Enthusiast

DMVPN - Make EIGRP track crypto status on the hub for the spoke

Hi experts,

When I shut down the tunnel interface on the spoke, I see the crypto session down message right away on the hub. However, EIGRP would wait for the hold time. Apparently, EIGRP does not care much about the crypto session status. Is there a way to have EIGRP track the crypto session status? I know that I can do passive interface on the spoke side first to minimize the downtime. I am just curious to know if there is another way. Thanks.

 

Sep 6 09:53:04.245 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500 f_vrf: SAT Id: 172.19.20.47

 

Accepted Solutions
VIP Mentor

Re: DMVPN - Make EIGRP track crypto status on the hub for the spoke

Hello,

 

What you could do is run an EEM script that clears the EIGRP neighbor as soon as that message is logged. Below is an example:

 

event manager applet CLEAR_EIGRP_NEIGHBOR
event syslog pattern "%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip eigrp neighbors 172.19.20.47"
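
The same syslog-triggered idea, generalized to several spokes, as an added example that is not part of the original post. It assumes the hub keeps a table from each crypto peer address to the EIGRP neighbor address to clear; that table, the function names and every address except the thread's 172.19.20.47 are constructed for illustration.

```python
import re

# Matches the message format shown in the thread, for both UP and DOWN.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\.\s+"
    r"Peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)

def parse_session_events(lines):
    """Yield (peer, state) for every crypto session status line, in log order."""
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            yield m.group("peer"), m.group("state")

def neighbors_to_clear(lines, peer_to_neighbor):
    """Return clear commands for peers whose most recent state is DOWN."""
    last_state = {}
    for peer, state in parse_session_events(lines):
        last_state[peer] = state  # a later UP cancels an earlier DOWN (flap)
    commands = []
    for peer, state in last_state.items():
        if state != "DOWN":
            continue
        # Only addresses from the operator's table reach the command line;
        # text taken from the log is never interpolated into it.
        neighbor = peer_to_neighbor.get(peer)
        if neighbor is None:
            continue  # unknown peer: do not guess a neighbor address
        commands.append(f"clear ip eigrp neighbors {neighbor}")
    return commands

# Constructed sample input: the first line is the one from the thread,
# the rest use documentation address ranges.
SAMPLE_LOG = [
    "Sep 6 09:53:04.245 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500 f_vrf: SAT Id: 172.19.20.47",
    "Sep 6 09:53:10.101 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 192.0.2.10:500 f_vrf: SAT Id: 192.0.2.10",
    "Sep 6 09:53:12.300 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 192.0.2.10:500 f_vrf: SAT Id: 192.0.2.10",
    "Sep 6 09:53:15.000 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 198.51.100.7:4500 f_vrf: SAT Id: 198.51.100.7",
    "Sep 6 09:53:16.000 MDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up",
]
# Constructed table: crypto peer address -> EIGRP neighbor address.
PEER_TO_NEIGHBOR = {"172.19.20.47": "10.0.0.47", "192.0.2.10": "10.0.0.10"}

if __name__ == "__main__":
    for cmd in neighbors_to_clear(SAMPLE_LOG, PEER_TO_NEIGHBOR):
        print(cmd)
```

On the sample, the peer that came back UP and the peer missing from the table produce no command; only the spoke whose last logged state is DOWN does.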

7 REPLIES
VIP Advisor

Re: DMVPN - Make EIGRP track crypto status on the hub for the spoke

How are your hello-interval and hold-time configured?

 

Can you post your tunnel interface config / EIGRP config?

 

BB
Enthusiast

Re: DMVPN - Make EIGRP track crypto status on the hub for the spoke

Thanks. I have 30 for the hello timer and 120 for the hold time. My VPNs are on the LTE or Satellite. I can't use aggressive timers.

VIP Advisor

Re: DMVPN - Make EIGRP track crypto status on the hub for the spoke

Agreed, some of the things require more time to check before you take it down.

2 options: you need to change the timers,

or use the suggested way with an EEM script; this is a native way for IOS to do it, which is an alternative option.

 

BB

Enthusiast

Re: DMVPN - Make EIGRP track crypto status on the hub for the spoke

Thanks. Are you suggesting that there is no native way in the IOS? That's what I thought. I just want confirmation.

VIP Mentor

Re: DMVPN - Make EIGRP track crypto status on the hub for the spoke

Hello,

 

The only feature I am aware of in EIGRP that speeds up convergence is LFA, but that is to reroute. If you want to get rid of the EIGRP neighbor altogether, the EEM script is probably your best option.

Enthusiast

Re: DMVPN - Make EIGRP track crypto status on the hub for the spoke

Thanks. I did not know about this EIGRP feature. It might not help in my case, as you mentioned. The primary route won't disappear until the neighbor is gone. LFA won't help too much (saving 1 sec when the hold timer is 2 minutes). But this could be useful in other places. Thanks for sharing the information.
