DMVPN issue

I'm having an issue with a couple of branch routers not playing ball with dmvpn. My hubs are Cisco 4k series routers and working for 90% of the other sites. With other 4k series routers as spokes the config works fine. But trying to get a 1900 or 1800 series spoke router working is a nightmare, the crypto and dmvpn config won't come up properly. Below is an example of the branch config WHEN THE TUNNEL WORKS (firstly I will show you the config that actually works on either the 1800 or 1900 series spoke router).

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set DMVPN_TSet esp-aes esp-sha-hmac
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set DMVPN_TSet
interface Tunnel0
 description Tunnel to dmvpnhub1
 bandwidth 8192
 ip address 172.31.220.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxxxx
 ip nhrp map multicast 204.75.81.65
 ip nhrp map 172.31.220.1 204.75.81.65
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.31.220.1
 ip tcp adjust-mss 1360
 qos pre-classify
 keepalive 10 3
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN shared

ip route 204.75.81.65 255.255.255.255 Dialer1

 

Now, when I apply the following config to make the dmvpn use a front door vrf, the tunnel breaks and won't come up.

 

ip vrf dmvpnvrf
 rd 1:1

crypto keyring dmvpnkeyring vrf dmvpnvrf
  pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxx

ip route vrf dmvpnvrf 0.0.0.0 0.0.0.0 di1

int di1
 ip vrf forwarding dmvpnvrf
 ip address negotiated
int tun0
 tunnel vrf dmvpnvrf
int tun1
 tunnel vrf dmvpnvrf

 

If I shut all interfaces down, clear the crypto and dmvpn sessions, then bring it all up, I get some debugs showing the crypto goes to QM_IDLE (indicating it works), and then goes down again. I will provide these debugs below. Please note that there are some NAT-T messages in the debug, but my router ain't using NAT so I don't know why I'm getting NAT-T in the debugs.

06650r2#

06650r2#

06650r2#

Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:07:44.633 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Apr 16 07:07:44.633 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:07:44.633 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:46.689 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:46.689 GMT: ISAKMP:(0): sending packet to 195.143.92.34 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:46.689 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:48.076 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:48.076 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.076 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:48.112 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:48.112 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.112 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (N) NEW SA

Apr 16 07:07:48.120 GMT: ISAKMP: Created a peer struct for 213.39.51.226, peer port 500

Apr 16 07:07:48.120 GMT: ISAKMP: New peer created peer = 0x662FC558 peer_handle = 0x80000019

Apr 16 07:07:48.120 GMT: ISAKMP: Locking peer struct 0x662FC558, refcount 1 for crypto_isakmp_process_block

Apr 16 07:07:48.120 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:07:48.120 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 668F896C

Apr 16 07:07:48.120 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Apr 16 07:07:48.120 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

 

Apr 16 07:07:48.120 GMT: ISAKMP:(0): processing SA payload. message ID = 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:07:48.124 GMT: ISAKMP:(0):found peer pre-shared key matching 213.39.51.226

Apr 16 07:07:48.124 GMT: ISAKMP:(0): local preshared key found

Apr 16 07:07:48.124 GMT: ISAKMP : Scanning profiles for xauth ...

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Apr 16 07:07:48.124 GMT: ISAKMP:      encryption AES-CBC

Apr 16 07:07:48.124 GMT: ISAKMP:      keylength of 256

Apr 16 07:07:48.124 GMT: ISAKMP:      hash SHA

Apr 16 07:07:48.124 GMT: ISAKMP:      default group 2

Apr 16 07:07:48.124 GMT: ISAKMP:      auth pre-share

Apr 16 07:07:48.124 GMT: ISAKMP:      life type in seconds

Apr 16 07:07:48.124 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

Apr 16 07:07:48.124 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:actual life: 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:life: 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Returning Actual lifetime: 86400

Apr 16 07:07:48.124 GMT: ISAKMP:(0)::Started lifetime timer: 86400.

 

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

 

Apr 16 07:07:48.128 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:07:48.128 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Apr 16 07:07:48.132 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

 

06650r2#

Apr 16 07:07:50.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:07:50.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:07:50.736 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:51.236 GMT: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:51.236 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:07:51.236 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:54.632 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:07:54.632 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65) 

Apr 16 07:07:54.632 GMT: ISAKMP: Unlocking peer struct 0x668EE114 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:54.632 GMT: ISAKMP: Deleting peer node by peer_reap for 204.75.81.65: 668EE114

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node 1202920501 error FALSE reason "IKE deleted"

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node -2119501275 error FALSE reason "IKE deleted"

Apr 16 07:07:54.632 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:54.632 GMT: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 

 

Apr 16 07:07:54.936 GMT: ISAKMP:(0): SA request profile is (NULL)

Apr 16 07:07:54.936 GMT: ISAKMP: Created a peer struct for 204.75.81.65, peer port 500

Apr 16 07:07:54.936 GMT: ISAKMP: New peer created peer = 0x668EE114 peer_handle = 0x8000001E

Apr 16 07:07:54.936 GMT: ISAKMP: Locking peer struct 0x668EE114, refcount 1 for isakmp_initiator

Apr 16 07:07:54.936 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:07:54.936 GMT: ISAKMP: set new node 0 to QM_IDLE      

Apr 16 07:07:54.936 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 665F5600

Apr 16 07:07:54.936 GMT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Apr 16 07:07:54.936 GMT: ISAKMP:(0):found peer pre-shared key matching 204.75.81.65

Apr 16 07:07:54.936 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-07 ID

06650r2#

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-03 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-02 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

 

Apr 16 07:07:54.940 GMT: ISAKMP:(0): beginning Main Mode exchange

Apr 16 07:07:54.940 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:56.688 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:56.688 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34)

Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34) 

Apr 16 07:07:56.688 GMT: ISAKMP: Unlocking peer struct 0x661043E0 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:56.688 GMT: ISAKMP: Deleting peer node by peer_reap for 195.143.92.34: 661043E0

Apr 16 07:07:56.688 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

06650r2#

Apr 16 07:07:56.688 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:58.076 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82)

Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82) 

Apr 16 07:07:58.076 GMT: ISAKMP: Unlocking peer struct 0x66577DF0 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:58.076 GMT: ISAKMP: Deleting peer node by peer_reap for 195.81.160.82: 66577DF0

Apr 16 07:07:58.076 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:58.076 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:58.112 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226)

Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226) 

Apr 16 07:07:58.112 GMT: ISAKMP: Unlocking peer struct 0x6661AD08 for isadb_mark_sa_deleted(), count 0

06650r2#

Apr 16 07:07:58.112 GMT: ISAKMP: Deleting peer node by peer_reap for 213.39.51.226: 6661AD08

Apr 16 07:07:58.112 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:58.112 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:07:58.120 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:07:58.120 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

06650r2#

Apr 16 07:07:58.620 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:58.620 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:58.620 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:00.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:00.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:00.740 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:01.240 GMT: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:01.240 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:08:01.240 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:08:04.939 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Apr 16 07:08:04.939 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:08:04.939 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:08.075 GMT: ISAKMP (0): received packet from 195.81.160.82 dport 500 sport 500 dmvpnvrf (N) NEW SA

Apr 16 07:08:08.075 GMT: ISAKMP: Created a peer struct for 195.81.160.82, peer port 500

Apr 16 07:08:08.075 GMT: ISAKMP: New peer created peer = 0x661043E0 peer_handle = 0x80000013

Apr 16 07:08:08.075 GMT: ISAKMP: Locking peer struct 0x661043E0, refcount 1 for crypto_isakmp_process_block

Apr 16 07:08:08.075 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:08:08.075 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6501348C

Apr 16 07:08:08.075 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Apr 16 07:08:08.075 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

 

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing SA payload. message ID = 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:08:08.079 GMT: ISAKMP:(0):found peer pre-shared key matching 195.81.160.82

Apr 16 07:08:08.079 GMT: ISAKMP:(0): local preshared key found

Apr 16 07:08:08.079 GMT: ISAKMP : Scanning profiles for xauth ...

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Apr 16 07:08:08.079 GMT: ISAKMP:      encryption AES-CBC

Apr 16 07:08:08.079 GMT: ISAKMP:      keylength of 256

Apr 16 07:08:08.079 GMT: ISAKMP:      hash SHA

Apr 16 07:08:08.079 GMT: ISAKMP:      default group 2

Apr 16 07:08:08.079 GMT: ISAKMP:      auth pre-share

Apr 16 07:08:08.079 GMT: ISAKMP:      life type in seconds

Apr 16 07:08:08.079 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

Apr 16 07:08:08.079 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:actual life: 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:life: 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Returning Actual lifetime: 86400

Apr 16 07:08:08.083 GMT: ISAKMP:(0)::Started lifetime timer: 86400.

 

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

 

Apr 16 07:08:08.083 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:08:08.083 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:08:08.087 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Apr 16 07:08:08.087 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

 

Apr 16 07:08:08.123 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:08.123 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:08.123 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

06650r2#

Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:08.623 GMT: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:08.623 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:08:08.623 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:10.739 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:10.739 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:10.739 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:11.239 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:11.239 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:08:11.239 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
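The debug above is easier to read per peer than line by line. What follows is an added example written for this thread (not the poster's code and not a Cisco tool): it pulls the peer address, the role marker ((I) this router initiated, (R) this router is responding), the main-mode state and any "deleting SA reason" out of debug lines of the form shown above, and flags every peer that is not a configured hub NBMA address. The only NBMA address in the posted config is 204.75.81.65. The other addresses in the debug (195.143.92.34, 195.81.160.82, 213.39.51.226, 213.39.109.98) arrive as unsolicited inbound main-mode initiators in the dmvpnvrf, and the wildcard "crypto isakmp key ... address 0.0.0.0 0.0.0.0" (and the equally wide keyring entry) lets each of them through the pre-shared-key lookup, which is what the "found peer pre-shared key matching 213.39.51.226" lines show; restricting the keyring to the hub addresses, or matching identity in an ISAKMP profile as the comments below suggest, narrows that. The NAT-T vendor IDs appear because IOS advertises them by default when it builds its own proposal ("constructed NAT-T vendor-rfc3947 ID") and because the inbound initiators advertise them too; they do not mean NAT is in use. The session toward the hub, by contrast, dies as initiator in MM_NO_STATE: the first main-mode message is retransmitted five times and no reply ever arrives.

```python
"""Summarise Cisco IOS `debug crypto isakmp` output per remote peer.

Added example for this thread; not the poster's code and not a Cisco tool.
Extracts peer, role, main-mode state and the "deleting SA reason" from the
debug lines shown in the post, then flags peers that are not configured hubs.
"""
import re
from collections import defaultdict

# Lines taken verbatim from the debug in the post (trimmed to one per event).
SAMPLE_DEBUG = """\
Apr 16 07:07:44.633 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 16 07:07:46.689 GMT: ISAKMP:(0): sending packet to 195.143.92.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:48.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (N) NEW SA
Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 16 07:07:48.128 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)
Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34)
Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226)
Apr 16 07:08:00.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:08:08.075 GMT: ISAKMP (0): received packet from 195.81.160.82 dport 500 sport 500 dmvpnvrf (N) NEW SA
"""

SEND_RE = re.compile(
    r"sending packet to (?P<peer>\d+\.\d+\.\d+\.\d+) my_port \d+ peer_port \d+ "
    r"\((?P<role>[IR])\) (?P<state>\S+)")
# The VRF name is printed only when the packet arrived in a front-door VRF.
RECV_RE = re.compile(
    r"received packet from (?P<peer>\d+\.\d+\.\d+\.\d+) dport \d+ sport \d+ "
    r"(?:(?P<vrf>\S+) )?\((?P<role>[IRN])\) (?P<state>.+?)\s*$")
DEL_RE = re.compile(
    r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) '
    r"(?P<state>\S+) \(peer (?P<peer>\d+\.\d+\.\d+\.\d+)\)")


def summarise_isakmp_debug(text, expected_peers):
    """Return {peer_ip: {role, vrf, last_state, deleted, expected}}."""
    peers = defaultdict(lambda: {"role": None, "vrf": None,
                                 "last_state": None, "deleted": None})
    for line in text.splitlines():
        m = SEND_RE.search(line) or RECV_RE.search(line) or DEL_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        entry = peers[d["peer"]]
        # (N) NEW SA is an inbound first message: the remote side initiated.
        entry["role"] = "R" if d["role"] == "N" else d["role"]
        entry["last_state"] = d["state"]
        if d.get("vrf"):
            entry["vrf"] = d["vrf"]
        if "reason" in d:
            entry["deleted"] = d["reason"]
    return {ip: dict(e, expected=ip in expected_peers) for ip, e in peers.items()}


def unexpected_peers(summary):
    """Peers that exchanged IKE with this router but are not configured hubs."""
    return sorted(ip for ip, e in summary.items() if not e["expected"])


def hub_outcome(summary, hub):
    """How the session toward the configured hub ended, or None if never seen."""
    e = summary.get(hub)
    if e is None:
        return None
    return "%s role, last state %s, %s" % (
        e["role"], e["last_state"], e["deleted"] or "not deleted")


if __name__ == "__main__":
    s = summarise_isakmp_debug(SAMPLE_DEBUG, {"204.75.81.65"})
    for ip, e in sorted(s.items()):
        print(ip, e)
    print("unexpected initiators:", unexpected_peers(s))
    print("hub:", hub_outcome(s, "204.75.81.65"))
```

To use it on a real capture, read the saved debug text from a file and pass it in place of SAMPLE_DEBUG, with the set of hub NBMA addresses from the tunnel configuration as the second argument.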

 

Comments

  • You need to also use an ISAKMP profile and use "match identity" command and specify the FVRF at the end, afterwards call the ISAKMP profile within the IPsec profile.

    Also, you sure you want your Phase2 keys being renegotiated each 2 minutes: "set security-association lifetime seconds 120". This is insane overhead from processing point of view and may make the network unstable at some point.

  • Can you explain why? The same config works on other 4k series spokes, so I'm confused at why it's only needed on older hardware.

  • Hi,

       With only FVRF, so no IVRF, it should work with your config, as you said. You may be hitting a bug, thus take one of the non-working spokes and upgrade it to a stable M code, if still does not work, try using the ISAKMP profile (attach the keyring to the ISAKMP profile) and bind the ISAKMP profile to the IPsec profile.

    Regards,

    Cristian.

  • Ok, that was my next plan anyway (regarding upgrading IOS). I downloaded a new version of code which I'm allowed to put into the device in an hour. Hope it's just some dpd version mismatch or something that's stopping it working.

     

    With regards to the isakmp profile, is there any specifics I need to add in? I'm guessing it's just 

    crypto isakmp profile test

       match identity address 0.0.0.0 

    crypto ipsec profile DMVPN

        set isakmp-profile test

  • DPD cannot break IKE negotiation.

    Sent from my iPhone

    On Apr 16, 2015, at 14:03, sg4rb0 <[email protected]> wrote:

    Ok, that was my next plan anyway. I downloaded a new version of code which I'm allowed to put into the device in an hour. Hope it's just some dpd version mismatch or something that's stopping it working.




    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • Hi, I tried 3-4 different IOS versions now. I get the weirdest issue, I can ping over an IKE-state DMVPN. Have a look, on #sh dmvpn, it just stays in IKE

     

    06650r2#sh dmv
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1    204.75.81.65    172.31.220.1   IKE 00:07:48     S

    Interface: Tunnel1, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1    204.75.81.66    172.31.221.1   IKE 00:07:48     S

    //Here I ping an IP address within the hub side of the network, and check if I can pass traffic over this "IKE" state dmvpn.
    06650r2#ping 172.31.18.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.31.18.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 36/37/40 ms
    06650r2#trace 172.31.18.10
    Type escape sequence to abort.
    Tracing the route to 172.31.18.10
    VRF info: (vrf in name/id, vrf out name/id)
      1 172.31.220.1 [AS 65201] 36 msec 40 msec 36 msec
      2 172.31.34.6 [AS 65201] 36 msec 40 msec 36 msec
      3 172.31.34.1 [AS 65201] 36 msec *  36 msec

    //so I could pass traffic over it, and also I see the eigrp neighbor up, see below.
    06650r2#sh ip eigrp ne
    EIGRP-IPv4 Neighbors for AS(200)
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    1   172.31.221.1            Tu1                2 00:08:10   55   330  0  29972
    0   172.31.220.1            Tu0                2 00:08:11   46   276  0  35528

    //the crypto also looks good.
    06650r2#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    204.75.81.65    213.123.211.12  QM_IDLE           1015 ACTIVE
    213.39.51.226   213.123.211.12  QM_IDLE           1017 ACTIVE
    204.75.81.66    213.123.211.12  QM_IDLE           1016 ACTIVE

    FYI I have added the isakmp profile like you asked, using the code below

    crypto isakmp profile test
       keyring dmvpnkeyring
       match identity address 0.0.0.0
    crypto ipsec profile DMVPN
     set isakmp-profile test


  • That may just be a cosmetic bug, use "show crypto isakmp sa, show crypto ipsec sa, show crypto session detail" to see the real states of IPsec phases, and also that ISAKMP profile has been matched, also the FVRF/IVRF.

    If you use a FVRF named "TEST" the "match identity" statement from the ISAKMP profile needs to specify it, like "match identity address 0.0.0.0 TEST".
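The reply above says to trust "show crypto isakmp sa" and the IPsec/session state over the NHRP column in "show dmvpn". The following is an added example for this thread (not the poster's code or a Cisco tool) that does that cross-check mechanically over the three outputs pasted in the previous post: for each NHS in "show dmvpn" it looks up the ISAKMP SA to that NBMA address and the EIGRP neighbour on the tunnel address, and labels the result. The column layout it parses is the one in those pasted outputs, and the verdict labels (UP, COSMETIC, NO_ROUTING, NO_PHASE1) are this script's own. It also lists ISAKMP SAs whose endpoints match no NHS at all, which in the pasted output is the session with 213.39.51.226, a peer the spoke has no tunnel to.

```python
"""Cross-check `show dmvpn`, `show crypto isakmp sa` and `show ip eigrp
neighbors` to separate a cosmetic NHRP state from a real IKE failure.
Added example for this thread (not the poster's code or a Cisco tool); the
column layout assumed here is the one in the outputs pasted above, and the
verdict labels are this script's own.
"""
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
DMVPN_IF_RE = re.compile(r"Interface:\s*(\S+?),")
# "# Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb"
DMVPN_ROW_RE = re.compile(r"^\s*\d+\s+" + IP + r"\s+" + IP + r"\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# "dst  src  state  conn-id  status"
ISAKMP_ROW_RE = re.compile(r"^\s*" + IP + r"\s+" + IP + r"\s+(\S+)\s+(\d+)\s+(\S+)")
# "H  Address  Interface  Hold Uptime ..."
EIGRP_ROW_RE = re.compile(r"^\s*\d+\s+" + IP + r"\s+(\S+)\s+\d+")

# Outputs as pasted in the post above (legend trimmed).
SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    204.75.81.65    172.31.220.1   IKE 00:07:48     S
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    204.75.81.66    172.31.221.1   IKE 00:07:48     S
"""
SHOW_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
204.75.81.65    213.123.211.12  QM_IDLE           1015 ACTIVE
213.39.51.226   213.123.211.12  QM_IDLE           1017 ACTIVE
204.75.81.66    213.123.211.12  QM_IDLE           1016 ACTIVE
"""
SHOW_EIGRP = """\
EIGRP-IPv4 Neighbors for AS(200)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.31.221.1            Tu1                2 00:08:10   55   330  0  29972
0   172.31.220.1            Tu0                2 00:08:11   46   276  0  35528
"""


def parse_show_dmvpn(text):
    """One dict per NHRP peer row, tagged with the tunnel interface it sits under."""
    entries, iface = [], None
    for line in text.splitlines():
        m = DMVPN_IF_RE.search(line)
        if m:
            iface = m.group(1)
            continue
        m = DMVPN_ROW_RE.match(line)
        if m and iface:
            nbma, tun, state, updn, attrb = m.groups()
            entries.append({"interface": iface, "nbma": nbma, "tunnel_ip": tun,
                            "nhrp_state": state, "updn": updn, "attrb": attrb})
    return entries


def parse_isakmp_sa(text):
    """One dict per phase 1 SA row (dst, src, state, conn_id, status)."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_ROW_RE.match(line)
        if m:
            dst, src, state, conn, status = m.groups()
            sas.append({"dst": dst, "src": src, "state": state,
                        "conn_id": int(conn), "status": status})
    return sas


def parse_eigrp_neighbors(text):
    """Set of neighbour addresses with an EIGRP adjacency."""
    return {m.group(1) for m in map(EIGRP_ROW_RE.match, text.splitlines()) if m}


def correlate(dmvpn_text, isakmp_text, eigrp_text):
    """Per NHS, what NHRP, IKE phase 1 and the routing protocol each say."""
    entries = parse_show_dmvpn(dmvpn_text)
    sas = parse_isakmp_sa(isakmp_text)
    neighbors = parse_eigrp_neighbors(eigrp_text)
    report = []
    for e in entries:
        sa = next((s for s in sas if e["nbma"] in (s["dst"], s["src"])), None)
        phase1 = sa is not None and sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"
        routing = e["tunnel_ip"] in neighbors
        if e["nhrp_state"] == "UP":
            verdict = "UP"
        elif phase1 and routing:
            verdict = "COSMETIC"    # traffic and routing work; NHRP display lags
        elif phase1:
            verdict = "NO_ROUTING"  # IKE fine; look at phase 2 / NHRP registration
        else:
            verdict = "NO_PHASE1"   # IKE really is failing
        report.append(dict(e, isakmp=sa["state"] if sa else None,
                           eigrp=routing, verdict=verdict))
    known = {e["nbma"] for e in entries}
    # Phase 1 SAs whose endpoints match no NHS: peers this spoke has no tunnel to.
    stray = sorted((s["dst"], s["src"]) for s in sas
                   if s["dst"] not in known and s["src"] not in known)
    return report, stray


if __name__ == "__main__":
    report, stray = correlate(SHOW_DMVPN, SHOW_ISAKMP, SHOW_EIGRP)
    for r in report:
        print(r["interface"], r["nbma"], r["nhrp_state"], r["isakmp"], r["eigrp"], r["verdict"])
    print("ISAKMP SAs to non-NHS peers:", stray)
```

On the pasted outputs both hubs come out COSMETIC (QM_IDLE ACTIVE plus an EIGRP neighbour behind an NHRP column that still reads IKE), and the one stray SA is the 213.39.51.226 session; the "show crypto session detail" output the reply also mentions is not parsed here.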

     

  • Hi,

    Is it possible to use Policy based routing with DMVPN? I am working on a scenario to route specific subnets through the internet on a spoke and the rest of the traffic through the tunnel. I have a single subnet for user traffic though. I know PBR works with source routing, but I applied PBR with an access list containing the source and destination subnets and still no luck. I have static routes in place for those specific subnets pointing to my next hop IP and in the route map I am using set ip default next-hop and still no luck.

    By the way I am using IPsec over GRE in my DMVPN implementation. Is there a way that I could achieve my goal? Thanks

  • PBR must be applied inbound.

     

    Does your DMVPN run over the internet, and do you want the traffic coming from the internal network to be routed to the DMVPN or to the internet depending on the policy?

     

    If that is the case, you must apply the PBR on the incoming interface, not on the tunnel.

     

    --

      Paulo Roque


     

     

    On Mon 13 Jul 2015, at 13:36, farshad wrote:

    Hi,

    Is it possible to use Policy based routing with DMVPN? I am working on a scenario to route specific subnets through the internet on a spoke and the rest of the traffic through the tunnel. I have a single subnet for user traffic though. I know PBR works with source routing, but I applied PBR with an access list containing the source and destination subnets and still no luck. I have static routes in place for those specific subnets pointing to my next hop IP and in the route map I am using set ip default next-hop and still no luck.

    By the way I am using IPsec over GRE in my DMVPN implementation. Is there a way that I could achieve my goal? Thanks

     

     

     





  • Thanks Paulo.

    The PBR is applied to the SVI interface only which is the gw for the internal network. I can see the hits on the access list, but when I do the trace route, I just see the gateway IP and drops after that.

     
