Hi, I'm having a connectivity issue with spoke-to-spoke communication. Both spokes can reach the hub. Here are the details and configuration.
Configuration:
Hub:
interface Tunnel1
 ip vrf forwarding test
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp map group test service-policy output test-out
 ip nhrp network-id 1111
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1111
 tunnel protection ipsec profile prof1 shared
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key address 0.0.0.0 no-xauth
crypto isakmp keepalive 10
crypto ipsec profile prof1
 set transform-set tras1
crypto ipsec transform-set tras1 esp-3des esp-md5-hmac
 mode transport
Spoke1:
interface Tunnel1
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 1111
 ip nhrp map 1.1.1.1 111.1.1.1
 ip nhrp map multicast 111.1.1.1
 ip nhrp network-id 1111
 ip nhrp nhs 1.1.1.1
 ip nhrp server-only
 tunnel source 192.168.1.1
 tunnel mode gre multipoint
 tunnel key 1111
 tunnel protection ipsec profile prof1
end
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile prof1
 set transform-set trans1
Spoke2:
interface Tunnel1
 ip address 1.1.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 1111
 ip nhrp group test
 ip nhrp map 1.1.1.1 111.1.1.1
 ip nhrp map multicast 111.1.1.1
 ip nhrp network-id 1111
 ip nhrp nhs 1.1.1.1
 ip nhrp server-only
 tunnel source 172.16.1.1
 tunnel mode gre multipoint
 tunnel key 1111
 tunnel protection ipsec profile prof1
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ippccwsec address 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile prof1
 set transform-set trans1
Verification:
Hub:
#sh crypto isakmp sa | i
111.1.1.1 80.1.1.1 QM_IDLE 54023 ACTIVE
111.1.1.1 122.2.2.2 QM_IDLE 54022 ACTIVE
#sh dmvpn | beg Tunnel1
 # Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb
 -----  --------------- ---------------  -----  -------- -----
     1  80.1.1.1        1.1.1.2          IKE    1d00h    DN
     1  122.2.2.2       1.1.1.3          UP     00:25:03 DN
#show ip nhrp tunnel 1
1.1.1.2/32 (test) via 1.1.1.2
   Tunnel1 created 1d01h, expire 01:54:25
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 80.1.1.1
   Group: GRPMAP-TMS-MGMT-1M
    (Claimed NBMA address: 192.168.1.1)
1.1.1.3/32 (test) via 1.1.1.3
   Tunnel1 created 01:44:44, expire 00:08:21
   Type: dynamic, Flags: registered used nhop
   NBMA address: 122.2.2.2
    (Claimed NBMA address: 172.16.1.1)
Spoke 1:
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
111.1.1.1 192.168.1.1 QM_IDLE 1002 ACTIVE
#ping 1.1.1.1 (HUB)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 900/907/919 ms
#ping 10.10.10.3 source 10.10.10.2 (spoke2)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.2
.....
Success rate is 0 percent (0/5)
Spoke 2:
#ping 1.1.1.1 (HUB)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 590/603/622 ms
#ping 10.10.10.2 source 1.1.1.3 (Spoke1)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.3
.....
Success rate is 0 percent (0/5)
Please let me know if you need more details and output. I'm trying to get as many troubleshooting tips as possible, as I'm still new to advanced troubleshooting.
Thanks