
DMVPN issue
I'm having an issue with a couple of branch routers not playing ball with dmvpn. My hubs are Cisco 4k series routers and working for 90% of the other sites. With other 4k series routers as spokes the config works fine. But trying to get a 1900 or 1800 series spoke router working is a nightmare, the crypto and dmvpn config won't come up properly. Below is an example of the branch config WHEN THE TUNNEL WORKS (firstly I will show you the config that actually works on either the 1800 or 1900 series spoke router).
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set DMVPN_TSet esp-aes esp-sha-hmac
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set DMVPN_TSet
interface Tunnel0
 description Tunnel to dmvpnhub1
 bandwidth 8192
 ip address 172.31.220.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxxxx
 ip nhrp map multicast 204.75.81.65
 ip nhrp map 172.31.220.1 204.75.81.65
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.31.220.1
 ip tcp adjust-mss 1360
 qos pre-classify
 keepalive 10 3
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN shared
ip route 204.75.81.65 255.255.255.255 Dialer1
Now, when I apply the following config to make the dmvpn use a front door vrf, the tunnel breaks and won't come up.
ip vrf dmvpnvrf
 rd 1:1
crypto keyring dmvpnkeyring vrf dmvpnvrf
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxx
ip route vrf dmvpnvrf 0.0.0.0 0.0.0.0 di1
int di1
 ip vrf forwarding dmvpnvrf
 ip address negotiated
int tun0
 tunnel vrf dmvpnvrf
int tun1
 tunnel vrf dmvpnvrf
If I shut all interfaces down, clear the crypto and dmvpn sessions, then bring it all up, I get some debugs showing the crypto goes to QM_IDLE (indicating it works), and then goes down again. I will provide these debugs below. Please note that there are some NAT-T messages in the debug, but my router ain't using NAT so I don't know why I'm getting NAT-T in the debugs.
Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 16 07:07:44.633 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 16 07:07:44.633 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 16 07:07:44.633 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
06650r2#
Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:07:46.689 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:07:46.689 GMT: ISAKMP:(0): sending packet to 195.143.92.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:46.689 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:07:48.076 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:07:48.076 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:48.076 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:07:48.112 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:07:48.112 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:48.112 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 16 07:07:48.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (N) NEW SA
Apr 16 07:07:48.120 GMT: ISAKMP: Created a peer struct for 213.39.51.226, peer port 500
Apr 16 07:07:48.120 GMT: ISAKMP: New peer created peer = 0x662FC558 peer_handle = 0x80000019
Apr 16 07:07:48.120 GMT: ISAKMP: Locking peer struct 0x662FC558, refcount 1 for crypto_isakmp_process_block
Apr 16 07:07:48.120 GMT: ISAKMP: local port 500, remote port 500
Apr 16 07:07:48.120 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 668F896C
Apr 16 07:07:48.120 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 16 07:07:48.120 GMT: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Apr 16 07:07:48.120 GMT: ISAKMP:(0): processing SA payload. message ID = 0
Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T v7
Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v3
Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v2
Apr 16 07:07:48.124 GMT: ISAKMP:(0):found peer pre-shared key matching 213.39.51.226
Apr 16 07:07:48.124 GMT: ISAKMP:(0): local preshared key found
Apr 16 07:07:48.124 GMT: ISAKMP : Scanning profiles for xauth ...
Apr 16 07:07:48.124 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Apr 16 07:07:48.124 GMT: ISAKMP: encryption AES-CBC
Apr 16 07:07:48.124 GMT: ISAKMP: keylength of 256
Apr 16 07:07:48.124 GMT: ISAKMP: hash SHA
Apr 16 07:07:48.124 GMT: ISAKMP: default group 2
Apr 16 07:07:48.124 GMT: ISAKMP: auth pre-share
Apr 16 07:07:48.124 GMT: ISAKMP: life type in seconds
Apr 16 07:07:48.124 GMT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Apr 16 07:07:48.124 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0
Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:actual life: 0
Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:life: 0
Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4
Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Apr 16 07:07:48.124 GMT: ISAKMP:(0):Returning Actual lifetime: 86400
Apr 16 07:07:48.124 GMT: ISAKMP:(0)::Started lifetime timer: 86400.
Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T v7
Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v3
Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v2
Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 16 07:07:48.128 GMT: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Apr 16 07:07:48.128 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Apr 16 07:07:48.128 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:48.128 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 16 07:07:48.132 GMT: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
06650r2#
Apr 16 07:07:50.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:07:50.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Apr 16 07:07:50.736 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1
Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:07:51.236 GMT: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:07:51.236 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP
06650r2#
Apr 16 07:07:51.236 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
06650r2#
Apr 16 07:07:54.632 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 16 07:07:54.632 GMT: ISAKMP:(0):peer does not do paranoid keepalives.
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)
Apr 16 07:07:54.632 GMT: ISAKMP: Unlocking peer struct 0x668EE114 for isadb_mark_sa_deleted(), count 0
Apr 16 07:07:54.632 GMT: ISAKMP: Deleting peer node by peer_reap for 204.75.81.65: 668EE114
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node 1202920501 error FALSE reason "IKE deleted"
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node -2119501275 error FALSE reason "IKE deleted"
Apr 16 07:07:54.632 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 16 07:07:54.632 GMT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Apr 16 07:07:54.936 GMT: ISAKMP:(0): SA request profile is (NULL)
Apr 16 07:07:54.936 GMT: ISAKMP: Created a peer struct for 204.75.81.65, peer port 500
Apr 16 07:07:54.936 GMT: ISAKMP: New peer created peer = 0x668EE114 peer_handle = 0x8000001E
Apr 16 07:07:54.936 GMT: ISAKMP: Locking peer struct 0x668EE114, refcount 1 for isakmp_initiator
Apr 16 07:07:54.936 GMT: ISAKMP: local port 500, remote port 500
Apr 16 07:07:54.936 GMT: ISAKMP: set new node 0 to QM_IDLE
Apr 16 07:07:54.936 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 665F5600
Apr 16 07:07:54.936 GMT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 16 07:07:54.936 GMT: ISAKMP:(0):found peer pre-shared key matching 204.75.81.65
Apr 16 07:07:54.936 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-07 ID
06650r2#
Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 16 07:07:54.940 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 16 07:07:54.940 GMT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 16 07:07:54.940 GMT: ISAKMP:(0): beginning Main Mode exchange
Apr 16 07:07:54.940 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 16 07:07:54.940 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
06650r2#
Apr 16 07:07:56.688 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:07:56.688 GMT: ISAKMP:(0):peer does not do paranoid keepalives.
Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34)
Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34)
Apr 16 07:07:56.688 GMT: ISAKMP: Unlocking peer struct 0x661043E0 for isadb_mark_sa_deleted(), count 0
Apr 16 07:07:56.688 GMT: ISAKMP: Deleting peer node by peer_reap for 195.143.92.34: 661043E0
Apr 16 07:07:56.688 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
06650r2#
Apr 16 07:07:56.688 GMT: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
Apr 16 07:07:58.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:07:58.076 GMT: ISAKMP:(0):peer does not do paranoid keepalives.
Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82)
Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82)
Apr 16 07:07:58.076 GMT: ISAKMP: Unlocking peer struct 0x66577DF0 for isadb_mark_sa_deleted(), count 0
Apr 16 07:07:58.076 GMT: ISAKMP: Deleting peer node by peer_reap for 195.81.160.82: 66577DF0
Apr 16 07:07:58.076 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 16 07:07:58.076 GMT: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
Apr 16 07:07:58.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:07:58.112 GMT: ISAKMP:(0):peer does not do paranoid keepalives.
Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226)
Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226)
Apr 16 07:07:58.112 GMT: ISAKMP: Unlocking peer struct 0x6661AD08 for isadb_mark_sa_deleted(), count 0
06650r2#
Apr 16 07:07:58.112 GMT: ISAKMP: Deleting peer node by peer_reap for 213.39.51.226: 6661AD08
Apr 16 07:07:58.112 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 16 07:07:58.112 GMT: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
Apr 16 07:07:58.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:07:58.120 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Apr 16 07:07:58.120 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1
Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
06650r2#
Apr 16 07:07:58.620 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:07:58.620 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:58.620 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
06650r2#
Apr 16 07:08:00.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:08:00.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Apr 16 07:08:00.740 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1
Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:08:01.240 GMT: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:08:01.240 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP
06650r2#
Apr 16 07:08:01.240 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
06650r2#
Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 16 07:08:04.939 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 16 07:08:04.939 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 16 07:08:04.939 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
06650r2#
Apr 16 07:08:08.075 GMT: ISAKMP (0): received packet from 195.81.160.82 dport 500 sport 500 dmvpnvrf (N) NEW SA
Apr 16 07:08:08.075 GMT: ISAKMP: Created a peer struct for 195.81.160.82, peer port 500
Apr 16 07:08:08.075 GMT: ISAKMP: New peer created peer = 0x661043E0 peer_handle = 0x80000013
Apr 16 07:08:08.075 GMT: ISAKMP: Locking peer struct 0x661043E0, refcount 1 for crypto_isakmp_process_block
Apr 16 07:08:08.075 GMT: ISAKMP: local port 500, remote port 500
Apr 16 07:08:08.075 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6501348C
Apr 16 07:08:08.075 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 16 07:08:08.075 GMT: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing SA payload. message ID = 0
Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T v7
Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v3
Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v2
Apr 16 07:08:08.079 GMT: ISAKMP:(0):found peer pre-shared key matching 195.81.160.82
Apr 16 07:08:08.079 GMT: ISAKMP:(0): local preshared key found
Apr 16 07:08:08.079 GMT: ISAKMP : Scanning profiles for xauth ...
Apr 16 07:08:08.079 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Apr 16 07:08:08.079 GMT: ISAKMP: encryption AES-CBC
Apr 16 07:08:08.079 GMT: ISAKMP: keylength of 256
Apr 16 07:08:08.079 GMT: ISAKMP: hash SHA
Apr 16 07:08:08.079 GMT: ISAKMP: default group 2
Apr 16 07:08:08.079 GMT: ISAKMP: auth pre-share
Apr 16 07:08:08.079 GMT: ISAKMP: life type in seconds
Apr 16 07:08:08.079 GMT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Apr 16 07:08:08.079 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0
Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:actual life: 0
Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:life: 0
Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4
Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Apr 16 07:08:08.079 GMT: ISAKMP:(0):Returning Actual lifetime: 86400
Apr 16 07:08:08.083 GMT: ISAKMP:(0)::Started lifetime timer: 86400.
Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T v7
Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v3
Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload
Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v2
Apr 16 07:08:08.083 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 16 07:08:08.083 GMT: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Apr 16 07:08:08.083 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Apr 16 07:08:08.083 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:08:08.083 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 16 07:08:08.087 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 16 07:08:08.087 GMT: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Apr 16 07:08:08.123 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:08:08.123 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Apr 16 07:08:08.123 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1
06650r2#
Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:08:08.623 GMT: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:08:08.623 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:08:08.623 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
06650r2#
Apr 16 07:08:10.739 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:08:10.739 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Apr 16 07:08:10.739 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1
Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Apr 16 07:08:11.239 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Apr 16 07:08:11.239 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP
06650r2#
Apr 16 07:08:11.239 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
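Added here as an illustration, not part of the original post: a small Python summariser for the debug output above. It folds the per-packet lines into one record per IKE peer (role, packets sent and received, the VRF tag on received packets, duplicate-MM1 count, the "Death by retransmission" reason) and collects the NAT-T vendor IDs, which are capability advertisements exchanged in every main-mode negotiation and do not by themselves mean NAT is in the path. The sample lines are a constructed subset of the post's debug; the verdict wording in diagnose() is my own triage heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the "debug crypto isakmp" lines from the post
# (one initiator attempt toward the hub, one responder exchange with another peer).
SAMPLE_DEBUG = """\
Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 16 07:07:44.633 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 16 07:07:48.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (N) NEW SA
Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v2
Apr 16 07:07:48.128 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)
Apr 16 07:07:58.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:07:58.120 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226)
"""

SEND_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \(([IR])\) (\S+)")
# The token between "sport N" and "(N)" is the VRF the packet arrived in; it is optional
# so the same parser also handles non-VRF debug output.
RECV_RE = re.compile(r"received packet from (\S+) dport \d+ sport \d+ (?:(\S+) )?\(([NIR])\) (.+)$")
DEATH_RE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+) \(peer (\S+)\)')
NATT_RE = re.compile(r"vendor ID is (NAT-T .+)$")


def _new_peer():
    return {"role": None, "sent": 0, "received": 0, "last_sent_state": None,
            "vrf_tags": set(), "duplicates": 0, "death": None}


def summarize(debug_text):
    """Return (peers, nat_t_vids): one record per peer address, plus NAT-T vendor IDs seen.

    'duplicates' counts "phase 1 packet is a duplicate" lines, attributed to the peer
    of the most recent "received packet" line (IOS prints them back to back).
    """
    peers = defaultdict(_new_peer)
    nat_t_vids = set()
    last_rx_peer = None
    for line in debug_text.splitlines():
        line = line.rstrip()
        if m := SEND_RE.search(line):
            p = peers[m.group(1)]
            p["role"] = m.group(2)            # (I) we initiated, (R) we are responding
            p["sent"] += 1
            p["last_sent_state"] = m.group(3)
        elif m := RECV_RE.search(line):
            p = peers[m.group(1)]
            p["received"] += 1
            if m.group(2):
                p["vrf_tags"].add(m.group(2))
            last_rx_peer = m.group(1)
        elif m := DEATH_RE.search(line):
            peers[m.group(4)]["death"] = (m.group(1), m.group(3))
        elif m := NATT_RE.search(line):
            nat_t_vids.add(m.group(1).strip())
        elif "packet is a duplicate" in line and last_rx_peer:
            peers[last_rx_peer]["duplicates"] += 1
    return dict(peers), nat_t_vids


def diagnose(peers):
    """One triage verdict per peer, derived only from what the debug lines show (heuristic)."""
    verdicts = {}
    for addr, p in peers.items():
        if p["role"] == "I" and p["received"] == 0:
            verdicts[addr] = "initiator: no reply ever received; check the FVRF route and source for IKE"
        elif p["role"] == "R" and p["death"]:
            verdicts[addr] = "responder: peer re-sent its first message after our reply, then phase 1 died"
        elif p["death"]:
            verdicts[addr] = "phase 1 died: " + p["death"][0]
        else:
            verdicts[addr] = "phase 1 in progress or completed"
    return verdicts


if __name__ == "__main__":
    peers, vids = summarize(SAMPLE_DEBUG)
    for addr, verdict in diagnose(peers).items():
        print(addr, peers[addr]["vrf_tags"] or "-", verdict)
    print("NAT-T vendor IDs advertised:", sorted(vids))
```

Run it against the full debug capture (paste it into SAMPLE_DEBUG or read it from a file) to see at a glance which peers never answered the spoke and which received packets carried the dmvpnvrf tag.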
Comments
You need to also use an ISAKMP profile and use "match identity" command and specify the FVRF at the end, afterwards call the ISAKMP profile within the IPsec profile.
Also, you sure you want your Phase2 keys being renegotiated every 2 minutes: "set security-association lifetime seconds 120". This is insane overhead from a processing point of view and may make the network unstable at some point.
Can you explain why? The same config works on other 4k series spokes, so I'm confused at why it's only needed on older hardware.
Hi,
With only FVRF, so no IVRF, it should work with your config, as you said. You may be hitting a bug, thus take one of the non-working spokes and upgrade it to a stable M code; if it still does not work, try using the ISAKMP profile (attach the keyring to the ISAKMP profile) and bind the ISAKMP profile to the IPsec profile.
Regards,
Cristian.
Ok, that was my next plan anyway (regarding upgrading IOS). I downloaded a new version of code which I'm allowed to put into the device in an hour. Hope it's just some dpd version mismatch or something that's stopping it working.
With regards to the isakmp profile, is there any specifics I need to add in? I'm guessing it's just
crypto isakmp profile test
 match identity address 0.0.0.0
crypto ipsec profile DMVPN
 set isakmp-profile test
Sent from my iPhone
On Apr 16, 2015, at 14:03, sg4rb0 <[email protected]> wrote:
Hi, I tried 3-4 different IOS versions now. I get the weirdest issue, I can ping over an IKE state DMVPN. Have a look, on #sh dmvpn, it just stays in IKE
06650r2#sh dmv
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 204.75.81.65 172.31.220.1 IKE 00:07:48 S
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 204.75.81.66 172.31.221.1 IKE 00:07:48 S
//Here I ping an IP address within the hub side of the network, and check if I can pass traffic over this "IKE" state dmvpn.
06650r2#ping 172.31.18.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.18.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/37/40 ms
06650r2#trace 172.31.18.10
Type escape sequence to abort.
Tracing the route to 172.31.18.10
VRF info: (vrf in name/id, vrf out name/id)
1 172.31.220.1 [AS 65201] 36 msec 40 msec 36 msec
2 172.31.34.6 [AS 65201] 36 msec 40 msec 36 msec
3 172.31.34.1 [AS 65201] 36 msec * 36 msec
//so I could pass traffic over it, and also I see the eigrp neighbor up, see below.
06650r2#sh ip eigrp ne
EIGRP-IPv4 Neighbors for AS(200)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.31.221.1 Tu1 2 00:08:10 55 330 0 29972
0 172.31.220.1 Tu0 2 00:08:11 46 276 0 35528
//the crypto also looks good.
06650r2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
204.75.81.65 213.123.211.12 QM_IDLE 1015 ACTIVE
213.39.51.226 213.123.211.12 QM_IDLE 1017 ACTIVE
204.75.81.66 213.123.211.12 QM_IDLE 1016 ACTIVE
FYI I have added the isakmp profile like you asked, using the code below
crypto isakmp profile test
 keyring dmvpnkeyring
 match identity address 0.0.0.0
crypto ipsec profile DMVPN
 set isakmp-profile test
That may just be a cosmetic bug, use "show crypto isakmp sa, show crypto ipsec sa, show crypto session detail" to see the real states of IPsec phases, and also that ISAKMP profile has been matched, also the FVRF/IVRF.
If you use a FVRF named "TEST" the "match identity" statement from the ISAKMP profile needs to specify it, like "match identity address 0.0.0.0 TEST".
Hi,
Is it possible to use Policy based routing with DMVPN? I am working on a scenario to route specific subnets through internet on a spoke and the rest of traffic through the tunnel. I have a single subnet for user traffic though. I know PBR works with source routing, but I applied PBR with an access list containing the source and destination subnets and still no luck. I have static routes in place for those specific subnets pointing to my next hop IP and in the route map I am using set ip default next-hop and still no luck.
By the way I am using IPsec over GRE in my DMVPN implementation.
Is there a way that I could achieve my goal? Thanks
Thanks Paulo.
The PBR is applied to the SVI interface only which is the gw for the internal network. I can see the hits on the access list, but when I do the trace route, I just see the gateway IP and drops after that.