Summary: Structured approach to diagnosing DMVPN spoke failures on IOS-XE, covering NHRP registration, IPsec/IKE negotiation, routing, and spoke-to-spoke connectivity issues.
Work through these layers in order — most issues resolve at NHRP or crypto before reaching routing.
1. Tunnel interface state → is the tunnel up/up?
2. NHRP registration → has the spoke registered with the hub?
3. IPsec / IKE → is the crypto session established?
4. Routing → are prefixes being received and installed?
5. Traffic / MTU → is traffic actually passing end-to-end?
6. Spoke-to-spoke → are dynamic tunnels forming? (Phase 2/3 only)
```
show interface tunnel <tunnel-id>
```
`%TUN-5-RECURDOWN` in the logs → recursive routing loop on the tunnel destination; check underlay routing.
```
! Confirm tunnel source interface is up
show interface <source-interface>
! Confirm hub is reachable over the underlay
ping <hub-nbma-ip> source <tunnel-source-interface>
```
```
show ip nhrp detail
show dmvpn detail
```
A healthy spoke shows state INTF/USABLE and an NHRP registration entry pointing to the hub.
| State | Meaning |
|---|---|
| IKE | Waiting for IPsec; crypto not yet up |
| NHRP | IPsec up, NHRP registration in progress |
| UP | Fully registered and operational |
| INTF | Tunnel interface issue |
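The state table maps directly onto the layered checklist at the top of the page. As an added example (not part of the original cheat sheet), the following Python pulls the peer table out of `show dmvpn` output and, for every peer that is not `UP`, names the checklist layer to inspect next. The sample output is constructed for the example, and its column layout is assumed to follow the IOS-XE `show dmvpn` peer table.

```python
import re
from typing import Dict, List

# Constructed sample of "show dmvpn" output (not captured from a real device).
SAMPLE_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.0.2.1          10.0.0.1    UP 00:12:04     S
     1 198.51.100.7       10.0.0.2   IKE    never     D
     1 203.0.113.9        10.0.0.3  NHRP 00:00:41     D
"""

# Checklist layer to inspect for each non-UP state, taken from the state table.
NEXT_STEP = {
    "IKE": "3. IPsec / IKE: crypto not yet up; check proposals, hub reachability, NAT-T",
    "NHRP": "2. NHRP registration: crypto up; verify ip nhrp nhs, authentication, tunnel key",
    "INTF": "1. Tunnel interface: check tunnel source interface and underlay routing",
}

# One peer row: entry count, NBMA IPv4, tunnel IPv4, state, up/down time, attributes.
PEER_ROW = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\d+\.\d+\.\d+\.\d+)\s+(?P<tunnel>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<state>[A-Z]+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$"
)


def parse_peers(output: str) -> List[Dict[str, str]]:
    """Return one dict per peer row found in show dmvpn output; legend and header lines are skipped."""
    peers = []
    for line in output.splitlines():
        m = PEER_ROW.match(line)
        if m:
            peers.append(m.groupdict())
    return peers


def triage(output: str) -> Dict[str, str]:
    """Map each peer NBMA address that is not UP to the checklist layer to work on."""
    findings = {}
    for peer in parse_peers(output):
        if peer["state"] != "UP":
            findings[peer["nbma"]] = NEXT_STEP.get(
                peer["state"], f"unlisted state {peer['state']}: start at layer 1"
            )
    return findings


if __name__ == "__main__":
    for nbma, step in triage(SAMPLE_SHOW_DMVPN).items():
        print(f"{nbma}: {step}")
```

Paste the real `show dmvpn` output in place of the constructed sample; the regex only matches rows whose NBMA and tunnel columns are IPv4 addresses, so the legend and header lines are ignored.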
Spoke not registering — common causes:
- `tunnel key` mismatch (the `tunnel key` command differs between hub and spoke)
```
! Verify NHS config on spoke
show running-config interface tunnel <tunnel-id>
! Look for: ip nhrp nhs <hub-tunnel-ip> nbma <hub-nbma-ip> multicast
! Check NHRP authentication
show running-config | include nhrp authentication
```
⚠️ NHRP Authentication
NHRP authentication keys are set with `ip nhrp authentication <key>` under the tunnel interface. A mismatch silently drops registrations with no obvious error, so always verify that the key matches on hub and spoke.
```
show crypto session remote <hub-nbma-ip>
show crypto isakmp sa
show crypto ikev2 sa
show crypto ipsec sa peer <hub-nbma-ip>
```
`MM_NO_STATE` or `IKE_INIT_SA` → proposal mismatch or unreachable hub.
```
! Check IKE and IPsec proposals on spoke
show crypto ikev2 proposal
show crypto ipsec transform-set
! Check for NAT between spoke and hub — DMVPN requires NAT-T (UDP 4500)
show crypto isakmp sa detail | include NAT
```
⚠️ NAT Traversal
If the spoke is behind NAT, ensure NAT-T is enabled (`crypto isakmp nat keepalive`) and UDP 4500 is permitted through the NAT device. ESP (protocol 50) will not traverse NAT without NAT-T.
```
! Check routes received from hub
show ip route | include <expected-prefix>
show ip bgp neighbors <hub-tunnel-ip> received-routes
show ip eigrp neighbors
show ip ospf neighbor
! Verify routing protocol is running on the tunnel interface
show running-config interface tunnel <tunnel-id> | include ip router
```
DMVPN tunnels add overhead — oversized packets are silently dropped if MTU/MSS is not set correctly.
```
! Test end-to-end with large packet (no fragmentation)
ping <destination> size 1400 df-bit repeat 10 source <tunnel-interface>
! Check interface MTU and TCP MSS clamping
show interface tunnel <tunnel-id> | include MTU
show running-config interface tunnel <tunnel-id> | include mtu|mss
```
Recommended settings for GRE/IPsec DMVPN:
```
interface tunnel <tunnel-id>
 ip mtu 1400
 ip tcp adjust-mss 1360
```
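Where the 1400/1360 pair comes from is worth seeing once. As an added example (not part of the original cheat sheet), the following Python adds up the worst-case GRE and ESP overhead on a 1500-byte underlay and checks the recommended values against it. Header sizes are the standard protocol values; the transform (AES-CBC with HMAC-SHA1-96), transport mode as the default, NAT-T present and a `tunnel key` configured are assumptions chosen for the example, and the function arguments let you change them.

```python
# Added example: how much of the underlay MTU a GRE-over-IPsec DMVPN tunnel
# consumes, and whether "ip mtu 1400 / ip tcp adjust-mss 1360" fits inside it.
# Transform set (AES-CBC + HMAC-SHA1-96) is assumed for the example.

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8            # NAT-T encapsulation (UDP 4500)
GRE_HDR = 4            # base GRE header
GRE_KEY = 4            # added when "tunnel key" is configured
ESP_SPI_SEQ = 8        # ESP header: SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
AES_BLOCK = 16         # CBC IV size and padding granularity
SHA1_96_ICV = 12       # HMAC-SHA1-96 integrity check value


def ipsec_overhead(tunnel_mode: bool, nat_t: bool) -> int:
    """Worst-case bytes ESP adds around the GRE packet."""
    worst_pad = AES_BLOCK - 1   # CBC padding can be up to one byte short of a block
    overhead = ESP_SPI_SEQ + AES_BLOCK + worst_pad + ESP_TRAILER + SHA1_96_ICV
    if tunnel_mode:
        overhead += IPV4_HDR    # tunnel mode adds a second outer IP header
    if nat_t:
        overhead += UDP_HDR     # NAT-T wraps ESP in UDP
    return overhead


def max_inner_mtu(underlay_mtu: int = 1500, tunnel_key: bool = True,
                  tunnel_mode: bool = False, nat_t: bool = True) -> int:
    """Largest inner IP packet that fits one underlay frame without fragmentation."""
    gre = IPV4_HDR + GRE_HDR + (GRE_KEY if tunnel_key else 0)  # delivery IP + GRE
    return underlay_mtu - gre - ipsec_overhead(tunnel_mode, nat_t)


def mss_for_mtu(ip_mtu: int) -> int:
    """TCP MSS matching a tunnel ip mtu: strip the inner IPv4 and TCP headers."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def check_recommendation(ip_mtu: int = 1400, mss: int = 1360, **tunnel) -> dict:
    """Verdict on an ip mtu / adjust-mss pair for the given tunnel parameters."""
    limit = max_inner_mtu(**tunnel)
    return {
        "max_inner_mtu": limit,
        "mtu_fits": ip_mtu <= limit,
        "mss_consistent": mss == mss_for_mtu(ip_mtu),
    }


if __name__ == "__main__":
    for mode in (False, True):
        verdict = check_recommendation(tunnel_mode=mode)
        print(f"{'tunnel' if mode else 'transport'} mode, NAT-T, tunnel key: "
              f"max inner MTU {verdict['max_inner_mtu']}, "
              f"ip mtu 1400 fits: {verdict['mtu_fits']}, "
              f"MSS 1360 consistent: {verdict['mss_consistent']}")
```

With a 1500-byte underlay, transport mode, NAT-T and a tunnel key, the worst case leaves 1411 bytes for the inner packet, so `ip mtu 1400` has a small margin and 1360 is exactly 1400 minus the inner IPv4 and TCP headers. Switching to tunnel mode costs another 20 bytes and 1400 no longer fits, which is the kind of case the `df-bit` ping above catches.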
In Phase 2/3, spokes build direct dynamic tunnels to each other triggered by NHRP resolution. If spoke-to-spoke traffic is routing via the hub instead:
```
! Check NHRP cache — spoke-to-spoke entry should appear after first traffic
show ip nhrp detail
! Check for NHRP redirect / shortcut entries
show ip cef <spoke-b-tunnel-ip>
show dmvpn detail | include State
```
Verify `ip nhrp shortcut` is present on the spoke tunnel interface (Phase 3).
```
! Phase 3 spoke requirements
interface tunnel <tunnel-id>
 ip nhrp shortcut
 ip nhrp redirect   ! Hub only — triggers spoke-to-spoke resolution
```
Run these on the spoke. Use `terminal monitor` if connected via SSH.
```
! NHRP registration and resolution
debug nhrp registration
debug nhrp detail
! IKE negotiation
debug crypto ikev2 error
debug crypto isakmp error
! IPsec
debug crypto ipsec error
! Turn off all crypto debug
undebug all
```
⚠️ Debug Impact
Crypto debugs on a busy hub can generate significant output and impact performance. Scope to a specific peer where possible, and always run `undebug all` when finished.
```
show dmvpn detail                          ! Overall DMVPN state
show ip nhrp detail                        ! NHRP mappings and registration
show crypto session remote <nbma-ip>       ! IKE/IPsec session state
show crypto isakmp sa                      ! IKEv1 SAs
show crypto ikev2 sa                       ! IKEv2 SAs
show crypto ipsec sa peer <nbma-ip>        ! IPsec SAs and counters
show interface tunnel <id>                 ! Tunnel interface state and stats
show ip route                              ! Routing table
```