ECC system. For this PO, the
    delivery completion indicator is not properly updated in the DSO for line items 30 and 40. The data looks like the
    following:
    DOC_NUM     DOC_ITEM       DOCTYPE     COMP_DEL
    650000001       10     UB        X
    650000001       20     UB        X
    650000001       30     UB
    650000001       40     UB      
    When we run the Open PO analysis report on BW side this PO is appearing in the report but the same is closed in ECC
    system.
    Any help is appreciated in this regard.
    Thanks and Regards
    sampath

    Hi Priya and Reddy
    Thanks for your response.
    Yes, the indicator is checked in EKPO table for items 30 and 40 and delta is running regularly for more than 1 year and no issues with other POs. This is happening only for few POs of type Stock Transport (UB).
    I already checked the changes in ME23N and the Delivery completed indicator was changed and it reflected in EKPO table. Further, I checked the PSA records for this PO and I am getting the records with the Delivery completed flag, but when I update from PSA to DSO the delivery completed indicator is not updating properly.
    In PSA, for item 30 I have the following entries. Record number 42 is capturing the value X for ELIKZ but after that I am getting two more records 43 and 44 with process key 10 and without X for ELIKZ. I think this is causing the problem.
    Record No.   Doc.No.      Item   Processkey   Rocancel   Elikz
    41           6500000001   30     11           X          ---
    42           6500000001   30     11           ---        X
    43           6500000001   30     10           X          ---
    44           6500000001   30     10           ---        ---
    (Here --- means blank)        
    Thanks and Regards
    sampath

  • HP LaserJet Enterprise 600 M602 driver issue

    Hello,
    I've got an issue with 600-series printers. We use the latest UPD driver ver. 61.175.1.18849 and print from XenApp 6.5. The error occurs every time users try to print jpg files from a XenApp session. It only happens with 600 series printers and UPD.
    Also I've tried to assign the native 600-series driver ver. 6.3.9600.16384 and it works well. But with that driver the system says that it's a color printer and it breaks our printing reports. These reports are very important for us. So we can't use the printer with that driver either.
    Printer installed on Windows Server 2012 R2. All clients are Windows 7 x64. XenApp Servers are Server 2008R2.
    Is it possible to get fixed UPD driver or correct native driver for Server 2012 R2?
    Regards,
    Anatoly

    I am sorry, but to get your issue more exposure I would suggest posting it in the commercial forums since this is a commercial printer. You can do this at Printers - LaserJet.
    Click on New Post.
    I hope this helps.
    Please click “Accept as Solution” if you feel my post solved your issue, it will help others find the solution.
    Click the “Kudos Thumbs Up” on the right to say “Thanks” for helping!
    Gemini02
    I work on behalf of HP

  • Windows 7 displays error message when exiting +cursor issue

    Two issues here. CS5 Photoshop on Win 7 64 bit.
    Physical processor count: 8
    Processor speed: 3073 MHz
    Built-in memory: 12279 MB
    Free memory: 9577 MB
    Memory available to Photoshop: 10934 MB
    Memory used by Photoshop: 80 %
    Image tile size: 128K
    First issue is since the latest automatic Adobe update (why fix what isn't broken?). Every time I now exit Photoshop I get the message "Adobe QT Server has stopped working" and occasionally it happens when I exit Bridge. InDesign is also behaving badly. I can no longer start a previous document from file manager without ID crashing out.
    The other is the cursors in Clone and Erase lose their edge (become invisible) for no reason - well, not quite. Noise Ninja crashed Photoshop when I tried to use it. I reinstalled it and all is well. The cursor issue seems to be intermittent but came back (for no reason) after I reinstalled NN. I can't seem to change the cursor, no matter what I do. The problem is now seriously affecting how I work. Almost enough to go back to Win XP, which ran CS5 Photoshop flawlessly.
    Any help will be gratefully accepted.
    Doug

    doug87510 wrote:
    The recent problem is the entire outline of the cursor (including the crosshair in the middle) was missing at any size of cursor. All I had was exactly what I'd get if I used a real spraygun.
    Well, that issue is simply a matter of hitting the Caps Lock key.  When Caps Lock is on, you'll see the cursor outline, and when it is off you'll see a crosshair.  That's a feature, not a bug.
    Glad to hear the 11.1 drivers are out.  I will download them and try them now myself.
    Regarding "Adobe QT" crashing...  QT brings to mind QuickTime, though that is Apple, not Adobe.  Do you have Apple QuickTime installed?
    Regarding memory usage, with 12 GB of installed RAM, you should be able to set Photoshop to use 90% or more in Edit - Preferences - Performance.
    -Noel
