DMVPN EIGRP routes not passing


I am having a problem with a DMVPN tunnel I recently created. I have done some troubleshooting on this and discovered the tunnel to be up between both sites, but they are not passing any traffic between each other. To create this tunnel I used code from a working tunnel and modified it for the needs of this new tunnel. In my research I have not found a configuration example similar to what is configured on my routers. I feel like the problem is with either EIGRP or an access list.

Here is the config of the spoke router (Cisco 1921 running 15.4) that is not passing traffic over the tunnel; internet works.

interface Tunnel0
 bandwidth 10000
 ip unnumbered GigabitEthernet0/1
 tunnel source Cellular0/0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN

router eigrp 1
 network 192.168.154.0
 passive-interface default
 no passive-interface Tunnel0

Here are the results of the show commands EIGRP neighbor and ip access-lists on the spoke router that is not passing traffic.

PatonBMCXRou#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
PatonBMCXRou#show ip access-list
Extended IP access list Internet-IN
    10 permit udp any any eq non500-isakmp
    20 permit udp any any eq isakmp (3 matches)
    30 permit esp any any
Extended IP access list InternetIn
Extended IP access list NAT
    10 deny ip 192.168.148.0 0.0.2.255 192.168.154.0 0.0.0.255
    20 deny ip 192.168.152.0 0.0.7.255 192.168.154.0 0.0.0.255
    30 permit ip 192.168.154.0 0.0.0.255 any (11004 matches)
Extended IP access list VPDNSplitTunnel
    10 permit ip 192.168.148.0 0.0.2.255 192.168.154.0 0.0.0.255
    20 permit ip 192.168.152.0 0.0.7.255 192.168.154.0 0.0.0.255
Extended IP access list acl-nat
Extended IP access list acl-static-nat

Here is the config on the spoke router (Cisco 3925 running 15.2). The Port Arthur tunnel works and I can pass traffic over it. The BMCX one, the tunnel is up but I cannot.

interface Tunnel2
 description BMCX
 bandwidth 5000
 no ip address
 delay 100
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN
!
interface Tunnel4
 description Port Arthur
 bandwidth 10000
 ip unnumbered Vlan1
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN

Here are the results of the show commands EIGRP neighbor and ip access-lists on the hub router.

HouCoreRou#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.31.254.246          Tu0                      11 1d21h      51   582  0  6335
1   172.31.254.251          Tu1                      10 2d00h      80   582  0  12169
2   192.168.153.1           Tu4                      11 6d02h      17   102  0  260
HouCoreRou#show ip access-list
Standard IP access list 10
    10 permit any
Standard IP access list Management
    10 permit (IP Removed), wildcard bits 0.0.0.3
    20 permit 192.168.148.0, wildcard bits 0.0.3.255
    30 permit 192.168.153.0, wildcard bits 0.0.0.255
    40 permit 10.0.8.0, wildcard bits 0.0.3.255
    50 permit 10.0.44.0, wildcard bits 0.0.3.255
    60 permit 192.168.150.0, wildcard bits 0.0.0.255
Extended IP access list InternetIn
    200 permit icmp any any (1143766 matches)
    210 permit udp any any eq non500-isakmp
    220 permit udp any any eq isakmp

Extended IP access list NAT
    10 deny ip 192.168.146.0 0.0.4.255 10.0.12.0 0.0.1.255
    20 deny ip 192.168.146.0 0.0.4.255 10.0.40.0 0.0.3.255
    30 deny ip 192.168.146.0 0.0.4.255 10.0.44.0 0.0.3.255
    40 deny ip 10.0.8.0 0.0.3.255 192.168.146.0 0.0.4.255
    50 deny ip 10.0.8.0 0.0.3.255 10.0.8.0 0.0.3.255
    60 deny ip 10.0.8.0 0.0.3.255 10.0.12.0 0.0.1.255
    70 deny ip 10.0.8.0 0.0.3.255 10.0.40.0 0.0.3.255
    80 deny ip 10.0.8.0 0.0.3.255 10.0.44.0 0.0.3.255
    90 deny ip 10.0.12.0 0.0.1.255 192.168.146.0 0.0.4.255
    100 deny ip 10.0.12.0 0.0.1.255 10.0.8.0 0.0.3.255
    110 deny ip 10.0.12.0 0.0.1.255 10.0.12.0 0.0.1.255
    120 deny ip 10.0.12.0 0.0.1.255 10.0.40.0 0.0.3.255
    130 deny ip 10.0.12.0 0.0.1.255 10.0.44.0 0.0.3.255
    140 deny ip 10.0.40.0 0.0.3.255 192.168.146.0 0.0.4.255
    150 deny ip 10.0.40.0 0.0.3.255 10.0.8.0 0.0.3.255
    160 deny ip 10.0.40.0 0.0.3.255 10.0.12.0 0.0.1.255
    170 deny ip 10.0.40.0 0.0.3.255 10.0.40.0 0.0.3.255
    180 deny ip 10.0.40.0 0.0.3.255 10.0.44.0 0.0.3.255
    190 deny ip 10.0.44.0 0.0.3.255 192.168.146.0 0.0.4.255
    200 deny ip 10.0.44.0 0.0.3.255 10.0.8.0 0.0.3.255
    210 deny ip 10.0.44.0 0.0.3.255 10.0.12.0 0.0.1.255
    220 deny ip 10.0.44.0 0.0.3.255 10.0.40.0 0.0.3.255
    230 deny ip 10.0.44.0 0.0.3.255 10.0.44.0 0.0.3.255
    240 permit ip 192.168.150.0 0.0.1.255 any (20325248 matches)
    250 permit ip 192.168.152.0 0.0.1.255 any
    260 permit ip 192.168.153.0 0.0.0.255 any
    270 permit ip 10.0.8.0 0.0.3.255 any (7381154 matches)
    280 permit ip 10.0.12.0 0.0.1.255 any (430120 matches)
    290 permit ip 10.0.40.0 0.0.3.255 any (672384 matches)
    300 permit ip 10.0.44.0 0.0.3.255 any (2 matches)
    310 deny ip 192.168.146.0 0.0.4.255 192.168.146.0 0.0.4.255
    320 deny ip 192.168.146.0 0.0.4.255 10.0.8.0 0.0.3.255

Extended IP access list VPDNSplitTunnel
    10 permit ip 192.168.150.0 0.0.1.255 192.168.150.0 0.0.1.255
    20 permit ip 192.168.150.0 0.0.1.255 192.168.152.0 0.0.0.255
    30 permit ip 192.168.152.0 0.0.0.255 192.168.150.0 0.0.1.255
    40 permit ip 192.168.152.0 0.0.0.255 192.168.152.0 0.0.0.255
Extended IP access list acl-nat
    10 permit ip object-group og-rfc1918 any
    20 permit ip any object-group og-rfc1918
    30 deny ip object-group og-rfc1918 object-group og-rfc1918
Extended IP access list acl-static-nat
    10 permit ip object-group og-rfc1918 any (12138 matches)
    20 permit ip any object-group og-rfc1918
    30 deny ip object-group og-rfc1918 object-group og-rfc1918

Here is the config of the spoke router (Cisco 1921 running 15.1) that is passing traffic over the tunnel. This is where I sourced my code for the spoke that is not working.

interface Tunnel0
 bandwidth 10000
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN

router eigrp 1
 network 192.168.153.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1

Here are the results of the show commands EIGRP neighbor and ip access-lists on the spoke router that is passing traffic.

PAFiberRou#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.150.1           Tu0               14 6d02h      17   200  0  867
PAFiberRou#show ip access-list
Standard IP access list Management
    10 permit (IP Removed), wildcard bits 0.0.0.3
    20 permit 192.168.150.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit 192.168.153.0, wildcard bits 0.0.0.255
Extended IP access list InternetIn
    10 permit tcp any any eq 22 (38338 matches)
    20 permit udp any any eq isakmp (2885 matches)
    30 permit udp any any eq non500-isakmp (45565572 matches)
    40 permit esp any any (373917919 matches)
Extended IP access list NAT
    10 deny ip 192.168.150.0 0.0.1.255 192.168.153.0 0.0.0.255 (26 matches)
    20 deny ip 192.168.152.0 0.0.7.255 192.168.153.0 0.0.0.255 (2440069 matches)
    30 permit ip 192.168.153.0 0.0.0.255 any (5027871 matches)
Extended IP access list VPDNSplitTunnel
    10 permit ip 192.168.150.0 0.0.1.255 192.168.153.0 0.0.0.255
    20 permit ip 192.168.152.0 0.0.7.255 192.168.153.0 0.0.0.255

Best Answer

The answer was

IP unnumbered vlan1

on tunnel 2 of the hub
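
A check for the fault named in the answer, as an added example that is not part of the original post or answer: it scans an IOS configuration for tunnel interfaces that have neither `ip address` nor `ip unnumbered`, which leaves IP processing disabled so EIGRP never forms a neighbor even though the IPsec tunnel is up. The sample is constructed from the hub's Tunnel2 and Tunnel4 stanzas in the question (trimmed); the function names are hypothetical.

```python
import re

# Constructed sample: the hub's tunnel stanzas from the question, trimmed
# to the lines that matter for this check.
HUB_CONFIG = """\
interface Tunnel2
 description BMCX
 no ip address
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel protection ipsec profile Mesh-VPN
!
interface Tunnel4
 description Port Arthur
 ip unnumbered Vlan1
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel protection ipsec profile Mesh-VPN
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the stanza
    return interfaces

def tunnels_without_ip(config):
    """Return (name, description) for tunnels with IP processing disabled."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        # "no ip address" does not match: the pattern is anchored at "ip ".
        has_ip = any(re.match(r"ip (address|unnumbered) \S+", c) for c in cmds)
        if not has_ip:
            desc = next((c[12:] for c in cmds if c.startswith("description ")), "")
            findings.append((name, desc))
    return findings
```

Run against the posted hub stanzas, `tunnels_without_ip(HUB_CONFIG)` reports only Tunnel2 (BMCX), the interface the answer corrects.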
