FloridaBoyPC

@bhntampa.com

[Config] Need Help with DMVPN

Hello all..

I am having an issue. We use DMVPN as a backup, and I was working on the redundancy when we noticed this site will NOT come up... We have three other sites that DO connect to the "hub" just fine. Here is the config from the trouble router:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 xxxx
!
no aaa new-model
clock timezone NewYork -5
!
crypto pki trustpoint TP-self-signed-3087426292
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3087426292
revocation-check none
rsakeypair TP-self-signed-3087426292
!
!
!
ip cef
!
!
no ip domain lookup
ip domain name xxxx
ip name-server xxxxx
ip port-map ftps port tcp from 50000 to 50100 description PassiveFTP
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
username xxxx privilege 15 secret 5 xxxx
username xxxx privilege 15 view root secret 5 xxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
crypto ipsec profile SDM_Profile2
!
!
archive
log config
hidekeys
!
!
ip ftp username xxxx
ip ftp password xxxx
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_DMVPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_GRE
match class-map SDM_ESP
class-map type inspect match-all SDM_DMVPN_PT
match access-group name DMVPN
match class-map SDM_DMVPN_TRAFFIC
class-map type inspect match-any ClassMap-OurWeb
match protocol http
match protocol https
match protocol ftp
match protocol ftps
class-map type inspect match-all MasterWebCLS
match access-group name FirewallACL-OurWeb
match class-map ClassMap-OurWeb
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect match-all sdm-cls-sdm-permit-1
match class-map SDM_DMVPN_TRAFFIC
match access-group 139
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
policy-map type inspect sdm-permit-gre
class type inspect SDM_GRE
pass
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_DMVPN_PT
pass
class type inspect sdm-cls-sdm-permit-1
pass
class type inspect sdm-access
inspect
class class-default
policy-map type inspect PolicyMap-OurWeb
class type inspect MasterWebCLS
inspect
class class-default
drop log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
!
zone security out-zone
zone security in-zone
zone security dmvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-gre source out-zone destination dmvpn-zone
service-policy type inspect sdm-permit-gre
zone-pair security sdm-zp-gre-out source dmvpn-zone destination out-zone
service-policy type inspect sdm-permit-gre
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security Out2In source out-zone destination in-zone
service-policy type inspect PolicyMap-OurWeb
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 10.10.10.176 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 10.10.10.150 xxxx
ip nhrp map multicast xxxx
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.10.10.150
zone-member security in-zone
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
ip address 192.168.176.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1200
duplex auto
speed auto
standby 10 ip 192.168.176.254
standby 10 timers 5 15
standby 10 preempt
standby 10 name dallashsrp
!
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address xxxx 255.255.255.240
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
router eigrp 10
network 10.10.10.0 0.0.0.255
network 192.168.176.0
no auto-summary
!
ip default-gateway xxxx
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxx permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.176.35 xxxx
ip nat inside source static network 192.168.176.159 xxxx /32
ip nat inside source static network 192.168.176.2 xxxx /32
ip nat inside source static 192.168.176.8 xxxx
ip nat inside source static 192.168.176.9 xxxx
ip nat inside source static network 192.168.176.11 xxxx/32
ip nat inside source static network 192.168.176.12 xxxx /32
ip nat inside source static network 192.168.176.14 xxxx /32
!
ip access-list extended ACL-BlockAll
remark SDM_ACL Category=2
deny ip any any log
ip access-list extended DMVPN
remark SDM_ACL Category=128
permit ip any host xxxx
ip access-list extended FirewallACL-OurWeb
remark SDM_ACL Category=128
permit ip any host 192.168.176.159
permit tcp any host 192.168.176.8 eq ftp
permit tcp any host 192.168.176.8 range 50000 50100
permit tcp any host 192.168.176.9 eq ftp
permit tcp any host 192.168.176.9 range 50000 50100
permit tcp any host 192.168.176.11 eq ftp
permit tcp any host 192.168.176.11 range 50000 50100
permit tcp any host 192.168.176.12 eq ftp
permit tcp any host 192.168.176.12 range 50000 50100
permit tcp any host 192.168.176.14 eq 443
permit tcp any host 192.168.176.14 eq www
permit tcp any host 192.168.176.35 eq pop3
permit tcp any host 192.168.176.35 eq smtp
permit tcp any host 192.168.176.49 eq 443
permit tcp any host 192.168.176.49 eq www
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark SDM_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=0
permit ip any any
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
no logging trap
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxxx 0.0.0.15 any
access-list 101 remark SDM_ACL Category=18
access-list 101 permit ip 192.168.176.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip any any
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host 63.166.244.2 any
access-list 106 remark SDM_ACL Category=0
access-list 107 remark SDM_ACL Category=0
access-list 139 remark SDM_ACL Category=128
access-list 139 permit ip any host xxxx
snmp-server community xxxx RW
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!

!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180171
ntp update-calendar
ntp server 128.227.205.3 source GigabitEthernet0/1 prefer
!
end

Here is what I think is pertinent from the hub:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TBTeamTransformSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set TBTeamTransformSet

interface Tunnel0
 bandwidth 1000
 ip address 10.10.10.150 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 zone-member security in-zone
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial0/0/0:0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1

Thanks for the help. As I said, 2 other sites can connect to the hub and bring up the tunnel fine.


nosx

join:2004-12-27
kudos:5

Start with basic IPsec troubleshooting:
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp etc.
debug crypto ipsec etc.
Then move into the multipoint GRE troubleshooting:
show ip nhrp etc.
show dmvpn
Make sure your ESP and AH traffic is permitted through any ACLs, and that all ip nhrp next hops and pre-shared keys are correct (copy/paste).


rtrice81

join:2010-01-05
reply to FloridaBoyPC

Change this:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport

to:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 no mode transport

Let us know.
Thanks,
Rich


nosx

join:2004-12-27
kudos:5


I'm running DMVPN on several of my devices, and my transform sets are all mode transport:

crypto ipsec transform-set IPSEC_TRANSFORMSET_DMVPN esp-aes 256 esp-sha-hmac
 mode transport
 

rtrice81

join:2010-01-05
reply to FloridaBoyPC

Odd. I had the same issue as you, and I got Cisco TAC involved; they had me remove that line and everything works.
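Added worked example, not code from this thread or from Cisco: a small Python script that does the spoke-versus-hub "copy/paste" comparison nosx recommends mechanically, and also reports the transform-set mode difference that rtrice81 and nosx disagree about, so the two questions in the thread can be checked from the saved configs. The two embedded configs are constructed to mirror the pair posted above (the real peer addresses are redacted in the thread, so 203.0.113.1 is a documentation-range placeholder); the ISAKMP policy and pre-shared key are not compared because the keys are redacted.

```python
# Added example, not code from the thread: extract the DMVPN parameters a spoke
# and its hub must agree on and report every mismatch. Both configs below are
# constructed to mirror the thread's pair; 203.0.113.1 is a documentation-range
# placeholder for the hub's public address.

SPOKE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
interface Tunnel0
 ip address 10.10.10.176 255.255.255.0
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.10.10.150 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100000
 ip nhrp nhs 10.10.10.150
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
"""

HUB_CONFIG = """\
crypto ipsec transform-set TBTeamTransformSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile SDM_Profile1
 set transform-set TBTeamTransformSet
interface Tunnel0
 ip address 10.10.10.150 255.255.255.0
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
"""

# Constructed variant: the hub's transform set left at the IOS default (tunnel
# mode), i.e. rtrice81's "no mode transport" applied on one end only.
HUB_CONFIG_TUNNEL_MODE = HUB_CONFIG.replace(" mode transport\n", "")

# Tunnel subcommands whose first argument must be compared across the peers.
TUNNEL_FIELDS = {"ip address": "tunnel_ip", "ip nhrp authentication": "nhrp_auth",
                 "ip nhrp network-id": "network_id", "ip nhrp nhs": "nhs",
                 "tunnel key": "tunnel_key", "tunnel protection ipsec profile": "profile"}

def sections(config):
    """(command, [subcommands]) pairs: column-0 lines open a section, indented
    lines belong to it, blank lines and '!' separators are skipped."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            out.append((raw.strip(), []))
        elif out:
            out[-1][1].append(raw.strip())
    return out

def dmvpn_params(config):
    """Collect one router's DMVPN parameters, resolving the transform set that
    the mGRE tunnel's IPsec profile actually uses."""
    p, tsets, profiles = {}, {}, {}
    for cmd, subs in sections(config):
        w = cmd.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            mode = next((s.split()[1] for s in subs if s.startswith("mode ")), "tunnel")
            tsets[w[3]] = {"transforms": tuple(w[4:]), "mode": mode}
        elif w[:3] == ["crypto", "ipsec", "profile"]:
            for s in subs:
                if s.startswith("set transform-set "):
                    profiles[w[3]] = s.split()[2]
        elif w[0] == "interface" and "tunnel mode gre multipoint" in subs:
            for s in subs:
                for prefix, key in TUNNEL_FIELDS.items():
                    if s.startswith(prefix + " "):
                        p[key] = s[len(prefix) + 1:].split()[0]
    tset = tsets.get(profiles.get(p.get("profile"), ""), {})
    p["transforms"], p["mode"] = tset.get("transforms"), tset.get("mode")
    return p

def check_dmvpn(spoke_config, hub_config):
    """Return the mismatches between spoke and hub; an empty list means the
    checked parameters agree, not that the tunnel is guaranteed to come up."""
    sp, hb = dmvpn_params(spoke_config), dmvpn_params(hub_config)
    problems = []
    for key, label in [("nhrp_auth", "ip nhrp authentication"),
                       ("network_id", "ip nhrp network-id"), ("tunnel_key", "tunnel key"),
                       ("transforms", "transform-set transforms"), ("mode", "transform-set mode")]:
        if sp.get(key) != hb.get(key):
            problems.append(f"{label}: spoke={sp.get(key)} hub={hb.get(key)}")
    if sp.get("nhs") != hb.get("tunnel_ip"):
        problems.append(f"spoke nhs {sp.get('nhs')} is not the hub tunnel address {hb.get('tunnel_ip')}")
    return problems

if __name__ == "__main__":
    print(check_dmvpn(SPOKE_CONFIG, HUB_CONFIG) or "spoke and hub agree")
    print(check_dmvpn(SPOKE_CONFIG, HUB_CONFIG_TUNNEL_MODE))
```

Run against the two constructed configs, the first call reports no mismatches (the posted pair agrees on NHRP authentication, network-id, tunnel key, NHS and transform set), and the second reports only "transform-set mode: spoke=transport hub=tunnel". Treat a mode difference as something to confirm rather than a certain failure: IOS negotiates a plain `mode transport` as a preference and can fall back to tunnel mode with a peer that only offers tunnel, unless `mode transport require` is configured, which is consistent with both posters seeing tunnels work with different settings.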