I have disabled the protection and tried it, and it is the same.

From: [email protected]
Date: Thu, 24 Nov 2011 13:33:52 +0100
Subject: Re: [OSL | CCIE_Security] DMVPN Phase 3
To: [email protected]
CC: [email protected]

Hi,

The other spoke should send the NHRP Reply via the spoke-to-spoke tunnel. It seems the routers have a problem setting up the IPSec tunnel. Check ISAKMP Phase 1 and the PSK. You can disable tunnel protection for verification too.

Regards,
Piotr

2011/11/24 waleed ' <[email protected]>

I have configured 3 routers for DMVPN phase 3. This is the tunnel configuration on the hub:

interface Tunnel0
 ip address 172.16.245.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 1
 no ip split-horizon
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROFILE
end

and on the two spokes:

R4:
interface Tunnel0
 ip address 172.16.245.4 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 172.16.245.2 10.1.245.2
 ip nhrp map multicast 10.1.245.2
 ip nhrp network-id 123
 ip nhrp nhs 172.16.245.2
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROFILE
end

R5:
interface Tunnel0
 ip address 172.16.245.5 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 172.16.245.2 10.1.245.2
 ip nhrp map multicast 10.1.245.2
 ip nhrp network-id 123
 ip nhrp nhs 172.16.245.2
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROFILE
end

I run EIGRP between all of them, and the spokes' routing tables show entries for the loopbacks of the other spokes, and I can ping those loopbacks, but my problem is that the spoke-to-spoke tunnel is not working. When I check the NHRP table on a spoke:

R5#show ip nhrp
172.16.245.2/32 via 172.16.245.2, Tunnel0 created 09:35:56, never expire
  Type: static, Flags: nat used
  NBMA address: 10.1.245.2
172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:58:21, expire 01:13:32
  Type: dynamic, Flags: router nat implicit
  NBMA address: 10.1.245.4 (no-socket)
192.168.4.4/32, Tunnel0 created 00:00:06, expire 00:02:58
  Type: incomplete, Flags: negative
  Cache hits: 2

The loopback appears as incomplete, and when I debug NHRP I find that the router sends an NHRP request to the other spoke but the other spoke is not replying:

R5#
*Nov 24 10:36:23.394: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Nov 24 10:36:23.398: src: 172.16.245.5, dst: 192.168.4.4
*Nov 24 10:36:23.398: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Nov 24 10:36:23.398: shtl: 4(NSAP), sstl: 0(NSAP)
*Nov 24 10:36:23.398: (M) flags: "router auth src-stable nat ", reqid: 29
*Nov 24 10:36:23.402: src NBMA: 10.1.245.5
*Nov 24 10:36:23.402: src protocol: 172.16.245.5, dst protocol: 192.168.4.4
*Nov 24 10:36:23.402: (C-1) code: no error(0)
*Nov 24 10:36:23.402: prefix: 0, mtu: 1514, hd_time: 7200
R5#
*Nov 24 10:36:23.406: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
R5#
*Nov 24 10:36:54.370: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Nov 24 10:36:54.374: src: 172.16.245.5, dst: 192.168.4.4
*Nov 24 10:36:54.374: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Nov 24 10:36:54.374: shtl: 4(NSAP), sstl: 0(NSAP)
*Nov 24 10:36:54.374: (M) flags: "router auth src-stable nat ", reqid: 29
*Nov 24 10:36:54.378: src NBMA: 10.1.245.5
*Nov 24 10:36:54.378: src protocol: 172.16.245.5, dst protocol: 192.168.4.4
*Nov 24 10:36:54.378: (C-1) code: no error(0)
*Nov 24 10:36:54.378: prefix: 0, mtu: 1514, hd_time: 7200
R5#

Has anyone seen something like this before?

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
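
Added example, not part of the original thread: a Python parser for the `show ip nhrp` output posted above that flags the two symptoms visible on R5, the entry of Type incomplete and the NBMA address marked (no-socket). The function names and the finding strings are made up for this example, and reading (no-socket) as "no IPsec socket exists for this peer" is an assumption.

```python
import re

# Constructed sample: the R5 "show ip nhrp" output from the post, line breaks restored.
SAMPLE = """\
172.16.245.2/32 via 172.16.245.2, Tunnel0 created 09:35:56, never expire
  Type: static, Flags: nat used
  NBMA address: 10.1.245.2
172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:58:21, expire 01:13:32
  Type: dynamic, Flags: router nat implicit
  NBMA address: 10.1.245.4 (no-socket)
192.168.4.4/32, Tunnel0 created 00:00:06, expire 00:02:58
  Type: incomplete, Flags: negative
  Cache hits: 2
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)(?: via (\S+?))?, (\S+) created")
TYPE = re.compile(r"Type: (\S+), Flags: (.*)")
NBMA = re.compile(r"NBMA address: (\S+)(?: \((no-socket)\))?")

def parse_nhrp(text):
    """Split 'show ip nhrp' output into one dict per cache entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ENTRY.match(line)):
            entries.append({"prefix": m[1], "next_hop": m[2], "intf": m[3],
                            "type": None, "flags": [], "nbma": None,
                            "no_socket": False})
        elif entries and (m := TYPE.search(line)):
            entries[-1]["type"], entries[-1]["flags"] = m[1], m[2].split()
        elif entries and (m := NBMA.search(line)):
            entries[-1]["nbma"], entries[-1]["no_socket"] = m[1], m[2] is not None
    return entries

def triage(entries):
    """Return (prefix, finding) pairs for entries that need a closer look."""
    out = []
    for e in entries:
        if e["type"] == "incomplete":
            # Resolution Request pending or unanswered, as in the posted debug.
            out.append((e["prefix"], "resolution incomplete"))
        elif e["no_socket"]:
            # Assumption: (no-socket) means no IPsec socket exists for this peer.
            out.append((e["prefix"], f"no IPsec socket to NBMA {e['nbma']}"))
    return out

if __name__ == "__main__":
    for prefix, finding in triage(parse_nhrp(SAMPLE)):
        print(f"{prefix}: {finding}")
```
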
