DMVPN Troubleshooting – Spoke Sending Registration Requests But Hub Does Not Receive

bgpciscoroutingtroubleshootingvrf-lite

I have built a topology in GNS3 with five routers with a goal to perform:

1)inter vrf routing with bgp as the routing Protocol between Routers.
2)build DMVPN tunnel on the top of it.

I was successful in the 1st task but stuck with the second one. I have one DMVPN router which is spoke, one R1 which is Hub and a WAN between them. DMVPN router seem to be generating nhrp registration requests but the hub is not receiving the nhrp registration requests. but underlay routing seems to be fine because i can ping from one Router's Public IP to another.

I am attaching the configs of all the Routers in comments and also the Topology I am working on.

I have been stuck on this thing from the past two days. Any help would be appreciated

Thank You in advance!

DMVPN Config

DMVPN#sh run  
Building configuration...  
Current configuration : 2393 bytes  
!  
version 15.2  
service timestamps debug datetime msec  
service timestamps log datetime msec  
!  
hostname DMVPN  
!  
boot-start-marker  
boot-end-marker  
!  
!  
!  
no aaa new-model  
no ip icmp rate-limit unreachable    
ip cef  
!  
ip vrf spoke1  
 rd 65000:1  
!    
no ip domain lookup    
no ipv6 cef    
!  
!  
multilink bundle-name authenticated  
!
!  
!  
!  
ip tcp synwait-time 5  
!  

!  
!  
!  
!  
interface Loopback0  
 ip address 1.1.1.1 255.255.255.255  
!  
interface Tunnel0  
 ip vrf forwarding spoke1  
 ip address 192.168.1.1 255.255.255.0  
 no ip redirects  
 ip nhrp authentication DMVPN  
 ip nhrp map multicast 50.50.21.2  
 ip nhrp map 192.168.1.2 50.50.21.2  
 ip nhrp network-id 1  
 ip nhrp nhs 192.168.1.2  
 tunnel source FastEthernet0/0  
 tunnel mode gre multipoint  
!  
interface FastEthernet0/0  
 ip vrf forwarding spoke1  
 ip address 50.50.1.2 255.255.255.0  
 duplex full  
!  
interface FastEthernet1/0  
 no ip address  
 speed auto  
 duplex auto  
!  
interface FastEthernet1/1  
 no ip address  
 shutdown  
 speed auto  
 duplex auto  
!  
interface FastEthernet2/0  
 ip vrf forwarding spoke1  
 ip address 172.16.1.10 255.255.255.0 
 speed auto  
 duplex auto  
!  
!  
!  
router bgp 5000  
 bgp log-neighbor-changes  
 !  
 address-family ipv4 vrf spoke1  
  network 172.16.1.0 mask 255.255.255.0  
  neighbor 50.50.1.1 remote-as 5001  
  neighbor 50.50.1.1 activate  
 exit-address-family  
!  
!  
ip forward-protocol nd   
!  
!  
no ip http server  
no ip http secure-server  
!  
!  
!  
!  
control-plane  
! 
line con 0  
 exec-timeout 0 0  
 privilege level 15  
 logging synchronous  
 stopbits 1  
line aux 0  
 exec-timeout 0 0  
 privilege level 15  
 logging synchronous  
 stopbits 1  
line vty 0 4  
 login  
!  
!  
end

R1 config:

R1#sh run  
Building configuration...  

