02-27-2019 01:02 PM
Hi,
I have a scenario where I have to implement a solution which allows for dual ISP redundancy on a spoke into dual hubs in a DMVPN environment.
I have created two tunnel interfaces, both with the tunnel source set to their respective physical interface. The problem is that I can only have one tunnel active at any time; the other will never get past IKE phase one, and vice versa.
If I source both tunnels from one of the physical interfaces, both tunnels come up, no problem.
I have tried using different VRFs for each tunnel and corresponding physical interface.
Any known limitations using 2 physical interfaces in an active/active role at the spoke site?
Both hub and spoke running same Denali 16.3.7 release.
Kind regards,
Eirik
02-27-2019 03:46 PM
09-25-2024 10:27 AM - edited 09-25-2024 10:31 AM
I was having this same issue with a 4 tunnel/hub configuration, with dual "outside" connections on the spoke side, two tunnels on each. I was able to determine that, at least in my case, it was the shared IPsec profile on the DMVPN. To share a profile it's mandatory that the source interface and IP are the same. So all I needed to do was duplicate the IPsec profile so there was one for each pair of tunnels/source interfaces.
This was literally the only result about this issue, so hopefully the next person finds this.
09-25-2024 12:15 PM
Hello
Can you confirm what routing process and phase design if running on the dmvpn?
Possibly share the hub(s) and spoke(s) configuration?
09-25-2024 12:45 PM
Hello!
I have multiple deployments in which this works as expected. Do you have the same IPsec protection profile applied on both tunnels? As far as I know they have to be different. In some scenarios I also used the front door VRF approach to separate the ISP lines and tunnels.
https://www.networkingwithfish.com/tunnels-and-the-use-of-front-door-vrfs/
https://ttl255.com/dmvpn-and-ipsec-with-front-door-vrf/
BR
09-25-2024 01:44 PM
It was 5 years ago, the original poster is long gone. I was just leaving the answer for anyone else that showed up.
09-25-2024 01:32 PM - edited 09-25-2024 01:36 PM
It's a pretty simple 4 hub (dual hubs at two DCs), 4 net, phase 3, with BGP and BFD.
Actually, I have a reasonably representative copy in my lab. The only significant change is the southbound eBGP at hubs, so I'm just faking the routes. The DMVPN config itself, and BGP within it, is functionally identical. I can share a condensed version of the lab (attached).
HUB-B1/2 is one DC hub pair, HUB-S1/2 is the other pair. Spoke-1 is a spoke with one "outside" link. Spoke-4 is a spoke with dual "outside" links. There's no fancy failover, just active-active, I don't care which link is up at any given time.
09-25-2024 07:30 PM
Hello @Bryan-N ,
thanks for having provided a complete lab setup. It may be helpful for other forum users.
Spoke4 is the one with the most interesting configuration for the original problem of this thread.
Best Regards
Giuseppe
09-25-2024 10:58 PM
Hello @Bryan-N
Cheers for sharing.
09-26-2024 03:39 AM
Hey all. This is a quite common DMVPN design and configuration question. In most cases the root of the problem lies in using the same NHRP network ID and tunnel key and/or IPSec profile for the tunnels. Fix those and more often than not the issue is solved.
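Added example, not from any poster's lab or configuration: a spoke-side IOS-XE fragment that applies the points raised in this thread, with one front-door VRF, one IKEv2 profile and one IPsec profile per ISP uplink, and distinct NHRP network-id and tunnel key per tunnel. All addresses, names and the PSK are placeholders; the physical interfaces are assumed to already be in their FVRFs, and the IOS-XE default IKEv2 proposal/policy is relied on.

```cisco
vrf definition FVRF-ISP1
 address-family ipv4
vrf definition FVRF-ISP2
 address-family ipv4
! One default route per FVRF so each tunnel reaches the hubs over its own ISP
ip route vrf FVRF-ISP1 0.0.0.0 0.0.0.0 198.51.100.1
ip route vrf FVRF-ISP2 0.0.0.0 0.0.0.0 203.0.113.1
crypto ikev2 keyring KR-HUBS
 peer HUBS
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK-PLACEHOLDER>
! One IKEv2 profile per FVRF: the hub is matched inside the VRF the tunnel is sourced from
crypto ikev2 profile IKEV2-ISP1
 match fvrf FVRF-ISP1
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUBS
crypto ikev2 profile IKEV2-ISP2
 match fvrf FVRF-ISP2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUBS
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
! Separate IPsec profiles: a profile can only be shared by tunnels with the same source
crypto ipsec profile IPSEC-ISP1
 set transform-set TS-AES256
 set ikev2-profile IKEV2-ISP1
crypto ipsec profile IPSEC-ISP2
 set transform-set TS-AES256
 set ikev2-profile IKEV2-ISP2
interface Tunnel1
 ip address 10.0.1.4 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.1.1 nbma 192.0.2.1 multicast
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf FVRF-ISP1
 tunnel protection ipsec profile IPSEC-ISP1
interface Tunnel2
 ip address 10.0.2.4 255.255.255.0
 ip nhrp network-id 2
 ip nhrp nhs 10.0.2.1 nbma 192.0.2.1 multicast
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel vrf FVRF-ISP2
 tunnel protection ipsec profile IPSEC-ISP2
```

With this layout both IKEv2 SAs should appear in `show crypto ikev2 sa` at the same time, one per FVRF; if only one comes up, check that neither tunnel still references the other's IPsec profile.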