03-02-2017 09:08 AM - edited 03-05-2019 08:08 AM
Hi,
I have a 2-spoke-to-hub DMVPN setup, and we are working on getting one spoke set up with 2 ISPs on 2 physical interfaces. I have everything working except the backup tunnel will not connect. I have researched this and followed some examples, but can't get it to work. The backup tunnel seems to flop.
Here are the configs for the hub and spoke.
Thanks,
M
HUB
interface Tunnel0
description Primary tunnel
bandwidth 100000
ip address 11.11.11.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
no ip route-cache cef
ip tcp adjust-mss 1440
no ip split-horizon eigrp 100
no clns route-cache
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Tunnel1
description backup tunnel
bandwidth 100000
ip address 11.11.12.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
no ip route-cache cef
ip tcp adjust-mss 1400
no ip split-horizon eigrp 100
delay 1001
no clns route-cache
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile CiscoCP_Profile2
!
interface FastEthernet0
description FIBER
ip address x.x.x.163 255.255.255.248
ip verify unicast reverse-path
ip inspect CCP_LOW out
ip virtual-reassembly
ip tcp adjust-mss 1400
duplex auto
speed auto
router eigrp 100
redistribute static
network 10.4.1.0 0.0.0.255
network 11.11.11.0 0.0.0.255
network 11.11.12.0 0.0.0.255
no auto-summary
neighbor 11.11.11.2 Tunnel0
neighbor 11.11.11.3 Tunnel0
neighbor 11.11.12.2 Tunnel1
ip route 0.0.0.0 0.0.0.0 x.x.x.161
SPOKE
interface Tunnel0
description primary tunnel
bandwidth 200000
ip address 11.11.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp map 11.11.11.1 x.x.x.163
ip nhrp map multicast x.x.x.163
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 11.11.11.1
ip nhrp registration no-unique
ip tcp adjust-mss 1360
tunnel source FastEthernet0
tunnel destination x.x.x.163
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Tunnel1
bandwidth 24000
ip address 11.11.12.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp map 11.11.12.1 x.x.x.163
ip nhrp map multicast x.x.x.163
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp nhs 11.11.12.1
ip nhrp registration no-unique
ip tcp adjust-mss 1360
delay 1001
tunnel source FastEthernet1
tunnel key 2
tunnel protection ipsec profile CiscoCP_Profile2
!
interface FastEthernet0
description $ETH-WAN$
ip address y.y.y.153 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip policy route-map ips1
duplex auto
speed auto
service-policy output CCP-QoS-Policy-1
!
interface FastEthernet1
ip address z.z.z.185 255.255.255.248
ip nat outside
ip virtual-reassembly
ip policy route-map isp2
duplex auto
speed auto
!
router eigrp 100
redistribute static
network 10.5.1.0 0.0.0.255
network 11.11.11.0 0.0.0.255
network 11.11.12.0 0.0.0.255
no auto-summary
neighbor 11.11.11.1 Tunnel0
neighbor 11.11.12.1 Tunnel1
ip route 0.0.0.0 0.0.0.0 y.y.y.154
ip route 0.0.0.0 0.0.0.0 z.z.z.190 200
ip nat inside source route-map ips2 interface FastEthernet1 overload
ip nat inside source route-map ips1 interface FastEthernet0 overload
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.0.255
route-map ips2 permit 10
match ip address 1
match interface FastEthernet1
!
route-map ips1 permit 10
match ip address 1
match interface FastEthernet0
03-02-2017 09:37 AM
update on the hub:
sh crypto se
doesn't show tunnel1, just tunnel0
sh ip nhrp detail
11.11.12.2/32, Tunnel1 created 00:00:03, expire 00:03:01
Type: incomplete, Flags: negative
Cache hits: 3
sh crypto isa sa
doesn't show anything for the ip of isp2 on the spoke
on the spoke
sh crypto se
Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 50.235.49.163 port 500
IKE SA: local x.x.x..185/500 remote y.y.y.163/500 Inactive
IPSEC FLOW: permit 47 host x.x.x.185 host y.y.y.163
Active SAs: 0, origin: crypto map
sh ip nhrp detail
11.11.12.1/32 via 11.11.12.1
Tunnel1 created 00:04:58, never expire
Type: static, Flags:
NBMA address: y.y.y.163
sh crypto isa sa
dst src state conn-id status
50.235.49.163 x.x.x.153 QM_IDLE 2063 ACTIVE
50.235.49.163 y.y.y.185 MM_NO_STATE 0 ACTIVE
50.235.49.163 y.y.y. MM_NO_STATE 0 ACTIVE (deleted)