A network engineer is troubleshooting a DMVPN phase 2 hub-and-spoke deployment. The hub router has mGRE and NHRP configured, and spokes register successfully. However, spoke-to-spoke traffic is not being encrypted, even though IPsec profiles are applied to the mGRE tunnel interface on both the hub and spokes. The engineer verifies that the crypto map is not applied to the tunnel interface. What is the most likely cause of this issue?
Trap 1: The NHRP authentication string does not match between the hub and…
Incorrect because NHRP authentication mismatch would prevent registration, but the spokes are registered.
Trap 2: The tunnel key is not configured on the spokes.
Incorrect because the tunnel key is used for mGRE, not IPsec; missing tunnel key would prevent tunnel establishment.
Trap 3: The spokes have a static crypto map applied to their physical…
Incorrect because static crypto maps on physical interfaces are not used in DMVPN; the IPsec profile is applied to the tunnel interface.
- A
The NHRP authentication string does not match between the hub and spokes.
Why wrong: Incorrect because NHRP authentication mismatch would prevent registration, but the spokes are registered.
- B
The IPsec profile is not applied to the mGRE tunnel interface on the hub and spokes.
Correct because DMVPN phase 2 requires the IPsec profile to be applied to the tunnel interface to protect spoke-to-spoke traffic.
- C
The tunnel key is not configured on the spokes.
Why wrong: Incorrect because the tunnel key is used for mGRE, not IPsec; missing tunnel key would prevent tunnel establishment.
- D
The spokes have a static crypto map applied to their physical interface.
Why wrong: Incorrect because static crypto maps on physical interfaces are not used in DMVPN; the IPsec profile is applied to the tunnel interface.