Review these recommended fixes if you are troubleshooting a Cisco NHRP error.
Presentation
This document contains the most common solutions to Dynamic Multipoint VPN (DMVPN) problems. Many of these solutions can be implemented before any in-depth troubleshooting of DMVPN connectivity. This document is intended as a checklist of common procedures to try before you begin connectivity troubleshooting and call Cisco Technical Support.
If you need configuration example documents for DMVPN, see the DMVPN configuration examples and technical notes.
Note. See the “IPsec Troubleshooting – Understanding and Using Debug Commands” section for a detailed explanation of the common debug commands used to troubleshoot IPsec problems.
Requirements
Cisco recommends having hands-on experience with configuring DMVPN on Cisco IOS® routers.
Components Used
This document is based on the following software and hardware versions:
- Cisco IOS
The devices described in this document were set up in a specific lab environment. All devices used in this document started with a cleared (default) configuration. If your network is live, make sure you understand the potential impact of any command.
Conventions
For more information on document conventions, see Cisco Technical Tips Conventions.
DMVPN Configuration Does Not Work
Problem
Solutions
These solutions (in no particular order) can be used as a checklist of items to verify or try before diving into in-depth troubleshooting:
- Common problems
- Check whether ISAKMP packets are being blocked by your ISP
- Make sure GRE works properly with tunnel protection removed
- NHRP registration fails
- Make sure the lifetimes are configured correctly
- Check whether traffic flows in only one direction
- Make sure the routing protocol neighbor is established
- Synchronize the timestamps between the hub and the spoke
- Enable msec debug and log timestamps:
Router(config)#service timestamps debug datetime msec
Router(config)#service timestamps log datetime msec
- Enable terminal exec prompt timestamps for debug sessions:
Router#terminal exec prompt timestamp
Note. This way, you can easily correlate debug output with show command output.
How does the hub respond to an NHRP request?
The hub accepts NHRP registration requests and sends an NHRP registration response as soon as it confirms that the spoke has a valid tunnel address and non-broadcast multi-access (NBMA) address. The spoke receives this NHRP registration response, which completes the registration process.
Who are the authors of the NHRP document?
NHRP Disclaimer (Again!): This content was originally created by Alex Honoré, Graham Barlet, Raffaele Brancaleoni of Cisco. Introduction. This document is intended to show you how to troubleshoot your DMVPN configuration. The responsibilities of the various components are also discussed, but not the internal details.
What does Next Hop Resolution Protocol (NHRP) do?
Next Hop Resolution Protocol (NHRP) is used to look up the addresses of other routers, and of the networks behind those routers, that are connected to a non-broadcast multiple access (NBMA) network.
Common Problems
Check Basic Connectivity
- Ping from the hub to the spokes using NBMA addresses, and in the reverse direction.
These pings must go directly out the physical interface, not through the DMVPN tunnel. Hopefully no firewall is blocking ping packets. If the pings fail, check the routing and any firewalls between the hub and the spoke router.
- Also use traceroute to check the path that the encrypted tunnel packets take.
- Use these debug and show commands when there is no connectivity:
- debug ip icmp
- debug ip packet
Note. The debug ip packet command produces a lot of output and consumes significant system resources. Use this command with caution in production networks. Always use it with an access list.
Note. For more information on using an access list with a debug IP packet, see Troubleshooting Access List IP Addresses.
Check for an Incompatible ISAKMP Policy
If the configured ISAKMP policies do not match the policy proposed by the remote peer, the router tries the default policy, 65535. If that does not match either, the ISAKMP negotiation fails.
The show crypto isakmp sa command shows the ISAKMP SA in MM_NO_STATE, which means main mode failed.
Check the Pre-Shared Secret
If the pre-shared secrets do not match on both sides, the negotiation will fail.
Check for an Incompatible IPsec Transform Set
If the IPsec transform set is incompatible or mismatched on the two IPsec devices, IPsec negotiation will fail.
The hub returns the "atts not acceptable" message for the IPsec proposal.
Which is the correct entry for dynamic NHRP multicast mapping?
An example of a configuration with the correct entry for NHRP dynamic multicast mapping:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 10
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 no ip split-horizon eigrp 10
 tunnel mode gre multipoint
!
!--- Output suppressed
!
Check If ISAKMP Packets Are Blocked by the ISP
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE
172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE (deleted)
172.17.0.5      172.16.1.1      MM_NO_STATE          0    0 ACTIVE
172.17.0.5      172.16.1.1      MM_NO_STATE          0    0 ACTIVE (deleted)
Also check the debug crypto isakmp output to verify that the spoke router is sending UDP 500 packets:
Router#debug crypto isakmp
04:14:44.450: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
04:14:44.450: ISAKMP:(0): beginning Main Mode exchange
04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:44.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:14:54.450: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:54.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
The previous debug output shows that the spoke router sends a UDP-500 packet every ten seconds.
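The retransmission pattern described above can be checked automatically. The following Python code is an added example, not part of the original document: it scans `debug crypto isakmp` output and flags peers to which the router keeps sending UDP 500 packets in MM_NO_STATE without ever receiving a reply. The names `analyze` and `min_sends`, the sample lines, and the format of the `received packet from` line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of the debug excerpt above.
# The "received packet from" line format is an assumption for illustration.
SAMPLE = """\
04:14:44.450: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:54.450: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
04:15:04.450: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
04:15:04.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
04:15:05.100: ISAKMP:(0): sending packet to 172.17.0.5 my_port 500 peer_port 500 (I) MM_NO_STATE
04:15:05.180: ISAKMP (0:0): received packet from 172.17.0.5 dport 500 sport 500 Global (I) MM_NO_STATE
"""

# Captures: timestamp, direction, peer address, ISAKMP state.
PKT = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+): ISAKMP.*?(sending packet to|received packet from) "
    r"(\d+\.\d+\.\d+\.\d+) .*\([IRN]\) (\S+)")

def analyze(log, min_sends=3):
    """Return {peer: verdict} for every peer the router sent ISAKMP packets to."""
    sent, replied = defaultdict(list), set()
    for line in log.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        ts, direction, peer, state = m.groups()
        if direction.startswith("received"):
            replied.add(peer)                      # any reply proves the UDP 500 path works
        elif state == "MM_NO_STATE":
            sent[peer].append(datetime.strptime(ts, "%H:%M:%S.%f"))
    verdicts = {}
    for peer, times in sent.items():
        gaps = [round((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        if peer in replied:
            verdicts[peer] = "peer answers on UDP 500"
        elif len(times) >= min_sends:
            verdicts[peer] = f"no reply after {len(times)} sends (gaps {gaps} s): check UDP 500 path"
        else:
            verdicts[peer] = "inconclusive: too few sends"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in analyze(SAMPLE).items():
        print(peer, "->", verdict)
```

A peer flagged with "no reply" matches the symptom in the debug output above: repeated sends at the retransmission interval and nothing coming back.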
Check with your ISP whether the spoke router is directly connected to the ISP router, and make sure the ISP allows UDP 500 traffic.
After the ISP allows UDP 500, add an inbound ACL on the egress interface, which is the tunnel source, to permit UDP 500 and make sure UDP 500 traffic reaches the router. Use this show access-list command to show anal