Saturday, November 7, 2020

DMVPN routing headache

Hi,

I'm trying to set up a DMVPN topology, but I ran into an issue and I couldn't find the root cause.

I have to say that I'm fairly new to DMVPN, even though I'm used to the underlying technologies (GRE, IPsec, ...).

Basically, here is my topology (simplified):

*************** LAN ********************//*********************WAN*********************

Server--------------(Cat6880)-----------------(Cat9500)--------(Internet)-------------(Telco NAT)-----------(ISR1111 LTE)

Server has public IP address.

Cat9500 is the Hub and has a Loopback with a public IP Address.

ISR1111 is the spoke and has a Private assigned IP from the provider, which is NATed at the provider side.

I've set up my tunnel between the Cat9500 Hub (from a Loopback with a Public IP Address) and the ISR1111 LTE Hub (from its physical Cellular interface, which is private and later NATed by the provider).

On both sides, I can see that the ISAKMP SA (with the telco public NATed IP) and the IPsec SA (with the telco private assigned IP) are UP; the GRE tunnel is also UP.

I have OSPF running everywhere, redistributing connected routes (except the Cellular one, to not face a chicken-and-egg tunnel issue).

OSPF neighborship is also doing great through the tunnel.

I checked the routing table everywhere, everything looks absolutely fine.

From the Hub to the Spoke (and vice versa), I can ping any IP of the destination router from any local IP, either the tunnel IP or any loopback, SVI, etc.

So it really looks like everything is fine.

However, when I try from the Spoke to reach something farther than the Hub (for example the Server), nothing works.

When I run an ICMP ping from the ISR1111 (Spoke) to the PublicIPServ, I can see in packet captures that it actually arrives at the server, and the reply leaves the server, but it never arrives at the destination.

When running an MTR from the server to the Spoke, it stops at the Hub.

I've triple checked everything regarding routing, everything looks absolutely good.

Is there anything obvious that I'm missing? Or anything particular to DMVPN tunnels?