DMVPN link failover on physical interface

Peter Valdes
Level 3

Hi,

I have just completed my WAN link failover using route-map and NAT, which works perfectly fine. The problem I now face is that when the primary link goes down and the backup is active, the DMVPN tunnel that uses the primary link also goes down, which is a problem for our VPN connection to the DMVPN spoke sites.

Is there a way to dynamically get the tunnel to switch to the backup link interface?

Below is the config on the HUB router:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile 123abc
 set security-association lifetime seconds 120
 set transform-set strong
!
!
interface Loopback0
 description PRIMARY LOOPBACK
 ip address x.x.x.1 255.255.255.255
!
interface Loopback1
 description BACKUp LOOPBACK
 ip address y.y.y.1 255.255.255.255
!
!
interface Tunnel0
 description DMVPN_HUB
 ip address 172.31.4.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication abc123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no clns route-cache
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile 123abc
!
interface GigabitEthernet0/0
 description PRIMARY WAN LINK
 bandwidth 2048
 ip address X.X.X.1 255.255.255.252
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 ip policy route-map NAT-to-ISP1
 no ip mroute-cache
 load-interval 30
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
 no cdp enable
!
interface GigabitEthernet0/1
 description LINK TO SWITCH STACK
 no ip address
 no ip mroute-cache
 load-interval 30
 duplex full
 speed 100
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1.500
 description SECONDARY WAN LINK
 encapsulation dot1Q 500
 ip address Y.Y.Y.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip policy route-map NAT-to-ISP2
 no snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 X.X.X.2 name DEFAULT-ROUTE-ISP
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.2 200 name SECONDARY-DEFAULT-ROUTE-ISP
ip route 10.30.4.0 255.255.252.0 172.31.4.2 name 10-ADDRESS-RANGES
!
ip nat pool bkc x.x.x.252 x.x.x.254 netmask 255.255.255.0
ip nat inside source route-map NAT-to-ISP1 pool bkc overload
ip nat inside source route-map NAT-to-ISP2 interface GigabitEthernet0/1.500 overload
!
route-map NAT-to-ISP2 permit 10
 match ip address NAT_ACL
 match interface GigabitEthernet0/1.500
!
route-map NAT-to-ISP1 permit 10
 match ip address NAT_ACL
 match interface GigabitEthernet0/0

Network 10.30.4.0 255.255.252.0, via 172.31.4.2 at the DMVPN spoke end, is what I want to reach when the primary link has failed; it should also be routed via the backup link.

Thanks
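
Added example, not part of the original thread: a Python check run over the crypto lines of the hub configuration posted above, flagging the settings a reviewer would question before extending this tunnel to a second link (MD5, 3DES, a pre-shared key accepted from any peer address). The function name, rule names and the IOS 12.4 default-value assumption are this example's own.

```python
import re

# Crypto lines copied from the hub config in the post above.
HUB_CONFIG = """\
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
"""

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}
POLICY_KEYWORDS = ("encryption", "hash", "authentication", "group", "lifetime")

def audit_crypto(config):
    """Return (rule, detail) findings for IOS-style crypto configuration text."""
    findings, policies, current = [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        words = line.split()
        if current is not None and words and words[0] in POLICY_KEYWORDS:
            current[words[0]] = " ".join(words[1:])
            continue
        if words and words[0] != "!":
            current = None  # any other command ends the policy sub-mode
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", line):
            findings.append(("wildcard-psk", "key is accepted from any peer address"))  # key not echoed
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            for t in sorted(WEAK_TRANSFORMS & set(m.group(2).split())):
                findings.append(("weak-transform", f"{m.group(1)}: {t}"))
    for num, opts in policies.items():
        if opts.get("hash") == "md5":
            findings.append(("weak-ike-hash", f"policy {num}: md5"))
        if opts.get("encryption") in ("des", "3des"):
            findings.append(("weak-ike-encryption", f"policy {num}: {opts['encryption']}"))
        # Assumption: on IOS 12.4 an omitted line falls back to DES / DH group 1.
        for key in ("encryption", "group"):
            if key not in opts:
                findings.append(("ike-default", f"policy {num}: no '{key}' line"))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_crypto(HUB_CONFIG):
        print(f"{rule:20} {detail}")
```

The same findings apply to whichever tunnel interface ends up carrying the traffic, since the crypto profile is shared across tunnels that reference it.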

17 Replies

Hi Again,

I actually found this solution:

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

Policy Based Routing with the Multiple Tracking Options

The only problem is I'm not running the correct IOS version ((C3825-ADVSECURITYK9-M), Version 12.4(7g)). Does anyone know of an alternate solution similar to tracking?

Thanks

Hi,

If you lose your primary connection, even if the interface on your hub router stays UP, the EIGRP adj inside tunnel 1 will time out and you should start using the EIGRP routes learned via tunnel 2.

So this case should be covered as well.

HTH

Laurent.

Hi Laurent,

Yes, you are correct. Sorry, I should have been clearer about my new problem.

I was referring to the Internet link traffic. This thread has definitely fixed the VPN solution. I will start a new thread for the Internet traffic problem.

Thanks