Beruflich Dokumente
Kultur Dokumente
Troubleshooting DMVPN I
Objective
Troubleshoot Dynamic Multipoint Virtual Private Network (DMVPN), IP Security (IPSec), and tunnel
problems in the network.
Lab Topology
The topology diagram below represents the NetMap in the Simulator. You will only be performing tasks on
Hub, Spoke1, Spoke2, and Spoke3 in this lab.
Spoke1
S0/0
S0/0 S0/0
IISP-2
ISP
SP
P-2
2
Hub Spoke2
IISP-1
IS
SP-1
1
S0/0
Hub-to-Spoke Tunnel
Spoke-to-Spoke Tunnel
Spoke3
Command Summary
Command Description
configure terminal enters global configuration mode from privileged EXEC mode
crypto isakmp key keystring {address configures a preshared authentication key; you must
peer-address [mask]} configure this key whenever you specify preshared keys in
an IKE policy
enable enters privileged EXEC mode
end ends and exits configuration mode
exit exits one level in the menu structure
interface type number changes from global configuration mode to interface
configuration mode
[no] ip next-hop-self eigrp as-number enables EIGRP to advertise routes with the local outbound
interface address as the next hop; the no form enables
EIGRP to use the received next hop instead of the local
outbound interface address (itself)
[no] ip nhrp nhs nhs-address specifies the address of one or more NHRP next-hop server
(NHS) servers; the no form removes the address
IP Addresses
Device Interface IP Address Subnet Mask
Hub Tunnel 0 10.0.0.1 255.255.255.0
Loopback 0 10.1.0.1 255.255.255.128
Loopback 1 10.1.0.129 255.255.255.128
Serial 0/0 69.45.128.28 255.255.255.0
Spoke1 Tunnel 0 10.0.0.2 255.255.255.0
Loopback 0 10.2.0.1 255.255.255.128
Loopback 1 10.2.0.129 255.255.255.128
Serial 0/0 26.32.18.57 255.255.255.128
Spoke2 Tunnel 0 10.0.0.3 255.255.255.0
Loopback 0 10.3.0.1 255.255.255.128
Loopback 1 10.3.0.129 255.255.255.128
Serial 0/0 145.53.18.18 255.255.255.0
Spoke3 Tunnel 0 10.0.0.4 255.255.255.0
Loopback 0 10.4.0.1 255.255.255.128
Loopback 1 10.4.0.129 255.255.255.128
Serial 0/0 48.57.36.18 255.255.255.128
ISP1 Serial 0/2 48.57.36.5 255.255.255.128
ISP2 Serial 0/1 145.53.18.7 255.255.255.0
Lab Tasks
Complex network troubleshooting requires a structured approach. Network documentation that includes
thorough troubleshooting procedures can decrease the amount of time required to resolve network
problems. Troubleshooting procedures should contain a process to diagnose problems and the steps
necessary to verify that a proposed solution resolved the problem. In this lab, we will refer to this as a
troubleshooting and verification plan.
You can do so by clicking the Grade Lab icon ( ) in the toolbar or by pressing Ctrl+G.
You should create a troubleshooting and verification plan before attempting to correct the problem. There
are several possible solutions to this task; this lab documents only one.
1. You should first attempt to verify that the documented problem exists by issuing a ping from Spoke3
to Hub (10.1.0.1), Spoke1 (10.2.0.1), and Spoke2 (10.3.0.1).
Spoke3#ping 10.1.0.1
Spoke3#ping 10.2.0.1
Spoke3#ping 10.3.0.1
All three pings fail. The results you observe verify a problem exists and Spoke3 has no connectivity
with other offices in the DMVPN.
2. On Spoke3, you should issue the following command to verify the line and protocol state of the
interface connected to the ISP. Interfaces that are in a down state would prevent Spoke3 from
having any connectivity with devices outside of its local network; as shown in the output below,
Spoke3’s Serial 0/0 interface is up/up:
3. On Spoke3, you should issue the following command to verify IP connectivity with Spoke3’s ISP. A
lack of connectivity between Spoke3 and its ISP could indicate a problem with the ISP, which would
need to be resolved before Spoke3 could reach Hub.
Spoke3#ping 48.57.36.5
The ping is successful; therefore, you can determine that Spoke3 has no connectivity issues with its
ISP.
Spoke3#ping 69.45.128.28
The ping is successful; therefore, you can determine that Spoke3 has connectivity with the tunnel
destination (Hub) over the WAN.
5. On Spoke3, you should issue the following command to display active DMVPN sessions:
Spoke3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I – Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 69.45.128.28 10.0.0.1 NHRP never S
Based on the NHRP shown in the State field of output, you can determine that a tunnel connection
with Hub has not formed as a result of an NHRP issue. The State field in the output will indicate UP
if the DMVPN session is functioning properly. Otherwise, it will indicate the reason for a down state
by displaying an error reason. Possible causes of a down state are NHRP, IPSec, and IKE.
6. On Spoke3, you should issue the following command to display the NHRP tunnel configuration:
Based on the output, you can determine that Spoke3 has been incorrectly configured with the NBMA
address of Hub (69.45.128.28) for the NHRP NHS instead of the peer tunnel address (10.0.0.1).
