
NHRP Hub Fails to Register Spokes After Service
Open, Low, Public

Description

VyOS 1.4.2

After restarting the NHRP service on the Hub, all connected spokes fail to register. The following error messages are observed:

Hub Log: Peer registration failed: static entry exists

Spoke Log: administratively prohibited

Steps to Reproduce:

Set up a DMVPN topology (1 Hub, multiple Spokes) using NHRP.

Ensure everything is functioning normally.

Restart the NHRP service (or reboot) on the Hub.

Check spoke registration — all fail with the above errors.

Suspected Root Cause:
It appears that OpenNHRP is still relying on the legacy routing cache mechanism, which has been removed from the Linux kernel since version 3.6. Upon service restart, OpenNHRP tries to preload local routes, resulting in conflicts that block new peer registrations.

Example Logs:

Adding local-route x.x.x.1/32 dev tun0
Adding local-route x.x.x.2/32 dev tun0
Additional Symptoms:

Restarting a Spoke may also fail.

Spoke-to-spoke tunnels cannot establish.

Reference:
Similar report on VyOS forum:
https://forum.vyos.io/t/dmvpn-hub-stops-registering-peers-after-any-nhrp-configuration-modification/10875

Expected Behaviour:

Restarting the Hub NHRP service should not block new spoke registrations.

OpenNHRP should not depend on the deprecated routing cache mechanism.

Details

Version
1.4.2
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)
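
A triage helper for the symptom described in this report, added here as an example (it is not part of the original task and is not VyOS or OpenNHRP code). It matches only the two message texts quoted above; the `opennhrp:` prefix, the bracketed peer address on the failure line, and the 192.0.2.x addresses in the sample are constructed assumptions.

```python
import re

# Message texts quoted in the report. The rest of each line (timestamp,
# process prefix) is ignored, so no particular syslog layout is assumed.
LOCAL_ROUTE = re.compile(r"Adding local-route (\d+(?:\.\d+){3})/\d+ dev (\S+)")
REG_FAILED = "Peer registration failed: static entry exists"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(lines):
    """Summarise hub log lines: preloaded local routes vs. rejected registrations."""
    preloaded = {}       # address -> tunnel device it was preloaded on
    failures = 0         # count of "static entry exists" rejections
    conflicting = set()  # preloaded addresses that a failure line also names
    for line in lines:
        m = LOCAL_ROUTE.search(line)
        if m:
            preloaded[m.group(1)] = m.group(2)
            continue
        if REG_FAILED in line:
            failures += 1
            # Assumption: when the failure line names the peer, it does so
            # as an IPv4 literal somewhere on the same line.
            conflicting.update(a for a in IPV4.findall(line) if a in preloaded)
    return {
        "preloaded": preloaded,
        "failures": failures,
        "conflicting": sorted(conflicting),
        # True when both halves of the reported pattern are present.
        "matches_report": bool(preloaded) and failures > 0,
    }


# Constructed sample lines, not captured from a real hub.
SAMPLE = """\
opennhrp: Adding local-route 192.0.2.1/32 dev tun0
opennhrp: Adding local-route 192.0.2.2/32 dev tun0
opennhrp: [192.0.2.2] Peer registration failed: static entry exists
opennhrp: [192.0.2.3] Peer registration failed: static entry exists
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```
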

Event Timeline

lawrencepan triaged this task as Normal priority.
lawrencepan raised the priority of this task from Normal to Requires assessment.
lawrencepan triaged this task as Urgent! priority.
lawrencepan created this object in space S1 VyOS Public.

We are moving from legacy OpenNHRP (which is unmaintained) to an FRR solution.
Could you check the rolling release? It uses FRR nhrpd.

Version: VyOS 1.4.2 LTS
Release train: sagitta
Release flavor: generic

set protocols nhrp tunnel tun0 cisco-authentication '1234567'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect

set interfaces tunnel tun0 address 'xx.xx.x.1/24'
set interfaces tunnel tun0 enable-multicast
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip adjust-mss '1400'
set interfaces tunnel tun0 parameters ip key '1234567'
set interfaces tunnel tun0 source-address 100.100.0.1

Viacheslav lowered the priority of this task from Urgent! to Low. Jun 18 2025, 12:53 AM