[c-nsp] DMVPN problem, "NHRP: Encapsulation failed for destination" ...
Stephen Fulton
sf at lists.esoteric.ca
Fri Sep 7 06:01:08 EDT 2007
A minor correction: When I redacted the details, I changed the tunnel
key at each side to a different one. In fact, the keys are identical,
just not listed as such in my original e-mail.
Thanks to David for pointing that out!
-- Stephen
Stephen Fulton wrote:
> Hi all,
>
> I've got a setup which has DMVPN working fine with a dozen remote
> locations, except for one. The hub is a 2811 running
> c2800nm-advipservicesk9-mz.124-9.T1.bin, and the problem spoke is an
> older 1721 running c1700-advipservicesk9-mz.123-23.bin. Essentially the
> tunnel is not coming up between the hub and spoke, and the only clue
> I've seen in debug nhrp is the following:
>
> Sep 7 03:31:06.460: NHRP: Attempting to send packet via DEST 128.1.254.4
> Sep 7 03:31:06.460: NHRP: Send Error Indication via Tunnel0, packet size: 94
> Sep 7 03:31:06.460: src: 128.1.254.1, dst: 128.1.254.4
> Sep 7 03:31:06.460: NHRP: Encapsulation failed for destination 128.1.254.4 out Tunnel0
>
> The crypto map configuration on the spoke is identical to all the other
> spokes, which work perfectly. Mind you, those are more recent routers
> (2611XM's, 2811's, 1841's etc).
>
> The spoke is a PPPoE connection, with the static IP configured on
> Loopback1 and the dialer interface using ip unnumbered Loopback1.
>
> Here's a redacted copy of the tunnel config for both the hub and problem
> spoke:
>
> Hub:
>
> interface Tunnel0
>  description VPN GRE Tunnel Template
>  ip vrf forwarding CUSTOMER-VRF
>  ip address 128.1.254.1 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication PASSWD12
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 1
>  ip nhrp holdtime 300
>  no ip route-cache cef
>  no ip route-cache
>  no ip mroute-cache
>  ip ospf network broadcast
>  ip ospf priority 255
>  delay 1000
>  keepalive 10 3
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 123
>  tunnel protection ipsec profile VPN-PROFILE shared
>
>
> Spoke:
>
> interface Tunnel0
>  ip address 128.1.254.4 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication PASSWD12
>  ip nhrp map multicast dynamic
>  ip nhrp map 128.1.254.1 1.2.3.4
>  ip nhrp map multicast 1.2.3.4
>  ip nhrp network-id 1
>  ip nhrp holdtime 300
>  ip nhrp nhs 128.1.254.1
>  no ip route-cache cef
>  no ip route-cache
>  no ip mroute-cache
>  ip ospf network broadcast
>  ip ospf mtu-ignore
>  delay 1000
>  keepalive 10 3
>  tunnel source Loopback1
>  tunnel mode gre multipoint
>  tunnel key 0
>  tunnel protection ipsec profile VPN-PROFILE
>
>
> Any thoughts?
>
> -- Stephen.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
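
Added example, not part of the original thread and not Cisco tooling: a short Python check over the two Tunnel0 stanzas as listed above, comparing the settings that must agree on both ends of the mGRE tunnel (GRE tunnel key, NHRP authentication string) and confirming the spoke has a static NHRP map for its NHS. The config lines are copied from the redacted post, the function names are hypothetical, and the classic `ip nhrp map` plus `ip nhrp nhs` spoke style is assumed; on this listing it reports the tunnel key difference that the correction above describes as a redaction artifact.

```python
import re

# Tunnel0 lines copied from the post as redacted (abridged to the relevant ones).
HUB = """\
interface Tunnel0
 ip address 128.1.254.1 255.255.255.0
 ip nhrp authentication PASSWD12
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile VPN-PROFILE shared
"""
SPOKE = """\
interface Tunnel0
 ip address 128.1.254.4 255.255.255.0
 ip nhrp authentication PASSWD12
 ip nhrp map 128.1.254.1 1.2.3.4
 ip nhrp map multicast 1.2.3.4
 ip nhrp network-id 1
 ip nhrp nhs 128.1.254.1
 tunnel source Loopback1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile VPN-PROFILE
"""

# Settings that must carry the same value on hub and spoke.
MUST_MATCH = ("ip nhrp authentication", "tunnel key")

def setting(cfg, prefix):
    """Return the argument of the first line starting with `prefix`, or None."""
    m = re.search(rf"^\s*{re.escape(prefix)}\s+(\S.*)$", cfg, re.M)
    return m.group(1).strip() if m else None

def check_pair(hub, spoke):
    """List findings for one hub/spoke tunnel pair (hypothetical helper)."""
    findings = []
    for key in MUST_MATCH:
        h, s = setting(hub, key), setting(spoke, key)
        if h != s:
            findings.append(f"{key}: hub={h} spoke={s}")
    # Assumed spoke style: the NHS tunnel IP needs a static map to its NBMA address.
    nhs = setting(spoke, "ip nhrp nhs")
    if nhs and not re.search(rf"^\s*ip nhrp map {re.escape(nhs)}\s+\S+", spoke, re.M):
        findings.append(f"no static ip nhrp map for NHS {nhs}")
    return findings

print(check_pair(HUB, SPOKE))
```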