Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
877
Views
10
Helpful
7
Replies

DMVPN - Make EIGRP track crypto status on the hub for the spoke

Go to solution
Difan Zhao
Level 5
Level 5

‎09-06-2019 09:01 AM

Hi experts,

When I shutdown the tunnel interface on the spoke, I see the crypto session down message right away on the hub. However, the EIGRP would wait for the holdtime. Apparently, the EIGRP does not care much about the crypto session status. Is there a way to have the EIGRP tracking the crypto session status? I know that I can do passive interface on the spoke side first to minimize the downtime. I am just curious to know if there is another way. Thanks.

 

Sep 6 09:53:04.245 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500 f_vrf: SAT Id: 172.19.20.47

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP

‎09-06-2019 09:55 AM

Hello,

 

what you could do is run an EEM script that clears the EIGRP neighbor as soon as that message is logged. Below is an example:

 

event manager applet CLEAR_EIGRP_NEIGHBOR
event syslog pattern "%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip eigrp neighbors 172.19.20.47"

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-06-2019 09:15 AM

how is your hello-interval and hold-time configured ?

 

can you post your tunnel interface config / eigrp config.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Difan Zhao
Level 5
Level 5
In response to balaji.bandi

‎09-06-2019 10:56 AM

Thanks. I have 30 for the hello timer and 120 for the hold time. My VPNs are on the LTE or Satellite. I can't use aggressive timers.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Difan Zhao

‎09-06-2019 01:42 PM

Agreed on some of the things required more time to check before you take it down.

 

2 options you need to change the timers.

or suggested a way to use EEM script, this native way of IOS do which is an alternative option.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Georg Pauwen
VIP
VIP

‎09-06-2019 09:55 AM

Hello,

 

what you could do is run an EEM script that clears the EIGRP neighbor as soon as that message is logged. Below is an example:

 

event manager applet CLEAR_EIGRP_NEIGHBOR
event syslog pattern "%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip eigrp neighbors 172.19.20.47"

0 Helpful

Go to solution
Difan Zhao
Level 5
Level 5
In response to Georg Pauwen

‎09-06-2019 10:57 AM

Thanks. Are you suggesting that there is no native way in the IOS? That's what I thought. I just want confirmation.

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Difan Zhao

‎09-06-2019 11:35 AM

Hello,

 

the only feature I am aware of in EIGRP that speeds up convergence is LFA, but that is to reroute. If you want to get rid of the EIGRP neighbor altogether, the EEM script is probably your best option.

Go to solution
Difan Zhao
Level 5
Level 5
In response to Georg Pauwen

‎09-06-2019 01:51 PM

Thanks. I did not know about this EIGRP feature. It might not help in my case as you mentioned. The primary route won't disappear until the neighbor is gone. LFA won't help too much (saving 1 sec when the hold timer is 2 minutes). But this could be useful in other places. Thanks for sharing the information

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card