Knowledge Base

Spoke to Spoke tunnel doesn't go up on AR3G using DSVPN

Publication Date:  2013-02-26  |   Views:  221  |   Downloads:  4  |   Author:  a80026175  |   Document ID:  EKB1000024437

Issue Description

In a DSVPN topology with 2 Spokes and one Hub, pinging from one Spoke to the other shows full connectivity. However, when pinging from the host behind Spoke1 to the host behind Spoke2, the tunnels between the 2 Spokes do not go UP.

Alarm Information

[NHRP-Err] NHRP parse extension, Extension Type: 0, stop parse extensions.
[NHRP-Err] NHRP get nat extension CIE fail, the pkt have not the CIE.

Handling Process

The first step was to analyze the configurations. The conclusion was that the DSVPN topology was not symmetric: one branch had an NHRP tunnel configured and the other had an NHRP/IPSec tunnel configured. The second step was to change the configuration to obtain a working setup: configure an IPSec/IKE tunnel on the other side (Hub to Spoke2). After this configuration change, the tests were successful.
When configuring DSVPN, the default protocol used is NHRP. Optionally, you can add IPSec tunnels (which adds a higher security level). In the configuration you sent, there was an NHRP and IPSec tunnel configured between Spoke2 and Hub1 and only NHRP between Spoke3 and Hub1. That could have caused the inconsistency in the establishment of the tunnels.

Root Cause

Misconfiguration of the tunnels from the Hub towards both Spokes. The tunnel between Spoke1 and the Hub is configured with NHRP. The tunnel between Spoke2 and the Hub is configured with NHRP/IPSec.

Suggestions

When configuring a DSVPN environment, use symmetric configurations for the branches. For example, either both branches use NHRP, or both branches use NHRP and IPSec (IPSec is optional in DSVPN).
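
The symmetry check suggested above can be run offline against saved configurations before deployment. The following is an added example, not part of the original case or Huawei's tooling; the device names, addresses and the `dsvpn-prof` profile name are constructed, and it assumes an IPSec-protected tunnel is identified by an `ipsec profile` line under the mGRE tunnel interface.

```python
import re

# Constructed VRP-style tunnel stanzas (not the configurations from this case).
# Assumption: "ipsec profile <name>" under the tunnel marks NHRP/IPSec,
# and its absence marks an NHRP-only tunnel.
def _stanza(ip, extra):
    return ("interface Tunnel0/0/0\n"
            f" ip address {ip} 255.255.255.0\n"
            " tunnel-protocol gre p2mp\n" + extra + "#\n")

SAMPLE_CONFIGS = {
    "Hub": _stanza("172.16.1.1", " nhrp entry multicast dynamic\n ipsec profile dsvpn-prof\n"),
    "Spoke1": _stanza("172.16.1.2", " nhrp entry 172.16.1.1 203.0.113.1 register\n"),
    "Spoke2": _stanza("172.16.1.3", " nhrp entry 172.16.1.1 203.0.113.1 register\n"
                                    " ipsec profile dsvpn-prof\n"),
}

def tunnel_protection(config):
    """Map each mGRE tunnel interface to its IPSec profile (None if NHRP only)."""
    result, name, body = {}, None, []

    def flush():
        # Record the stanza only if it is a point-to-multipoint GRE tunnel.
        if name and any(l.startswith("tunnel-protocol gre p2mp") for l in body):
            profiles = [l.split()[2] for l in body if l.startswith("ipsec profile ")]
            result[name] = profiles[0] if profiles else None

    for raw in config.splitlines() + ["#"]:
        line = raw.strip()
        m = re.match(r"interface (Tunnel\S+)$", line)
        # A new interface, a "#" separator or any unindented line ends a stanza.
        if m or line == "#" or (raw and not raw[0].isspace()):
            flush()
            name, body = (m.group(1) if m else None), []
        elif name:
            body.append(line)
    return result

def find_asymmetry(configs):
    """List tunnels lacking IPSec while other tunnels in the same domain have it."""
    state = {}
    for dev, text in configs.items():
        for ifname, profile in tunnel_protection(text).items():
            state[(dev, ifname)] = profile is not None
    if len(set(state.values())) <= 1:  # all NHRP-only or all NHRP/IPSec
        return []
    return sorted(f"{dev} {ifname}" for (dev, ifname), ok in state.items() if not ok)

if __name__ == "__main__":
    print(find_asymmetry(SAMPLE_CONFIGS))
```

An empty result means every mGRE tunnel in the set is configured the same way, either all NHRP or all NHRP with IPSec.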