Hi, The other spoke should send NHRp Reply via spoke-to-Spoke tunnel. It seems the routers have problem with setting up IPSec tunnel. Check ISAKMP Phase 1 and PSK.
You can disable tunnel protection for verification too. Regards, Piotr 2011/11/24 waleed ' <[email protected]> > I have configured 3 routers for DMVPN phase 3 , this tunnel > configuration on the hub : > interface Tunnel0 > ip address 172.16.245.2 255.255.255.0 > ip mtu 1400 > ip nhrp authentication cisco123 > ip nhrp map multicast dynamic > ip nhrp network-id 123 > ip nhrp cache non-authoritative > ip nhrp shortcut > ip nhrp redirect > no ip split-horizon eigrp 1 > no ip split-horizon > tunnel source Serial1/0 > tunnel mode gre multipoint > tunnel key 123 > tunnel protection ipsec profile DMVPN_PROFILE > end > > and on the tow spoke : > R4: > interface Tunnel0 > ip address 172.16.245.4 255.255.255.0 > ip mtu 1400 > ip nhrp authentication cisco123 > ip nhrp map 172.16.245.2 10.1.245.2 > ip nhrp map multicast 10.1.245.2 > ip nhrp network-id 123 > ip nhrp nhs 172.16.245.2 > ip nhrp cache non-authoritative > ip nhrp shortcut > ip nhrp redirect > tunnel source Serial1/0 > tunnel mode gre multipoint > tunnel key 123 > tunnel protection ipsec profile DMVPN_PROFILE > end > > R5: > interface Tunnel0 > ip address 172.16.245.5 255.255.255.0 > ip mtu 1400 > ip nhrp authentication cisco123 > ip nhrp map 172.16.245.2 10.1.245.2 > ip nhrp map multicast 10.1.245.2 > ip nhrp network-id 123 > ip nhrp nhs 172.16.245.2 > ip nhrp cache non-authoritative > ip nhrp shortcut > ip nhrp redirect > tunnel source Serial1/0 > tunnel mode gre multipoint > tunnel key 123 > tunnel protection ipsec profile DMVPN_PROFILE > end > > > and I run eigrp between the all , and the spookes routing table show > entries for loopback's of other spokes and I can ping that loopbacks , but > my problem is when the spoke to spoke tunnel not working and when I check > NHRP table on spoke > > R5#show ip nhrp > 172.16.245.2/32 via 172.16.245.2, Tunnel0 created 09:35:56, never expire > Type: static, Flags: nat used > NBMA address: 10.1.245.2 > 172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:58:21, expire > 01:13:32 > Type: dynamic, Flags: router nat implicit > NBMA address: 10.1.245.4 > (no-socket) > *192.168.4.4/32, Tunnel0 created 00:00:06, expire 00:02:58* > * Type: incomplete, Flags: negative* > * Cache hits: 2* > * > * > * > * > the loopback appear as incomplete , and when I make debug for NHRP I find > that the router send nhrp request to the other spoke but other spoke not > replaying > > R5# > *Nov 24 10:36:23.394: NHRP: Send Resolution Request via Tunnel0 vrf 0, > packet size: 88 > *Nov 24 10:36:23.398: src: 172.16.245.5, dst: 192.168.4.4 > *Nov 24 10:36:23.398: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1 > *Nov 24 10:36:23.398: shtl: 4(NSAP), sstl: 0(NSAP) > *Nov 24 10:36:23.398: (M) flags: "router auth src-stable nat ", reqid: 29 > *Nov 24 10:36:23.402: src NBMA: 10.1.245.5 > *Nov 24 10:36:23.402: src protocol: 172.16.245.5, dst protocol: > 192.168.4.4 > *Nov 24 10:36:23.402: (C-1) code: no error(0) > *Nov 24 10:36:23.402: prefix: 0, mtu: 1514, hd_time: 7200 > R5# > *Nov 24 10:36:23.406: addr_len: 0(NSAP), subaddr_len: 0(NSAP), > proto_len: 0, pref: 0 > R5# > *Nov 24 10:36:54.370: NHRP: Send Resolution Request via Tunnel0 vrf 0, > packet size: 88 > *Nov 24 10:36:54.374: src: 172.16.245.5, dst: 192.168.4.4 > *Nov 24 10:36:54.374: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1 > *Nov 24 10:36:54.374: shtl: 4(NSAP), sstl: 0(NSAP) > *Nov 24 10:36:54.374: (M) flags: "router auth src-stable nat ", reqid: 29 > *Nov 24 10:36:54.378: src NBMA: 10.1.245.5 > *Nov 24 10:36:54.378: src protocol: 172.16.245.5, dst protocol: > 192.168.4.4 > *Nov 24 10:36:54.378: (C-1) code: no error(0) > *Nov 24 10:36:54.378: prefix: 0, mtu: 1514, hd_time: 7200 > R5# > > > any one se like this before ? > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
