05-28-2009 08:15 PM - edited 03-04-2019 04:55 AM
Hi,
I have just completed my WAN link failover using route-maps, and NAT works perfectly fine. The problem I now face is that when the primary link goes down and the backup is active, the DMVPN tunnel that uses the primary link also goes down, which is a problem for our VPN connection to our DMVPN spoke sites.
Is there a way to dynamically get the tunnel to switch to the backup link interface?
Below is the config on the HUB router:
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile 123abc
set security-association lifetime seconds 120
set transform-set strong
!
!
interface Loopback0
description PRIMARY LOOPBACK
ip address x.x.x.1 255.255.255.255
!
interface Loopback1
description BACKUP LOOPBACK
ip address y.y.y.1 255.255.255.255
!
!
interface Tunnel0
description DMVPN_HUB
ip address 172.31.4.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication abc123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no clns route-cache
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile 123abc
!
interface GigabitEthernet0/0
description PRIMARY WAN LINK
bandwidth 2048
ip address X.X.X.1 255.255.255.252
ip accounting output-packets
ip nat outside
ip virtual-reassembly
ip policy route-map NAT-to-ISP1
no ip mroute-cache
load-interval 30
duplex full
speed 100
media-type rj45
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/1
description LINK TO SWITCH STACK
no ip address
no ip mroute-cache
load-interval 30
duplex full
speed 100
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1.500
description SECONDARY WAN LINK
encapsulation dot1Q 500
ip address Y.Y.Y.1 255.255.255.252
ip nat outside
ip virtual-reassembly
ip policy route-map NAT-to-ISP2
no snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 X.X.X.2 name DEFAULT-ROUTE-ISP
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.2 200 name SECONDARY-DEFAULT-ROUTE-ISP
ip route 10.30.4.0 255.255.252.0 172.31.4.2 name 10-ADDRESS-RANGES
!
ip nat pool bkc x.x.x.252 x.x.x.254 netmask 255.255.255.0
ip nat inside source route-map NAT-to-ISP1 pool bkc overload
ip nat inside source route-map NAT-to-ISP2 interface GigabitEthernet0/1.500 overload
!
route-map NAT-to-ISP2 permit 10
match ip address NAT_ACL
match interface GigabitEthernet0/1.500
!
route-map NAT-to-ISP1 permit 10
match ip address NAT_ACL
match interface GigabitEthernet0/0
Network 10.30.4.0 255.255.252.0 via 172.31.4.2 (the DMVPN spoke end) is what I want to reach; when the primary link fails, it should also be routed via the backup link.
Thanks
Accepted Solutions
06-03-2009 05:52 AM
Hi,
The spoke needs a static NHRP entry mapping the hub's tunnel address to the hub's NBMA address. It also needs to send multicast traffic to the hub.
int tun1
ip nhrp map 172.31.4.1 <hub NBMA address>
ip nhrp map multicast <hub NBMA address>
!
int tun2
ip nhrp map 172.16.1.1 <hub NBMA address>
ip nhrp map multicast <hub NBMA address>
!
Here is a complete example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
HTH
Laurent.

05-29-2009 07:26 AM
A better solution is to add a backup DMVPN hub in the same physical location as the primary. This will give you the failover that you are looking for. The cost of the route on the spoke will be dependent on the bandwidth command on each tunnel. Attached is a PDF file describing the installation.
Cheers,
Sam
05-29-2009 01:38 PM
Hi,
I think it's not working because your tunnel source IP address (Loopback0) is part of the ISP1 public range. This address can't be reached via ISP2.
The solution, as already explained in the previous post, is to have two tunnels T1 and T2. T1 is using a source address from ISP1 and T2 a source address from ISP2.
On each remote site, you add a new tunnel pointing to T2 and play with the IGP running inside the tunnel to decide which one is the primary path.
HTH
Laurent.
05-31-2009 03:49 PM
Thanks guys for the reply, I'll check out the document now.
Also, we are not running an IGP at the moment because our network right now only consists of 2 sites (hub and spoke), but we are expecting to grow to a max of 5 in a couple of years, which is why we decided to use static routing. Per spoke site, we will only have a 10.x.x.x/23 and no other routes.
05-31-2009 05:22 PM
BTW, the doc describes multiple HUBs, as does the post above. In my case I only have 1x HUB but with 2x Internet links (2x ISPs). Any other solution I can use?
Thanks
06-01-2009 05:35 AM
In your case, you need one HUB with two tunnel interfaces (one routed per ISP), and you need an IGP inside the tunnels or you will not be able to detect that the HUB has lost its primary link.
If you want to keep one tunnel interface, you need both links pointed to the same ISP.
HTH
Laurent.
06-01-2009 06:11 PM
Hi laaubert,
Thanks, I will try your solution and let you know.
So far I have EIGRP running on the one DMVPN tunnel1 (Hub/Spoke). I will have to create another DMVPN tunnel2 on both Hub/Spoke and apply the same EIGRP AS.
Let me know if I have missed anything.
Thanks
Peter
06-02-2009 04:17 PM
Hi,
I may have missed something in my config. It is exactly the same as posted above but with 2x DMVPN tunnels on both hub and spoke, on the one physical router. I'm also running 1 EIGRP AS on both tunnels.
The show ip nhrp output shows incomplete on the backup tunnel.
HUB
interface Tunnel0
description DMVPN_HUB_PRIMARY
bandwidth 1000
ip address 172.31.4.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 100
ip nhrp authentication s3rvc0rp
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
no ip split-horizon eigrp 100
no clns route-cache
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 25052412
tunnel protection ipsec profile cisco
!
!
interface Tunnel1
description TUNNEL BACKUP
ip address 172.16.1.1 255.255.255.0
bandwidth 1000
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 100
ip nhrp authentication (private)
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 300
no ip split-horizon eigrp 100
no clns route-cache
tunnel source GigabitEthernet0/1.500
tunnel mode gre multipoint
tunnel key 91178
!
router eigrp 100
network 10.30.0.0 0.0.0.255
network 10.30.2.0 0.0.0.255
network 172.31.4.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
neighbor 172.31.4.2 Tunnel0
neighbor 172.16.1.2 Tunnel1
SPOKE
interface Tunnel1
description DMVPN_SPOKE_PRIMARY
bandwidth 1000
ip address 172.31.4.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication (private)
ip nhrp map 172.31.4.1 (private)
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.31.4.1
ip nhrp registration no-unique
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 25052412
tunnel protection ipsec profile (private)
!
interface Tunnel2
description TUNNEL BACKUP
ip address 172.16.1.2 255.255.255.0
bandwidth 1000
no ip redirects
ip mtu 1440
ip nhrp authentication (private)
ip nhrp map 172.16.1.1 (private)
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
ip nhrp registration no-unique
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 91178
!
router eigrp 100
network 10.30.4.0 0.0.0.255
network 10.30.6.0 0.0.0.255
network 172.31.4.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
neighbor 172.31.4.1 Tunnel1
neighbor 172.16.1.1 Tunnel2
Any ideas?
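The accepted solution above adds the static NHRP mappings the spoke tunnels are missing; the posted configs also show that neither backup tunnel (hub Tunnel1, spoke Tunnel2) carries a tunnel protection line, so the backup path would ride as cleartext GRE over the WAN. Both conditions can be caught mechanically. This is an added Python example, not from the thread or from Cisco; the NBMA addresses are constructed placeholders for the values posted as (private).

```python
# Added example (not from the thread): lint IOS tunnel interfaces for the two
# issues visible in the posted spoke config. NBMA addresses are constructed.

def parse_interfaces(config):
    """Map each 'interface X' block to its sub-commands; '!' ends a block."""
    blocks, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def lint_tunnels(config):
    """Return {tunnel: [findings]} for spoke mGRE tunnels that look wrong."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        issues = []
        has_nhs = any(c.startswith("ip nhrp nhs ") for c in cmds)
        if has_nhs and not any(c.startswith("ip nhrp map multicast") for c in cmds):
            # without this line the spoke cannot send EIGRP hellos (multicast)
            # to the hub; it is the line the accepted answer adds
            issues.append("missing 'ip nhrp map multicast <hub-nbma>'")
        if not any(c.startswith("tunnel protection ipsec profile") for c in cmds):
            issues.append("no 'tunnel protection': cleartext GRE over the WAN")
        if issues:
            findings[name] = issues
    return findings

# Constructed spoke config modelled on the one posted above (Tunnel2 has no
# 'tunnel protection' line, exactly as posted).
SPOKE_CONFIG = """
interface Tunnel1
 ip nhrp map 172.31.4.1 198.51.100.1
 ip nhrp nhs 172.31.4.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco
!
interface Tunnel2
 ip nhrp map 172.16.1.1 203.0.113.1
 ip nhrp nhs 172.16.1.1
 tunnel mode gre multipoint
!
"""
```

Running `lint_tunnels(SPOKE_CONFIG)` reports the missing multicast mapping on both tunnels and the unprotected backup tunnel.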
06-03-2009 03:38 PM
Thanks Laurent, that works now.
Cheers.
Peter
06-03-2009 09:24 PM
Hi,
Attached Network diagram and config for both HUB/SPOKE routers.
Traffic from SPOKE to HUB goes via the Primary Link marked in red, which is what I want. But traffic from SPOKE to the MPLS network takes the backup path marked in green, even while the Primary Link at the HUB is still active.
It's not a big problem because I know I can still get to my servers on all 3 networks and also make a VoIP call as well. DMVPN is only used for management traffic and VoIP.
I tried removing the 2x GLOBAL-10-ADDRESS-RANGES static routes on the SPOKE router and adding network 10.0.0.0 on the HUB under router EIGRP 100 so HUB will send 10.0.0.0 network to SPOKE during update but that didn't work.
I've also covered setting bandwidth and delay on the tunnel interface for EIGRP metric calculations as per attached config.
Any ideas?
06-03-2009 09:26 PM
Forgot to attach the network diagram.
06-04-2009 07:05 AM
Hi,
1- From your spoke configuration, you configured two equal static routes, so CEF is load-balancing the traffic per flow and the secondary tunnel will be chosen for half of your source/destination pairs.
2- What you want to do is right, but you need the redistribute static command (plus the metric settings) under EIGRP instead of the network statement, because the hub uses a static route to reach 10.0.0.0/16.
The network statement allows you to activate EIGRP on an interface to establish an adjacency.
HTH
Laurent.
06-04-2009 08:48 PM
Hi Laurent,
All is sorted. Many thanks for your technical advice.
HUB:
router eigrp 100
redistribute static
network 10.30.0.0 0.0.0.255
network 10.30.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.31.4.0 0.0.0.255
no auto-summary
neighbor 172.31.4.2 Tunnel0
neighbor 172.16.1.2 Tunnel1
SPOKE:
show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is ISP IP ADDRESS to network 0.0.0.0
D EX 10.0.0.0/8 [170/23311872] via 172.31.4.1, 00:15:20, Tunnel1
C 10.30.4.0/24 is directly connected, GigabitEthernet0/1.998
C 10.30.6.0/24 is directly connected, GigabitEthernet0/1.900
D 10.30.0.0/24 [90/13635840] via 172.31.4.1, 00:15:20, Tunnel1
D 10.30.2.0/24 [90/13635840] via 172.31.4.1, 00:15:20, Tunnel1
S* 0.0.0.0/0 [1/0] via ISP IP ADDRESS
06-14-2009 07:50 PM
Hi,
After intensive testing of the two-link failover, so far it is what we want. The backup activates once the primary link is down.
The problem now is if the primary goes down only at Layer 3: the router will still see the interface as physically up, protocol up. The config applied does not work in this case.
Is there an alternative fix for this?
