15 Replies Latest reply: Mar 19, 2012 7:15 AM by Keith Barker - CCIE RS/Security, CISSP



      Hi all,



I am experiencing the following problem in a standard DMVPN configuration:

SCENARIO: a simple PKI infrastructure for a DMVPN scenario with a Hub and 2 Spoke routers;

PLATFORM: GNS3 lab environment;

Hub configuration:
- gre multipoint interface;
- nhrp server mode;
- mtu ceiled to 1400 and tcp segment size ceiled to 1360;

Spokes configuration:
- gre multipoint interface;
- nhrp map of the local interface;
- nhrp configuration of the remote nhs public address;
- mtu ceiled to 1400 and tcp segment size ceiled to 1360;
- clearly isakmp set to PKI authentication;

The configuration is similar to the one presented in the Secure Official Study Guide.

Problem: the tunnel interface on the Spoke router goes immediately into reset state, therefore not permitting any IKE security association.



      Any idea?







        • 1. Re: DMVPN SET UP PROBLEM

Have u tried connections between all your nodes without IPsec protection?

          • 2. Re: DMVPN SET UP PROBLEM

            Of course, yes. All the underlying network is perfectly working and the PKI infrastructure is completely reliable.


When I raise the tunnel interface with the configuration reported above, the ISAKMP goes up (as usual) and then goes immediately down (because the iface goes into reset state).

I suppose it can be a hardware problem or a malfunctioning of the simulator.

            • 3. Re: DMVPN SET UP PROBLEM

What I meant was not the underlying network itself, but how the whole DMVPN topology works without IPsec protection (without the line "tunnel protection ipsec profile PROFILENAME"), but anyway. Could you provide your configuration from hub and spoke?

              • 4. Re: DMVPN SET UP PROBLEM

Sorry for this slow response time, but I am trying to experiment with different things on the Spoke tunnel interface.

I am not able, unfortunately, to post the Hub and Spoke routers' conf, but I have noticed a strange thing.

1. interface tunnel 0 with IPSEC-PROF (standard profile) ---> the isakmp goes UP and then goes DOWN (interface reset);
2. new ipsec profile (NEW-ONE, absolutely identical to IPSEC-PROF);
3. no ipsec profile IPSEC-PROF on tunnel 0;
4. ipsec profile NEW-ONE ---> the interface tunnel 0 comes back UP, the isakmp goes UP;
5. the isakmp sa between peers, however, still doesn't establish;

I have to go further, even if the solution can possibly be good and a new issue can be the cause of the missing isakmp sa establishment.

However, it is strange that two identical ipsec profiles (apart from the name) can change the soup.

I won't fail to add further details.









                • 5. Re: DMVPN SET UP PROBLEM

                  Hi Cristian


As others have said, try it without security.

Use static keys rather than ISAKMP. There are examples on CLN.


                  Regards Conwyn

                  • 6. Re: DMVPN SET UP PROBLEM
                    Paul Stewart  -  CCIE Security

The only thing to be concerned about when trying it without IPSec is that you will be seeing protocol 47 in the public area of the network. So be aware of that and adjust any ACLs accordingly. Also, be aware that it is in the clear at this point. This will give us an indication if we are looking at an issue with IPSec or mGRE/NHRP.

                    • 7. Re: DMVPN SET UP PROBLEM
                      Keith Barker - CCIE RS/Security, CISSP

This sounds like a situation where the router believes the endpoint of the tunnel should use the tunnel, which causes it to collapse.


                      Turn on "debug ip routing" and see if this flapping occurs (over and over and over...)


                      If it does, use one protocol for your normal network, and a second protocol for your DMVPN related networks.
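The condition Keith describes, the router learning a route to the tunnel's own endpoint through the tunnel, can be checked against a routing table before turning on debugs. The following is an added example and is not code from this thread or from Cisco; it models a spoke's table with a constructed set of routes (TEST-NET addresses) and a longest-prefix-match lookup, and shows how a single host route learned over the tunnel makes the tunnel depend on itself.

```python
"""Detect recursive routing of a GRE/DMVPN tunnel endpoint.

Added example, not from the thread. Routes and addresses are constructed
sample data; the interface names follow IOS conventions.
"""
import ipaddress

# Constructed spoke routing table: (prefix, egress interface).
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "FastEthernet0/0"),       # default route via the public side
    ("203.0.113.0/24", "FastEthernet0/0"),  # hub's public subnet (TEST-NET-3)
    ("10.0.0.0/24", "Tunnel0"),             # DMVPN tunnel subnet
]

# Constructed: the same table after a routing protocol running over Tunnel0
# advertises a host route to the hub's public address back to the spoke.
LEAKED_ROUTES = SAMPLE_ROUTES + [("203.0.113.1/32", "Tunnel0")]

HUB_PUBLIC_ADDRESS = "203.0.113.1"  # tunnel destination / NHS public address


def longest_prefix_match(routes, dest):
    """Return the egress interface of the most specific route covering dest."""
    addr = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def tunnel_is_recursive(routes, tunnel_iface, tunnel_dest):
    """True if the route to the tunnel endpoint points back into the tunnel."""
    return longest_prefix_match(routes, tunnel_dest) == tunnel_iface


def simulate_flaps(routes, tunnel_iface, tunnel_dest, cycles):
    """Count up/down transitions over a number of routing-update cycles.

    When the tunnel is up and recursive, IOS tears it down; with the tunnel
    down its learned routes disappear, so the endpoint is reachable again and
    the tunnel comes back, re-learns the route, and the cycle repeats.
    """
    state, transitions = "up", 0
    for _ in range(cycles):
        if state == "up" and tunnel_is_recursive(routes, tunnel_iface, tunnel_dest):
            state, transitions = "down", transitions + 1
        elif state == "down":
            state, transitions = "up", transitions + 1
    return transitions


if __name__ == "__main__":
    for name, table in (("clean", SAMPLE_ROUTES), ("leaked", LEAKED_ROUTES)):
        via = longest_prefix_match(table, HUB_PUBLIC_ADDRESS)
        recursive = tunnel_is_recursive(table, "Tunnel0", HUB_PUBLIC_ADDRESS)
        print(f"{name}: hub reachable via {via}, recursive={recursive}, "
              f"transitions in 10 cycles={simulate_flaps(table, 'Tunnel0', HUB_PUBLIC_ADDRESS, 10)}")
```

With the clean table the hub is reached through FastEthernet0/0 and the tunnel is stable; with the leaked host route the lookup resolves to Tunnel0 and the simulation flaps on every cycle, which is the "over and over" pattern "debug ip routing" would show. Keeping the underlay and the DMVPN overlay in separate routing protocols, as suggested above, prevents the leaked route from appearing in the first place.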




                      • 8. Re: DMVPN SET UP PROBLEM

                        Thank you all for your help.


As soon as possible I will put your advice into practice and try to make things work.





                        • 9. Re: DMVPN SET UP PROBLEM

I'm having an almost identical problem just setting up a point-to-point GRE/IPsec tunnel in my lab. The ISAKMP and IPsec SA establish (although I'm unable to ping the tunnel endpoints), then after about a minute the tunnel state goes from QM_IDLE to MM_NO_STATE (deleted).

                          • 10. Re: DMVPN SET UP PROBLEM

I managed to get the lab working. I think it was a misconfiguration of the NHRP. The debug crypto isakmp didn't help here though. Verifying the underlying layer 3 connectivity and tunnel establishment is key, I guess.

                            • 11. Re: DMVPN SET UP PROBLEM

Hi everyone.

With some additional effort, I have succeeded in getting this DMVPN standard configuration working.

PROBLEMS: if I put the tunnel protection in an ipsec profile without any transform-set (apart from the default one), my Tunnel interface goes into reset state, thus leading to nothing because it can't even set up the isakmp sa.

- created a new ipsec profile;
- applied a new transform-set to the profile;
- tunnel protection ipsec profile created and applied to the tunnel interface;
- the tunnel goes up and everything is ok (isakmp sa, ipsec sa, nhrp establishment).

Unfortunately I can't explain the reason why this could happen.

Just to give an answer to someone who asked me about the connectivity of the tunnel without protection, this was not an issue since the connection between peers was ok (ping successful).

Moreover, PKI and RSA-SIG don't matter at all.

LAB EQUIPMENT:
- Router 3750 with IOS 12.4(9) T (Both Hub and Spoke);



                              Let me know your idea, if something comes up.






                              • 12. Re: DMVPN SET UP PROBLEM
                                Keith Barker - CCIE RS/Security, CISSP

                                What is the default transform-set, used for IKE phase 2, if you don't specify one?



                                • 13. Re: DMVPN SET UP PROBLEM

                                  In my version of IOS, after completing the set-up of the IPSEC profile with a default transform set, the command:


                                  show crypto ipsec profile


                                  gave me the following:


                                  IPSEC profile NNNNN

                                            Security association lifetime: 4608000 kilobytes/3600 seconds

                                            PFS (Y/N): N

                                            Transform sets={



Now, I wonder if this means "absence of a valid transform-set" or simply "use an (implicit) default transform-set".

I am more for the first option; however, the official cert guide says that creating a new ipsec profile is enough.

Official documentation on Cisco.com makes you create a transform-set.


                                  Probably an issue of IOS version, I don't know.


                                  From now on, I will declare a transform-set.




                                  Hope to be helpful.




                                  • 14. Re: DMVPN SET UP PROBLEM

Why do u ever need to use a default TS? Default TS may be dependent on the exact IOS or device u're using, so u'd better always use some preconfigured one to be sure.
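The lesson of the last few replies (an ipsec profile applied with tunnel protection should always name a transform-set) can be turned into a check over a saved running-config, so the empty "Transform sets={" case is caught before the tunnel is brought up. The following is an added example and not code from this thread or from Cisco; the configuration text is a constructed sample that reuses the profile names from the thread (IPSEC-PROF without a transform-set, NEW-ONE with one), and the keywords are standard IOS syntax.

```python
"""Audit an IOS running-config for tunnels protected by an IPsec profile
that has no explicit transform-set.

Added example, not from the thread. SAMPLE_CONFIG is constructed.
"""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set security-association lifetime seconds 3600
!
crypto ipsec profile NEW-ONE
 set transform-set TS-AES-SHA
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-PROF
!
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 tunnel mode gre multipoint
 tunnel protection ipsec profile NEW-ONE
!
"""


def parse_blocks(config):
    """Yield (header, [child lines]) for each top-level IOS config block.

    A block starts at an unindented line and collects the indented lines that
    follow it; '!' and blank lines terminate the current block.
    """
    header, children = None, []
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header = None if line.strip() in ("", "!") else line.strip()
        children = []
    if header is not None:
        yield header, children


def ipsec_profiles(config):
    """Map each ipsec profile name to the transform-set names it references."""
    profiles = {}
    for header, children in parse_blocks(config):
        m = re.match(r"crypto ipsec profile (\S+)", header)
        if not m:
            continue
        sets = []
        for child in children:
            s = re.match(r"set transform-set (.+)", child)
            if s:
                sets.extend(s.group(1).split())  # IOS allows several names
        profiles[m.group(1)] = sets
    return profiles


def tunnel_profiles(config):
    """Map each Tunnel interface to the ipsec profile applied via tunnel protection."""
    tunnels = {}
    for header, children in parse_blocks(config):
        m = re.match(r"interface (Tunnel\S+)", header)
        if not m:
            continue
        for child in children:
            p = re.match(r"tunnel protection ipsec profile (\S+)", child)
            if p:
                tunnels[m.group(1)] = p.group(1)
    return tunnels


def audit(config):
    """Return {tunnel: reason} for tunnels whose profile is undefined or has no transform-set."""
    profiles = ipsec_profiles(config)
    findings = {}
    for tunnel, prof in tunnel_profiles(config).items():
        if prof not in profiles:
            findings[tunnel] = f"profile {prof} is not defined"
        elif not profiles[prof]:
            findings[tunnel] = f"profile {prof} has no transform-set"
    return findings


if __name__ == "__main__":
    for tunnel, reason in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{tunnel}: {reason}")
```

Run against a real "show running-config" capture, the audit flags Tunnel0 here because IPSEC-PROF carries only a lifetime and no "set transform-set", which matches the failing state in the thread, while Tunnel1 with NEW-ONE passes. Since the default transform-set behaviour varies by IOS release, as the reply above notes, the check treats an empty list as a finding rather than assuming a default exists.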
