09-06-2019 09:01 AM
Hi experts,
When I shut down the tunnel interface on the spoke, I see the crypto session down message right away on the hub. However, EIGRP would wait for the hold time. Apparently, EIGRP does not care much about the crypto session status. Is there a way to have EIGRP track the crypto session status? I know that I can configure passive interface on the spoke side first to minimize the downtime. I am just curious to know if there is another way. Thanks.
Sep 6 09:53:04.245 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500 f_vrf: SAT Id: 172.19.20.47
09-06-2019 09:15 AM
How are your hello-interval and hold-time configured?
Can you post your tunnel interface config / EIGRP config?
09-06-2019 10:56 AM
Thanks. I have 30 for the hello timer and 120 for the hold time. My VPNs are on the LTE or Satellite. I can't use aggressive timers.
09-06-2019 01:42 PM
Agreed, some of these things require more time to check before you take it down.
There are 2 options: you need to change the timers,
or, as suggested, use an EEM script, which is a native IOS way of doing this and an alternative option.
09-06-2019 09:55 AM
Hello,
what you could do is run an EEM script that clears the EIGRP neighbor as soon as that message is logged. Below is an example:
event manager applet CLEAR_EIGRP_NEIGHBOR
 event syslog pattern "%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip eigrp neighbors 172.19.20.47"
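To check whether an applet like the one above actually closes the gap, the hub's syslog can be correlated offline. This is an added example, not part of the thread: it measures how long EIGRP kept each neighbor after its crypto session went down. It assumes the crypto peer and the EIGRP neighbor share an address (as in the applet); the function names, the %DUAL-5-NBRCHANGE lines and the second peer are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed hub log: peer .47 has no applet, peer .48 has the applet applied.
SAMPLE_LOG = """\
Sep 6 09:53:04.245 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.47:500 f_vrf: SAT Id: 172.19.20.47
Sep 6 09:54:49.101 MDT: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.19.20.47 (Tunnel0) is down: holding time expired
Sep 6 10:12:30.000 MDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 172.19.20.48:500 f_vrf: SAT Id: 172.19.20.48
Sep 6 10:12:30.412 MDT: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.19.20.48 (Tunnel0) is down: manually cleared
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
STAMP = re.compile(r"^(\w{3}\s+\d+\s+[\d:.]+)\s+\w+: %([\w-]+): (.*)$")
CRYPTO = re.compile(r"Crypto tunnel is (UP|DOWN)\.\s+Peer " + IP + r":\d+")
NBR_DOWN = re.compile(r"Neighbor " + IP + r" \(\S+\) is down: (.+)$")


def parse_time(stamp, year=2019):
    # IOS timestamps carry no year; supply one so the arithmetic is well defined.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}",
                             "%Y %b %d %H:%M:%S.%f")


def stale_route_windows(log_text, year=2019):
    """Return [(peer, seconds, reason)] for each crypto-down -> neighbor-down pair."""
    pending, windows = {}, []
    for line in log_text.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue
        when, mnemonic, text = parse_time(m.group(1), year), m.group(2), m.group(3)
        if mnemonic == "CRYPTO-5-SESSION_STATUS":
            c = CRYPTO.search(text)
            if c and c.group(1) == "DOWN":
                pending.setdefault(c.group(2), when)   # keep the first DOWN
            elif c:
                pending.pop(c.group(2), None)          # session recovered in time
        elif mnemonic == "DUAL-5-NBRCHANGE":
            n = NBR_DOWN.search(text)
            if n and n.group(1) in pending:
                gap = (when - pending.pop(n.group(1))).total_seconds()
                windows.append((n.group(1), round(gap, 3), n.group(2).strip()))
    return windows


if __name__ == "__main__":
    for peer, gap, reason in stale_route_windows(SAMPLE_LOG):
        print(f"{peer}: routes kept {gap:.3f}s after crypto down ({reason})")
```

A window close to the hold time with "holding time expired" means nothing reacted to the crypto event; a sub-second window with "manually cleared" is what the applet should produce.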
09-06-2019 10:57 AM
Thanks. Are you suggesting that there is no native way in the IOS? That's what I thought. I just want confirmation.
09-06-2019 11:35 AM
Hello,
the only feature I am aware of in EIGRP that speeds up convergence is LFA, but that is to reroute. If you want to get rid of the EIGRP neighbor altogether, the EEM script is probably your best option.
09-06-2019 01:51 PM
Thanks. I did not know about this EIGRP feature. It might not help in my case, as you mentioned. The primary route won't disappear until the neighbor is gone. LFA won't help too much (saving 1 sec when the hold timer is 2 minutes). But this could be useful in other places. Thanks for sharing the information.