Dynamic Multipoint VPN (DMVPN) is a powerful solution for scalable, secure site-to-site communication. However, troubleshooting it can be complex due to its dependency on ISAKMP/IKE policies, IPSec transform sets, and NHRP mappings. Below is a detailed guide on interpreting debug output and related commands to pinpoint common issues.


Troubleshooting DMVPN

ISAKMP Policy Mismatches

When debugging with debug crypto isakmp, several errors can indicate a mismatch in ISAKMP/IKE Phase 1 policies between DMVPN peers.


Aggressive/Main Mode Failures: If the log shows messages like:

Can not start Aggressive mode, trying Main mode.
Incorrect policy settings. Unable to initiate.

It typically means that the peer’s ISAKMP settings (encryption, hash, group, or authentication method) do not match. Check both configurations for alignment or compatibility.


Encryption Algorithm Mismatch:

Encryption algorithm offered does not match policy

This indicates the encryption algorithm proposed by one peer doesn’t match the policy of the other. Verify the encryption setting in your ISAKMP policy (crypto isakmp policy) and ensure both routers agree.


Hash Algorithm Mismatch:

Hash algorithm offered does not match policy

This means the hash algorithm (e.g., SHA, MD5) does not match. Confirm that both sides are configured with the same hash value.


Diffie-Hellman Group Mismatch:

Diffie-Hellman group offered does not match policy

Check that both routers use the same group (e.g., group 2, group 5). Mismatched groups will prevent tunnel negotiation.


Missing Pre-Shared Keys or Certificates

Errors like:

No pre-shared key with 101.1.1.100
No Cert or pre-shared address key

These point to missing or misconfigured pre-shared keys or certificates. Verify your crypto isakmp key statements or PKI setup. If you are using certificates, confirm that the trustpoints and certificates are valid and correctly associated.


IPSec Phase 2 Policy Rejection

If you see:

phase 2 SA policy not acceptable

The IPSec transform set does not match between the peers. Ensure that the transform set (crypto ipsec transform-set) configurations (encryption, authentication, and mode) match precisely on both ends.
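As an added example (not part of the original guide), the following Python script applies the message-to-cause mapping described in the sections above to a constructed sample of debug crypto isakmp output. It deduplicates repeated messages, pulls the peer address out of the "No pre-shared key" line, and orders findings Phase 1 before Phase 2 so the earliest failure is checked first. The sample log lines and their timestamp prefix are constructed; the verification hints reference the configuration commands named in the text.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "phase cause peer verify")

# Debug messages discussed above, each mapped to the negotiation phase it
# belongs to, the likely cause, and the configuration to compare on both peers.
PATTERNS = [
    (r"Can not start Aggressive mode, trying Main mode|Incorrect policy settings",
     1, "ISAKMP policy mismatch (encryption/hash/group/auth)", "crypto isakmp policy"),
    (r"Encryption algorithm offered does not match policy",
     1, "ISAKMP encryption algorithm mismatch", "crypto isakmp policy"),
    (r"Hash algorithm offered does not match policy",
     1, "ISAKMP hash algorithm mismatch", "crypto isakmp policy"),
    (r"Diffie-Hellman group offered does not match policy",
     1, "ISAKMP Diffie-Hellman group mismatch", "crypto isakmp policy"),
    (r"No pre-shared key with (\S+)|No Cert or pre-shared address key",
     1, "missing pre-shared key or certificate", "crypto isakmp key / PKI trustpoint"),
    (r"phase 2 SA policy not acceptable",
     2, "IPsec transform set mismatch", "crypto ipsec transform-set"),
]

# Constructed sample of debug output (timestamps and ISAKMP prefixes are made up;
# the peer address is the one quoted in the text above).
SAMPLE_DEBUG = """\
*Mar  1 00:01:02.345: ISAKMP:(0): Can not start Aggressive mode, trying Main mode.
*Mar  1 00:01:02.349: ISAKMP:(0): Encryption algorithm offered does not match policy
*Mar  1 00:01:02.349: ISAKMP:(0): Encryption algorithm offered does not match policy
*Mar  1 00:01:05.101: ISAKMP: No pre-shared key with 101.1.1.100
*Mar  1 00:01:07.200: ISAKMP:(1002): phase 2 SA policy not acceptable
"""


def classify(lines):
    """Return one Finding per distinct problem, Phase 1 first, duplicates dropped."""
    findings = []
    for line in lines:
        for pattern, phase, cause, verify in PATTERNS:
            m = re.search(pattern, line)
            if m:
                peer = next((g for g in m.groups() if g), None)
                f = Finding(phase, cause, peer, verify)
                if f not in findings:
                    findings.append(f)
                break  # first matching pattern wins for this line
    return sorted(findings, key=lambda f: f.phase)  # stable: keeps log order per phase


if __name__ == "__main__":
    for f in classify(SAMPLE_DEBUG.splitlines()):
        peer = f" (peer {f.peer})" if f.peer else ""
        print(f"Phase {f.phase}: {f.cause}{peer} -> compare {f.verify} on both routers")
```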


EIGRP/Routing Not Coming Up

Sometimes Phase 1 and Phase 2 complete successfully, but routing protocols like EIGRP fail to establish adjacency or exchange routes. Common causes include:

  • Incorrect Tunnel IP Addresses: Check both sides of the tunnel to rule out mistyped addresses.
  • Tunnel Down or Multicast Not Working: If tunnels appear up but routing doesn’t work, confirm that:
    • ip nhrp multicast is set on the spoke interface.
    • ip nhrp authentication is configured if used.
    • ip nhrp nhs is correctly pointing to the hub.


Verifying Phase Status and Configuration with Commands

Below is a set of useful show and debug commands that will help you isolate and verify DMVPN issues:


NHRP and Tunnel Mapping

  • show ip nhrp – View NHRP mappings, NBMA addresses, NHS state, and timers.
  • debug nhrp – Deep diagnostics on NHRP traffic.


ISAKMP and IPSec

  • show crypto isakmp sa [detail] – See Phase 1 SA status.
  • show crypto ipsec sa – View Phase 2 tunnel status and packet encryption/decryption.
  • show crypto session – Check overall crypto sessions and peers.
  • debug crypto isakmp – Trace IKE negotiations and errors.


Tunnel and Routing

  • show adjacency tunnel0 – Show tunnel adjacency states.
  • show adjacency tunnel0 detail – Include Layer 2 info in adjacency.
  • show dmvpn – Basic DMVPN details (limited help).
  • show dmvpn detail – Detailed DMVPN state information.
  • show crypto session inter tunnel0 detail – Insight into tunnel-specific crypto sessions.


Route Overrides (NHRP-induced)

  • show ip route next-hop-override x.x.x.x x.x.x.x – Confirm NHRP-added routes, shown with the H marker in the routing table.

Example output:

[NHO]172.16.99.3


PKI (If Using Certificates)

  • show crypto pki server – View the PKI server’s state.
  • show crypto pki certificate – View certificates installed on the router.


Final Thoughts

Troubleshooting DMVPN requires methodical validation of ISAKMP Phase 1, IPSec Phase 2, and NHRP mapping. Pay close attention to debug messages—they often tell you exactly what went wrong, whether it’s a mismatched encryption method, missing pre-shared key, or Phase 2 transform disagreement. Leveraging the right show and debug commands can drastically shorten troubleshooting time and improve DMVPN stability.