This document contains the most common solutions to Dynamic Multipoint VPN (DMVPN) problems. Many of these solutions can be taken prior to any in-depth DMVPN connectivity troubleshooting. This document is recommended as a checklist of common practices to try before you begin connectivity-based troubleshooting and call Cisco Technical Support.
If you need an instance of the document configuration for DMVPN, see the DMVPN configuration examples and technical notes.
Note. See the “IPsec Troubleshooting – Understanding and Using Debug Commands” section for a detailed explanation of the common debug commands used to troubleshoot IPsec problems.
This document is based on the following desktop tools and hardware versions:
Cisco IOS
Information
The devices described in this document were created under exceptional laboratory conditions. All devices used in this document were started with a remote functional (standard) configuration. If you have a network in your network, make sure you understand the possible implications of the order.
The hub accepts NHRP registration requests and also sends an NHRP registration response as soon as the problem confirms that the spoke has a valid tunnel and non-broadcast multiport address (NBMA). The beam receives this NHRP registration response, which completes the registration process.
Router ( config) #service timestamps log datetime ms
Who are the authors of the NhRP document?
NHRP Disclaimer (Again!): This content was originally created by – Alex Honoré, Graham Barlet, Raffaele Brancaleoni of Cisco. Introduction. This document is intended to show you how to troubleshoot your DMVPN configuration. The responsibilities of the various components are also discussed, but not the internal details.
Enable Terminal Exec prompt timestamp for debug sessions:
What does next hop Resolution Protocol ( NhRP ) do?
Next Hop Resolution Protocol (NHRP) is used to look up the addresses of other routers and the network behind routers that are connected to a non-broadcast multiple access (NBMA) network.
Router # Terminal Exec quick timestamp
Note. This way, you can probably easily relate debugging to the issuing of new show command output.
Ping the principal to departments with NBMA return addresses.
These pings must go directly through the physicala physical interface, not through a DMVPN tunnel. Hopefully no firewall is blocking ping packets. If that doesn’t work, check the routing and firewalls between the hub and the voice router.
Also use
traceroute to check the path that encrypted tunnel packets appear to travel through.
Use these debug and show commands for offline testing:
Debug-IP-ICMP
debug ip packet
Note. The debug ip packet command produces a lot of output and consumes excessive system resources. It is advisable to use this command with caution in production structures. Always use with the access-list command.
Note. For more information on using an access list with a debug IP packet, see Troubleshooting Access List IP Addresses.
If the optimized ISAKMP directives do not match the intended remote terminal directive, the modem tries tostandard directive 65535. If this is also not true, the ISAKMP negotiation is aborted.
The Show crypto isakmp sa command tells ISAKMP SA to start MM_NO_STATE, which means major mode failure.
Which is the correct entry for dynamic NhRP multicast mapping?
An example of a configuration with an entry specifically correct for nhrp dynamic multicast cards: Interface Tunnel0 IP address 10.0.0.1 255.255.255.0 ip mtu 1400 no internet next-hop-self eigrp 10 ip nhrp verify test ip nhrp card multicast dynamic internet protocol nhrp – Network ID 10 No Internet Protocol Split-Horizon Eigrp 10 Gre Multipoint Tunneling Mode! —! — Output disabled! —
Router # show crypto isakmp saCrypto IPv4 ISAKMP SASrc Dst state conn-id location state172.17.0.1 172.16.1.1 MM_NO_STATE 0 0 ACTIVE172.17.0.1 172.16.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)172.17.0. 5 172.16.1.1 MM_NO_STATE 0 ACTIVE172.17.0. 5 172.16.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)
Also take a look at Debug Crypto isakmp to see if the router is sending a UDP-500 packet:
Fortect is the world's most popular and effective PC repair tool. It is trusted by millions of people to keep their systems running fast, smooth, and error-free. With its simple user interface and powerful scanning engine, Fortect quickly finds and fixes a broad range of Windows problems - from system instability and security issues to memory management and performance bottlenecks.
1. Download Fortect and install it on your computer
2. Launch the program and click "Scan"
3. Click "Repair" to fix any issues that are found
The previous debug output shows that the spoke router sends a UDP-500 packet every ten seconds.
Check with your ISP that the end router is immediately connected to the router suppliedCheck your internet service to make sure it allows UDP-Five traffic.
After the provider accepts UDP 500, add the ACL inbound output to the GUI. This is the tunnel source for udp 500 support to guarantee udp 500 clients access to the router. Use this show access-list command to show anal
