BGP w/ DMVPN Failover routing issue

osoriojoe · ‎09-21-2015

I am trying to wrap my head around designing a MPLS network with a DMVPN/mGRE failover solution however it seems im running into a routing issue once I shut down the MPLS interface to test failover. As seen in the topology each branch peers to the telco with eBGP as the primary connection, which is preferred over EIGRP without messing with the metrics due to the AD. All branches have a secondary internet connection which the DMVPN tunnels source, once MPLS fails each branch should be able to communicate over mGRE which uses EIGRP AS 10.

As an example between HQ and Branch 3, when I shut down the MPLS connection on Branch 3, the EIGRP routes are added to the routing table as expected, however I am unable to reach any branches even though I have a route, although one packet may be successful from Branch 3 to HQ... However, when pinging from other branches to Branch 3 everything is successful..

RANCH-3#sh ip route

Gateway of last resort is 100.10.2.1 to network 0.0.0.0

100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 100.10.100.0/24 [1/0] via 100.10.2.1
C 100.10.2.0/30 is directly connected, Serial0/1
D 192.168.10.0/24 [90/310172416] via 172.16.10.1, 00:12:19, Tunnel100 << Route to HQ
C 172.16.10.0 is directly connected, Tunnel100
C 192.168.20.0/24 is directly connected, Loopback10
S* 0.0.0.0/0 [50/0] via 100.10.2.1

BRANCH-3#ping 192.168.10.1
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!....
Success rate is 20 percent (1/5), round-trip min/avg/max = 36/36/36 ms

--------------------

From HQ I am able to reach Branch 3 fine while it is failed over.

HEADQUARTERS#sh ip route

Gateway of last resort is 75.15.1.1 to network 0.0.0.0

100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 100.10.100.0/24 [1/0] via 100.10.1.1
C 100.10.1.0/30 is directly connected, Serial0/1
C 192.168.10.0/24 is directly connected, Loopback10
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.10.0 is directly connected, Tunnel100
D 192.168.20.0/24 [90/310172416] via 172.16.10.1, 00:15:15, Tunnel100 <-- BRANCH 3
75.0.0.0/30 is subnetted, 1 subnets
C 75.15.1.0 is directly connected, Serial0/0
S* 0.0.0.0/0 [1/0] via 75.15.1.1

HEADQUARTERS#ping 192.168.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/26/40 ms

Any suggestions would be greatly appreciated, I have also attached configs.

WILLIAM STEGMAN · ‎09-23-2015

Can you attach the DMVPN hub config?

osoriojoe · ‎09-23-2015

Hi William,

attached is the DMVPN Primary hub config, the secondary is currently not in use.

WILLIAM STEGMAN · ‎09-23-2015

When you run the ping from Branch3, can you use the loopback as the source of that ping and see if you get any different results?

BRANCH-3#ping 192.168.10.1 source 192.168.20.1

osoriojoe · ‎09-23-2015

That worked with no problems... So, im guessing I need to change some things around...

Once MPLS drops the gateway of last resort points to the dmvpn-cloud at 100.10.2.1 and i think this is where my problem is because that router does not know what to do with it. There are only the public IP addresses configured on that router, nothing else.

WILLIAM STEGMAN · ‎09-23-2015

You may not have a problem. You have connectivity between your loopbacks. What other networks do you want the branch sites to be able to communicate with? You would need to make sure that EIGRP is advertising those networks and you wouldn't use the default route for return traffic.

osoriojoe · ‎09-24-2015

I think you are correct. I am just unsure why I need to source from the loopbacks but I don't think this would happen in a real world environment.