Spoke3(config)#interface tunnel 0
Spoke3(config-if)#no ip nhrp nhs 69.45.128.28
Spoke3(config-if)#ip nhrp nhs 10.0.0.1
8. On Spoke3, you should issue a ping to Hub (10.1.0.1), Spoke1 (10.2.0.1), and Spoke2 (10.3.0.1) to
determine whether Spoke3 now has DMVPN connectivity with all offices.
Spoke3#ping 10.1.0.1
Spoke3#ping 10.2.0.1
Spoke3#ping 10.3.0.1
All three pings fail. The results indicate that you have not yet restored connectivity between Spoke3
and the other offices in your network.
9. After the previous configuration error is fixed on Spoke3, the dynamic tunnel with Hub is not yet
functional. You should issue the following command to display active DMVPN sessions:
Spoke3#show dmvpn
<output omitted>
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 69.45.128.28 10.0.0.1 IKE never S
Based out the output, you can determine that an IPSec or Internet Security Association Key
Management Protocol (ISAKMP) problem exists with the link between Hub and Spoke3.
10. On Spoke3, you should issue the following command to display IPSec and ISAKMP policies on the
peer to verify that the configuration matches what is documented. If IPSec or ISAKMP policies are
not configured correctly, no dynamic tunnel would form between Hub and Spoke3.
Based on the output, you can determine that Spoke3 is not configured with an ISAKMP security key.
11. On Spoke3, you should issue the following command to correct the configuration:
13. On Spoke3, you should issue the following commands to bounce the Tunnel 0 interface:
Spoke3(config)#interface tunnel 0
Spoke3(config-if)#shutdown
Spoke3(config-if)#no shutdown
Bouncing the interface is likely necessary to troubleshoot an NHRP client. When a new NHRP NHS
is configured, registration request packets are immediately sent to the server from the client and
will continue to be sent for as long as the NHS does not reply. The retransmission interval doubles
every attempt; therefore, depending on how long IPSec and ISAKMP were misconfigured while you
were troubleshooting this problem, you may be waiting for a few minutes before you see a correctly
configured DMVPN session come UP. Cycling the enabled state of the tunnel interface will reset the
NHRP process running for this interface, including the NHRP request timer for each NHRP NHS
configured. Making changes to IPSec and ISAKMP does not reset the NHRP process.
14. On Spoke3, you could additionally issue the following commands to verify IPSec and ISAKMP
SAs with Hub. If no SAs are displayed, a problem might still exist with either IPSec or ISAKMP
configuration.
Based on the output, you can determine that a secure IPSec and ISAKMP session exists with Hub
(69.45.128.28).
Spoke3#show dmvpn
<output omitted>
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 69.45.128.28 10.0.0.1 UP 00:00:37 S
The peer and state displayed indicate that Spoke3 has formed a dynamic tunnel with Hub.
16. On Spoke3, you should issue a ping to Hub (10.1.0.1), Spoke1 (10.2.0.1), and Spoke2 (10.3.0.1) to
verify that Spoke3 has IP connectivity with all offices.
Spoke3#ping 10.1.0.1
Spoke3#ping 10.2.0.1
Spoke3#ping 10.3.0.1
All three pings should succeed. You have completed this ticket successfully.
You should create a troubleshooting and verification plan before attempting to correct the problem. There
are several possible solutions to this task; this lab documents only one.
1. The first thing you should do is attempt to verify that the reported problem exists. On Spoke1, you
should issue the following command to observe the path traffic takes from Spoke1 to Spoke2:
Spoke1#traceroute 10.3.0.1
Based on the output displayed, you can determine that traffic unnecessarily traverses Hub
(10.0.0.1).
Spoke1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B – BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, E – EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route
Based on the output displayed, you can determine that the next hop address for the 10.3.0.0/25
network is Hub (10.0.0.1).
3. On Spoke1, you should issue the following command to display the EIGRP topology table for
the 10.3.0.0/25 route. If the next-hop address advertised by Hub is incorrect, then the DMVPN
configuration might not be configured correctly on Hub.
Based on the output displayed, you can determine that Hub is advertising itself (10.0.0.1) to Spoke1
for the 10.3.0.0/25 network.
Based on the output, you can determine that Hub is configured to use its own Tunnel 0 interface as
the next-hop value for EIGRP AS 100. By default, an EIGRP interface is configured to use itself as
the next-hop value even when EIGRP is advertising outbound routes through the same interface on
which the routes were received.
5. You should issue the following commands on Hub to correct the configuration:
Hub(config)#interface tunnel 0
Hub(config-if)#no ip next-hop-self eigrp 100
6. After the network has time to converge, you should issue the following command on Spoke1 to
display the EIGRP topology table for the 10.3.0.0/24 route:
Based on the output displayed, Hub is now advertising the next-hop address received (10.0.0.3)
rather than itself.
Spoke1#show ip route
<output omitted>
Based on the output, the changes have fully converged on Spoke1 because 10.0.0.3 is now
displayed as the next-hop address for the 10.3.0.0/25 network instead of 10.0.0.1.
8. On Spoke1, you should issue the following command to verify connectivity and a dynamic tunnel
with Spoke2:
Spoke1#ping 10.3.0.1
9. On Spoke1, you should issue the following command to verify the problem is fixed:
Spoke1#traceroute 10.3.0.1
Based on the results of the traceroute, traffic from Spoke1 to Spoke2 (10.3.0.1) is no longer
traversing Hub. You have completed this ticket successfully.
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.