Symptom
A spoke running IOS-XE gets stuck in the IKE or NHRP state (as shown under "show dmvpn").
Conditions
- Can occur if the DMVPN hub(s) reloaded.
- Can also occur if an ISP outage occurred at the spoke (potentially, any trigger that requires the spoke to re-establish the VPN tunnel from scratch).
Workaround
In some cases, it was observed that a shut/no shut on the tunnel interface, or removing and re-applying the NHRP mapping commands on the spoke tunnel interface, fixes the issue.
If these do not help, a reload of the router needs to be performed.
Further Problem Description
To confirm this bug, check the following counters while the spoke is in the broken state:
show platform hardware qfp active feature ipsec data drop
- Check that the 'OUT_V4_PKT_HIT_IKE_START_SP' counter is incrementing.
show platform software ipsec policy statistics
- Check that the 'NOTIFY RP' counter is NOT incrementing.
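The two checks above can be combined by capturing each command twice, some seconds apart, and comparing the counters. The script below is an added example, not Cisco code: the function names are hypothetical, and the sample output is constructed with an assumed column layout (only the two counter names come from this page).

```python
import re

DROP_COUNTER = "OUT_V4_PKT_HIT_IKE_START_SP"  # show platform hardware qfp active feature ipsec data drop
NOTIFY_COUNTER = "NOTIFY RP"                  # show platform software ipsec policy statistics

def counter_values(output, name):
    """Return every integer that follows `name` on the line that contains it."""
    for line in output.splitlines():
        pos = line.find(name)
        if pos != -1:
            return [int(n) for n in re.findall(r"\d+", line[pos + len(name):])]
    raise KeyError(f"{name!r} not found in command output")

def is_incrementing(before, after, name):
    """Compare one counter across two snapshots of the same command."""
    old, new = counter_values(before, name), counter_values(after, name)
    if not old or len(old) != len(new) or any(n < o for o, n in zip(old, new)):
        # A value that went backwards means the counters were cleared or the
        # router reloaded between captures, so the comparison is meaningless.
        raise ValueError(f"{name}: snapshots are not comparable")
    return any(n > o for o, n in zip(old, new))

def matches_bug_signature(drop_t0, drop_t1, stats_t0, stats_t1):
    """True when the drop counter rises while NOTIFY RP stays flat."""
    return (is_incrementing(drop_t0, drop_t1, DROP_COUNTER)
            and not is_incrementing(stats_t0, stats_t1, NOTIFY_COUNTER))

# Constructed sample snapshots: layout assumed, values invented for illustration.
DROP_T0 = """\
Drop Type  Name                                     Packets
       28  OUT_V4_PKT_HIT_IKE_START_SP                 1504
"""
DROP_T1 = """\
Drop Type  Name                                     Packets
       28  OUT_V4_PKT_HIT_IKE_START_SP                 1533
"""
STATS_T0 = """\
PAL NOTIFY          RECEIVE  COMPLETE  PROC ERR  IGNORE
NOTIFY RP                 7         7         0       0
"""
STATS_T1 = STATS_T0  # unchanged between captures

if __name__ == "__main__":
    hit = matches_bug_signature(DROP_T0, DROP_T1, STATS_T0, STATS_T1)
    print("matches bug signature:", hit)
```
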