Spoke 1 R4
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/310172416] via 172.16.245.2, 00:38:28, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.245.0 is directly connected, Serial1/0
D    192.168.2.0/24 [90/297372416] via 172.16.245.2, 00:38:28, Tunnel0

Spoke 2 R5
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/310172416] via 172.16.245.2, 00:39:01, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.245.0 is directly connected, Serial1/0
D    192.168.2.0/24 [90/297372416] via 172.16.245.2, 00:40:42, Tunnel0

From: [email protected]
Date: Thu, 24 Nov 2011 14:58:40 +0100
Subject: Re: [OSL | CCIE_Security] DMVPN Phase 3
To: [email protected]
CC: [email protected]
Please paste sho ip route from the spokes.
2011/11/24 waleed ' <[email protected]>
I have disabled the protection and tried it, and it is the same.

From: [email protected]
Date: Thu, 24 Nov 2011 13:33:52 +0100
Subject: Re: [OSL | CCIE_Security] DMVPN Phase 3
To: [email protected]
CC: [email protected]
Hi,
The other spoke should send the NHRP Reply via the spoke-to-spoke tunnel. It
seems the routers have a problem setting up the IPsec tunnel. Check ISAKMP
Phase 1 and PSK. You can disable tunnel protection for verification too.
Regards,
Piotr
2011/11/24 waleed ' <[email protected]>
I have configured 3 routers for DMVPN Phase 3. This is the tunnel
configuration on the hub:

interface Tunnel0
 ip address 172.16.245.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 1
 no ip split-horizon
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROFILE
end

and on the two spokes:

R4:
interface Tunnel0
 ip address 172.16.245.4 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 172.16.245.2 10.1.245.2
 ip nhrp map multicast 10.1.245.2
 ip nhrp network-id 123
 ip nhrp nhs 172.16.245.2
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROFILE
end

R5:
interface Tunnel0
 ip address 172.16.245.5 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 172.16.245.2 10.1.245.2
 ip nhrp map multicast 10.1.245.2
 ip nhrp network-id 123
 ip nhrp nhs 172.16.245.2
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROFILE
end

and I run EIGRP between all of them, and the spokes' routing tables show
entries for the loopbacks of the other spokes and I can ping those loopbacks,
but my problem is that the spoke-to-spoke tunnel is not working, and when I
check the NHRP table on the spoke:

R5#show ip nhrp
172.16.245.2/32 via 172.16.245.2, Tunnel0 created 09:35:56, never expire
  Type: static, Flags: nat used
  NBMA address: 10.1.245.2
172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:58:21, expire 01:13:32
  Type: dynamic, Flags: router nat implicit
  NBMA address: 10.1.245.4 (no-socket)
192.168.4.4/32, Tunnel0 created 00:00:06, expire 00:02:58
  Type: incomplete, Flags: negative
  Cache hits: 2

The loopback appears as incomplete, and when I debug NHRP I find that the
router sends an NHRP request to the other spoke but the other spoke is not
replying:

R5#
*Nov 24 10:36:23.394: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Nov 24 10:36:23.398:  src: 172.16.245.5, dst: 192.168.4.4
*Nov 24 10:36:23.398:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Nov 24 10:36:23.398:      shtl: 4(NSAP), sstl: 0(NSAP)
*Nov 24 10:36:23.398:  (M) flags: "router auth src-stable nat ", reqid: 29
*Nov 24 10:36:23.402:      src NBMA: 10.1.245.5
*Nov 24 10:36:23.402:      src protocol: 172.16.245.5, dst protocol: 192.168.4.4
*Nov 24 10:36:23.402:  (C-1) code: no error(0)
*Nov 24 10:36:23.402:        prefix: 0, mtu: 1514, hd_time: 7200
R5#
*Nov 24 10:36:23.406:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
R5#
*Nov 24 10:36:54.370: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 88
*Nov 24 10:36:54.374:  src: 172.16.245.5, dst: 192.168.4.4
*Nov 24 10:36:54.374:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Nov 24 10:36:54.374:      shtl: 4(NSAP), sstl: 0(NSAP)
*Nov 24 10:36:54.374:  (M) flags: "router auth src-stable nat ", reqid: 29
*Nov 24 10:36:54.378:      src NBMA: 10.1.245.5
*Nov 24 10:36:54.378:      src protocol: 172.16.245.5, dst protocol: 192.168.4.4
*Nov 24 10:36:54.378:  (C-1) code: no error(0)
*Nov 24 10:36:54.378:        prefix: 0, mtu: 1514, hd_time: 7200
R5#

Has anyone seen anything like this before?
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
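
Added example, not part of the original thread or any poster's code: a small Python parser for "show ip nhrp" text like R5's output in the first message, listing cache entries left incomplete/negative and mappings marked (no-socket). The field layout is assumed from the output as posted, and the function names are hypothetical.

```python
import re

# R5's NHRP cache as posted in the thread, re-broken into one field per line.
SAMPLE = """\
172.16.245.2/32 via 172.16.245.2, Tunnel0 created 09:35:56, never expire
  Type: static, Flags: nat used
  NBMA address: 10.1.245.2
172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:58:21, expire 01:13:32
  Type: dynamic, Flags: router nat implicit
  NBMA address: 10.1.245.4 (no-socket)
192.168.4.4/32, Tunnel0 created 00:00:06, expire 00:02:58
  Type: incomplete, Flags: negative
  Cache hits: 2
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)(?: via (\S+?))?, (\S+) created")
TYPE = re.compile(r"Type: (\w+), Flags: (.*)$")
NBMA = re.compile(r"NBMA address: (\S+)(?: \((no-socket)\))?")


def parse_nhrp(text):
    """Return one dict per cache entry in 'show ip nhrp' style text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header line starts a new entry; "via" is absent on incomplete ones
            entries.append({"prefix": m.group(1), "via": m.group(2), "ifc": m.group(3),
                            "type": None, "flags": [], "nbma": None, "no_socket": False})
            continue
        if not entries:
            continue
        cur = entries[-1]
        if (m := TYPE.search(line)):
            cur["type"], cur["flags"] = m.group(1), m.group(2).split()
        elif (m := NBMA.search(line)):
            cur["nbma"], cur["no_socket"] = m.group(1), m.group(2) is not None
    return entries


def unresolved(entries):
    """Prefixes whose resolution never completed (Type incomplete or negative flag)."""
    return [e["prefix"] for e in entries
            if e["type"] == "incomplete" or "negative" in e["flags"]]


if __name__ == "__main__":
    parsed = parse_nhrp(SAMPLE)
    print("unresolved:", unresolved(parsed))
    print("no-socket:", [e["prefix"] for e in parsed if e["no_socket"]])
```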