Hello Rene,
I run 15.2(4)S5 on 7200. Is it possible to implement P3 if ip nhrp redirect failed ?
% NHRP-WARNING: 'ip nhrp redirect' failed to initialise
I looked up IOS features and Phase 3 seems supported.
thanks
Hello Vitaly
I was looking at the Cisco Feature Navigator and I was unable to find the 15.2(4)S5 IOS software release you mention:
Can you verify the release? Also, once thatâs verified, you can use the Cisco Feature Navigator to verify that Phase 3 is supported. Let us know what you find!
Looking further into it I see that others are having similar problems when attempting to implement a similar lab using GNS3. It can be buggy, so it may be due to GNS3 and not the IOS version itself. Can you attempt it on another platform to verify?
I hope this has been helpful!
Laz
Thanks
I use real routers not GNS3, 7200, 2811,1841, 2921
c7200-advipservicesk9-mz.152-4.S5.bin
P3 DMVPN cant be established. I will try 2921 as a hub.
The P2 config for IPSEC DMVPN (the lessons) does kill my tunnel comms. As soon as I remove IPSEC config statement from the tunnel interface it could have been reestablished with the two spokes I have.
the IPSEC wrapper breaks the membership
Hi Vitaly,
Searching for this error message, it seems itâs related to the IOS version of the 7200 router. Did you have more luck with a more recent IOS version on your 2921?
Rene
Hello Rene,Laz,
In DMVPN phase 3, if spoke 1 wants to send traffic to spoke 2, then spoke1 sends NHRP resolution request to hub and hub sends âNHRP Traffic indicationâ message to the spoke1. But I do not see any information about spoke 2 in the âNHRP Traffic indicationâ message then what is the significance of âNHRP Traffic indicationâ packet ?
Thanks,
Sachin
Thanks,
Sachiin
Hello Sachin
The NHRP Traffic Indication message contains information about the original packet including its IP header which includes the original destination IP address. The purpose of this message is to indicate to the sender (Spoke 1) that the original packet was received, and the NHRP registration/encapsulation has succeeded. In other words, the hub is telling Spoke 1, âIâm ready to route your traffic to this destinations successfully, please continue to send your packetsâ. It doesnât need to send any other info concerning Spoke 2 other than the original destination IP address.
Once the hub receives additional packets for this destination, it can now route them to the destination of Spoke 2.
I hope this has been helpful!
Laz
Hello NetworkLessons Team. I need an explanation about NHRP below:
- ip nhrp shortcut
- ip nhrp network-id
- ip nhrp map
- ip nhrp nhs
- ip nhtp responder
Thanks
Hello Boris
All of these commands are being used in this lesson except for the last one:
Iâll attempt to give you a brief summary of each, but you can also see them in action in the lesson too.
-
ip nhrp shortcut- This command allows the spoke routers to makes changes in the CEF entry when they receive a redirect message from the hub. -
ip nhrp network-id- This command simply enables NHRP on the interface. All NHRP devices within the logical network must be configured with the same network identifier. -
ip nhrp map- This command statically configures the IP-toNBMA address mapping of IP destinations connected to an NBMA network. At least one static mapping is necessary to reach the next-hop server. -
ip nhrp nhs- This command specifies the address of one or more NHRP servers. -
ip nhrp responder- This command is used to designate the primary IP address of the next hop server that an interface will use in NHRP reply packets when the NHRP requestor uses the responder address option.
You can find out more information about these and other NHRP commands at this Cisco documentation.
I hope this has been helpful!
Laz
2 Likes
Hello Laz.
Thanks a lot.
1 Like
Hi Everyone,
I have a question about topology that will involve DMVPN router sitting behind ASA FW. Iâm trying to bring up DMVPN with my friend and my home network is already established with ASA being the first device facing internet with public IP setup on outside interface Gi0. Can some one point me to right direction what needs to be done on my router (spoke) and the ASA to make this work? Maybe some configuration example will be greatâŚ
Understand that at minimum I will need to open ports 500 and 4500 with some ACLâs on the ASA but what next?
Hello Roman
Typically, when running DMVPN behind an ASA firewall, there are several options, two of which suit your situation.
The first involves placing the DMVPN router in the DMZ of your ASA, and assigning it a public address, which means you can filter traffic, but you donât actually have to open specific ports. The other involves having the DMVPN router behind the firewall, in which case you will need to open/forward some ports. From my understanding, it is the second scenario that you require.
For this you must forward ports udp 500 and udp 4500 for nat-t, but also, as per this Cisco documentation, you have the following restrictions:
- For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set.
- If one spoke is behind one NAT device and another different spoke is behind another NAT device, and Peer Address Translation (PAT) is the type of NAT used on both NAT devices, then a session initiated between the two spokes cannot be established.
- For best DMVPN functionality, it is recommended that you run the latest Cisco IOS software Release 12.4 mainline,12.4T, or 12.2(18)SXF.
I hope this has been helpful!
Laz
Laz ,
Thanks for your response. The 2nd scenario is something that I would like to eventually implement in my lab. I will go over the Cisco doc. and play with it. Hopefully I will figured out , it will be great opportunity to learn something new. Thanks again to point me in right direction.
-Roman
1 Like
Hi Laz,
In DMVPN Phase 3 when spokes router receive NHRP redirect message then they send NHRP resolution request message so question is here that to whom they send NHRP Resolution Request message, to each other or Hub router ?
Hello Pradyumna
Take a look at this post:
You should find your answer there.
I hope this has been helpful!
Laz
Hi Laz,
I got it but still have a doubt is that post getting NBMA address of spoke 2 through redirect message then why spoke 1 router still sending a NHRP resolution request through Hub to the spoke 2 as you mentioned?
Hello Pradyumna
Yes, it is interesting that when the originating router (spoke 1) receives the redirect message from the HUB, it then sends an NHRP request to the proper spoke (spoke 2). Notice here that the target of the request is not the hub, but the request does traverse the hub. This is because the resolution request travels via the regular IP routing path, which is via the HUB, because the HUB originated the prefix to spoke 2. It is only when spoke 2 responds to the resolution request that it responds directly (not via the HUB). Once spoke 1 receives this, it can then communicate directly with spoke 2.
I hope this has been helpful!
Laz
Ok got it Laz so we can say it will be send two times by spoke 1, first for getting a nbma address of spoke 2 and second for getting a response directly from spoke 2 so they communicate directly, am i rightâŚ
Hello Pradyumna
Yes you got it!! Glad to be of help!
Laz
1 Like
This version dont work either.
HUB(config)#interface tunnel 0
HUB(config-if)#ip nhrp redirect
% NHRP-WARNING: 'ip nhrp redirect' failed to initialise
HUB(config-if)#
HUB(config-if)#do sh ver | i IOS
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S6, RELEASE SOFTWARE (fc1)
NOT WORKING FOR ME.
ANY WORKING IOS CODE PLEASE.
Hello Network J
As Andrew has mentioned in his post, the solution to the problem is to use the M-train image c7200-adventerprisek9-mz.152-4.M6. It seems that you are using the S-train image. Now the S-train image does indeed support this command on real hardware, but for some reason, it doesnât work on GNS3.
This has also been confirmed at this GNS3 forum post.
I hope this has been helpful!
Laz