Current configuration : 2234 bytes 
!  
version 15.2  
service timestamps debug datetime msec  
service timestamps log datetime msec  
!  
hostname R1  
! 
boot-start-marker  
boot-end-marker  
!  
!  
! 
no aaa new-model 
no ip icmp rate-limit unreachable  
ip cef 
! 
ip vrf hub 
 rd 65000:2 
!
!  
!  
!  
!  
!  
no ip domain lookup  
no ipv6 cef  
!  
!  
multilink bundle-name authenticated  
!
!  
!  
ip tcp synwait-time 5  
!
!
!
!
!  
!  
!  
!  
!  
!  
!  
!  
interface Loopback1  
 ip address 5.5.5.5 255.255.255.255  
!  
interface Tunnel0  
 ip vrf forwarding hub  
 ip address 192.168.1.2 255.255.255.0  
 no ip redirects  
 ip nhrp authentication DMVPN  
 ip nhrp map multicast dynamic  
 ip nhrp network-id 1  
 tunnel source FastEthernet1/0  
 tunnel mode gre multipoint  
!  
interface FastEthernet1/0  
 ip vrf forwarding hub  
 ip address 50.50.21.2 255.255.255.0  
 speed auto  
 duplex auto  
!  
interface FastEthernet1/1  
 ip vrf forwarding hub  
 ip address 172.16.21.10 255.255.255.0  
 speed auto  
 duplex auto  
!  
!  
!  
router bgp 5002  
 bgp log-neighbor-changes  
 ! 
 address-family ipv4 vrf hub  
  bgp router-id 3.3.3.3  
  network 172.16.21.0 mask 255.255.255.0  
  neighbor 50.50.21.1 remote-as 5001  
  neighbor 50.50.21.1 activate  
 exit-address-family  
!  
!  
ip forward-protocol nd  
!  
!  
no ip http server  
no ip http secure-server  
!  
!  
!  
!  
control-plane  
! 
line con 0  
 exec-timeout 0 0  
 privilege level 15  
 logging synchronous  
 stopbits 1  
line aux 0  
 exec-timeout 0 0  
 privilege level 15  
 logging synchronous  
 stopbits 1  
line vty 0 4  
 login  
!  
!  
end 




WAN#sh run
Building configuration...

Current configuration : 2431 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname WAN
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf hub
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:1
!
ip vrf spoke1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:2
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip vrf forwarding spoke1
 ip address 4.4.4.4 255.255.255.255
 shutdown
!
interface Loopback2
 ip vrf forwarding hub
 ip address 5.5.5.5 255.255.255.255
 shutdown
!
interface FastEthernet0/0
 ip vrf forwarding spoke1
 ip address 50.50.1.1 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip vrf forwarding hub
 ip address 50.50.21.1 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet4/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet4/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface GigabitEthernet5/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet6/0
 no ip address
 shutdown
 negotiation auto
!
router bgp 5001
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf hub
  redistribute connected
  neighbor 50.50.21.2 remote-as 5002
  neighbor 50.50.21.2 activate
 exit-address-family
 !
 address-family ipv4 vrf spoke1
  redistribute connected
  neighbor 50.50.1.2 remote-as 5000
  neighbor 50.50.1.2 activate
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

WAN Config

WAN#sh run
Building configuration...

Current configuration : 2431 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname WAN
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf hub
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:1
!
ip vrf spoke1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:2
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip vrf forwarding spoke1
 ip address 4.4.4.4 255.255.255.255
 shutdown
!
interface Loopback2
 ip vrf forwarding hub
 ip address 5.5.5.5 255.255.255.255
 shutdown
!
interface FastEthernet0/0
 ip vrf forwarding spoke1
 ip address 50.50.1.1 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip vrf forwarding hub
 ip address 50.50.21.1 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet4/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet4/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface GigabitEthernet5/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet6/0
 no ip address
 shutdown
 negotiation auto
!
router bgp 5001
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf hub
  redistribute connected
  neighbor 50.50.21.2 remote-as 5002
  neighbor 50.50.21.2 activate
 exit-address-family
 !
 address-family ipv4 vrf spoke1
  redistribute connected
  neighbor 50.50.1.2 remote-as 5000
  neighbor 50.50.1.2 activate
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

Best Answer

You are running DMVPN on a VRF enabled device. Both your public interface (used as tunnel source) and your tunnel endpoint is VRF enabled.

To have the tunnel endpoint in a VRF, you need to enable VRF forwarding on the tunnel interface, which you have done.

To have the tunnel source in a VRF (called frontdoor VRF), you need two things:

The tunnel source interface needs to have VRF forwarding enabled
You need tunnel vrf spoke1 under the tunnel, to instruct the tunnel to use the specified VRF

On R1 and DMVPN, add the following configuration:

int tun 0 tunnel vrf spoke1

You can get additional information on frontdoor VRFs for example on this blog post.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Routing – Split Horizon will not disable on interface

Try adding this command to your tunnel interface. Your spokes are receiving routes with the next-hop as the hub router without it.

no ip next-hop-self eigrp 1601

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Routing – Split Horizon will not disable on interface

Related Topic