On the spoke routers' tunnel interface add: ip nhrp multicast 10.1.1.1
On Fri, Jan 21, 2011 at 8:29 PM, kamran shakil <[email protected]> wrote:

> Dears,
> I am stuck with the troubleshooting, need help on this one ~
>
> I practiced a small setup of 3 routers using same subnet to connect
> each other via a L2 switch. I did this lab in GNS3 with 12.4(15)T IOS. If I
> remove crypto commands and tunnel protection, everything seems ok and work
> fine......., BUT once the crypto commands and tunnel protection is added,
> it stopped working and no routes were showing in the table!!!
>
> I was trying Phase 2 configuration of DMVPN ~
>
> Here is the config:
> ==============
> crypto isakmp policy 10
>  authentication pre-share
>  group 2
> crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile DMVPN
>  set transform-set TSET
> !
> !
>
> interface Loopback0
>  ip address 192.168.1.1 255.255.255.0
> !
> interface Tunnel0
>  ip address 172.16.123.1 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  no ip next-hop-self eigrp 123
>  ip nhrp authentication cisco
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 123
>  ip nhrp cache non-authoritative
>  ip nhrp redirect
>  no ip split-horizon eigrp 123
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 123
>  tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
>  ip address 10.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> router eigrp 123
>  network 172.16.0.0
>  network 192.168.1.0
>  no auto-summary
> !
> router ospf 123
>  log-adjacency-changes
>  network 10.1.1.1 0.0.0.0 area 0
> !
> !
> !
>
> OUTPUTS:-
> ===========
>
> R1#sh ip ro
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2
> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
> level-2
> ia - IS-IS inter area, * - candidate default, U - per-user static
> route
> o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> 172.16.0.0/24 is subnetted, 1 subnets
> C 172.16.123.0 is directly connected, Tunnel0
> 10.0.0.0/24 is subnetted, 1 subnets
> C 10.1.1.0 is directly connected, FastEthernet0/0
> C 192.168.1.0/24 is directly connected, Loopback0
> R1#
>
> R1#SHOW IP NHRP
> 172.16.123.2/32 via 172.16.123.2, Tunnel0 created 00:05:57, expire
> 00:05:58
> Type: dynamic, Flags: unique registered used
> NBMA address: 10.1.1.2
> 172.16.123.3/32 via 172.16.123.3, Tunnel0 created 00:05:59, expire
> 00:05:45
> Type: dynamic, Flags: unique registered used
> NBMA address: 10.1.1.3
> R1#
>
> R1#Show IP eigrp interfaces
>
> IP-EIGRP interfaces for process 123
> Xmit Queue Mean Pacing Time Multicast
> Pending
> Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer
> Routes
> Lo0 0 0/0 0 0/1 0
> 0
> Tu0 0 0/0 0 71/2524 50
> 0
> R1#
>
> R1#SH IP INT BRIEF
> Interface IP-Address OK? Method Status
> Protocol
> FastEthernet0/0 10.1.1.1 YES manual up
> up
> FastEthernet0/1 unassigned YES unset administratively down
> down
> Loopback0 192.168.1.1 YES manual up
> up
> Tunnel0 172.16.123.1 YES manual up
> up
> R1#
>
> R1#sh crypto ipsec profile DMVPN
> IPSEC profile DMVPN
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> TSET,
> }
>
> crypto isakmp policy 10
>  authentication pre-share
>  group 2
> crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile DMVPN
>  set transform-set TSET
> !
> !
> interface Loopback0
>  ip address 192.168.2.2 255.255.255.0
> !
> interface Tunnel0
>  ip address 172.16.123.2 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication cisco
>  ip nhrp map 172.16.123.1 10.1.1.1
>  ip nhrp network-id 123
>  ip nhrp holdtime 360
>  ip nhrp nhs 172.16.123.1
>  ip nhrp cache non-authoritative
>  ip nhrp shortcut
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 123
>  tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
>  ip address 10.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> router eigrp 123
>  network 172.16.0.0
>  network 192.168.2.0
>  no auto-summary
> !
> router ospf 123
>  log-adjacency-changes
>  network 10.1.1.2 0.0.0.0 area 0
> !
> !
>
> OUTPUTS:
> ========
> R2#sh ip int brief
> Interface IP-Address OK? Method Status
> Protocol
> FastEthernet0/0 10.1.1.2 YES manual up
> up
> FastEthernet0/1 unassigned YES unset administratively down
> down
> Loopback0 192.168.2.2 YES manual up
> up
> Tunnel0 172.16.123.2 YES manual up
> up
>
> R2#sh ip ro
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2
> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
> level-2
> ia - IS-IS inter area, * - candidate default, U - per-user static
> route
> o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> 172.16.0.0/24 is subnetted, 1 subnets
> C 172.16.123.0 is directly connected, Tunnel0
> 10.0.0.0/24 is subnetted, 1 subnets
> C 10.1.1.0 is directly connected, FastEthernet0/0
> C 192.168.2.0/24 is directly connected, Loopback0
> R2#
>
> R2#sh ip eigrp neighbors
> IP-EIGRP neighbors for process 123
> H Address Interface Hold Uptime SRTT RTO Q
> Seq
> (sec) (ms) Cnt
> Num
> 0 172.16.123.1 Tu0 13 00:00:57 1 5000 2 0
> R2#
>
> R2#sh ip eigrp interfaces
> IP-EIGRP interfaces for process 123
>
> Xmit Queue Mean Pacing Time Multicast
> Pending
> Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer
> Routes
> Lo0 0 0/0 0 0/1 0
> 0
> Tu0 1 0/0 0 71/2524 50
> 0
> R2#
>
> R2#sh ip nhrp
> 172.16.123.1/32 via 172.16.123.1, Tunnel0 created 00:11:12, never expire
> Type: static, Flags: used
> NBMA address: 10.1.1.1
> R2#
>
> R2#sh cry ipsec profile DMVPN
> IPSEC profile DMVPN
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> TSET,
> }
>
> R2#
>
> R3 CONFIG:
> ==========
>
> crypto isakmp policy 10
>  authentication pre-share
>  group 2
> crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile DMVPN
>  set transform-set TSET
> !
> !
> interface Loopback0
>  ip address 192.168.3.3 255.255.255.0
> !
> interface Tunnel0
>  ip address 172.16.123.3 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication cisco
>  ip nhrp map 172.16.123.1 10.1.1.1
>  ip nhrp network-id 123
>  ip nhrp holdtime 360
>  ip nhrp nhs 172.16.123.1
>  ip nhrp cache non-authoritative
>  ip nhrp shortcut
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 123
>  tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
>  ip address 10.1.1.3 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> router eigrp 123
>  network 172.16.0.0
>  network 192.168.3.0
>  no auto-summary
> !
> router ospf 1
>  log-adjacency-changes
> !
> router ospf 123
>  log-adjacency-changes
>  network 10.1.1.3 0.0.0.0 area 0
> !
> !
> !
>
> OUTPUTS:
> ================
>
> R3#sh ip ro
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2
> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
> level-2
> ia - IS-IS inter area, * - candidate default, U - per-user static
> route
> o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> 172.16.0.0/24 is subnetted, 1 subnets
> C 172.16.123.0 is directly connected, Tunnel0
> 10.0.0.0/24 is subnetted, 1 subnets
> C 10.1.1.0 is directly connected, FastEthernet0/0
> C 192.168.3.0/24 is directly connected, Loopback0
> R3#
>
> R3#SH IP EIgrp interfaces
> IP-EIGRP interfaces for process 123
>
> Xmit Queue Mean Pacing Time Multicast
> Pending
> Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer
> Routes
> Lo0 0 0/0 0 0/1 0
> 0
> Tu0 1 0/0 0 71/2524 50
> 0
> R3#
>
> R3#sh ip nhrp
> 172.16.123.1/32 via 172.16.123.1, Tunnel0 created 00:21:04, never expire
> Type: static, Flags: used
> NBMA address: 10.1.1.1
>
> R3#sh crypto ipsec pro DMVPN
> IPSEC profile DMVPN
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> TSET,
> }
>
> R3#

_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
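
The reply at the top of this thread points at a missing NHRP multicast mapping on the spokes. The following is an added example, not part of either message: a small Python audit that reads IOS tunnel configuration and reports mGRE tunnels lacking that mapping. It assumes the full IOS command form `ip nhrp map multicast <NBMA address>` on spokes and `ip nhrp map multicast dynamic` on the hub; the sample config is constructed from the R2 lines quoted above, and the function names are hypothetical.

```python
# Constructed sample: the R2 spoke tunnel from the post, trimmed to the relevant lines.
SPOKE_CFG = """\
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 ip nhrp map 172.16.123.1 10.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 172.16.123.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
"""

def tunnel_blocks(config):
    """Map each Tunnel interface name to its list of sub-commands."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = blocks.setdefault(name, []) if name.lower().startswith("tunnel") else None
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit_multicast(config):
    """Return (interface, finding) pairs for mGRE tunnels missing a multicast map."""
    findings = []
    for name, cmds in tunnel_blocks(config).items():
        if "tunnel mode gre multipoint" not in cmds:
            continue
        words = [c.split() for c in cmds if c.startswith("ip nhrp ")]
        nhs = [w[3] for w in words if w[2] == "nhs" and len(w) >= 4]
        mcast = [w[4] for w in words if w[2:4] == ["map", "multicast"] and len(w) == 5]
        static = {w[3]: w[4] for w in words
                  if w[2] == "map" and len(w) == 5 and w[3] != "multicast"}
        if not nhs:  # assumption: a tunnel with no NHS configured is the hub
            if "dynamic" not in mcast:
                findings.append((name, "add: ip nhrp map multicast dynamic"))
            continue
        for hub in nhs:  # spoke: each NHS needs a static map and a multicast map
            nbma = static.get(hub)
            if nbma is None:
                findings.append((name, f"no static NHRP map for NHS {hub}"))
            elif nbma not in mcast:
                findings.append((name, f"add: ip nhrp map multicast {nbma}"))
    return findings

if __name__ == "__main__":
    for finding in audit_multicast(SPOKE_CFG):
        print(*finding)
```

Run against the R1 hub configuration quoted above, the audit returns no findings, since that tunnel already carries `ip nhrp map multicast dynamic`.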
