cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1312
Views
4
Helpful
9
Replies

DMVPN: Multiple physical interfaces on spoke

eirikalim
Level 1
Level 1

Hi,

 

I have a scenario were i have to implement a solution which allows for dual ISP redundancy on spoke into dual hubs in a dmvpn environment.

 

I have created two tunnel interfaces, both have tunnel source set at each respective physical interface, the problem is that i can only have one tunnel active at any time, the other will never get past ike phase one and vice versa.

 

If i source both tunnels from one of the physical interfaces, both tunnels comes up, no problem.

 

I have tried using different vrf´s for each tunnel and corresponding phy. Interface. 

 

Any known limitations using 2 physical interfaces in an active/active role at the spoke site?

 

Both hub and spoke running same Denali 16.3.7 release.

 

Kind regards,

 

Eirik

 

 

 

9 Replies 9

Francesco Molino
VIP Alumni
VIP Alumni
Hi

I understand that tunnel source is different in both Tunnels. What about the destination hub? Do they terminate to the same hub?

Can you share your config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Bryan-N
Level 1
Level 1

I was having this same issue with a 4 tunnel/hub configuration, with dual "outside" connections on the spoke side, two tunnels on each. I was able to determine that at least in my case, it was the shared ipsec profile on the DMVPN.  To share a profile it's mandatory that the source interface and IP are the same.  So all I needed to do is duplicate the ipsec profile so there was one for each pair of tunnels/source interfaces.

This was literally the only result about this issue, so hopefully the next person finds this.

paul.driver
Level 1
Level 1

Hello
Can you confirm what routing process and phase design if running on the dmvpn? 
Possibly share the hub(s) and spoke(s) configuration?

Hello!

I have multiple deployments in which this works as expected. Do you have the same ipsec protection profile applied on both tunnels? As far as I know they have to be different. In some scenarios I also used the front door VRF aproach - to separete the ISP lines and tunnels. 

https://www.networkingwithfish.com/tunnels-and-the-use-of-front-door-vrfs/
https://ttl255.com/dmvpn-and-ipsec-with-front-door-vrf/

BR

****Kindly rate all useful posts*****

It was 5 years ago, the original poster is long gone.  I was just leaving the answer for anyone else that showed up.

Bryan-N
Level 1
Level 1

It's a pretty simple 4 hub (dual hubs at two DCs), 4 net, phase 3, with BGP and bfd.
Actually, I have a reasonably representative copy in my lab.  The only significant change is the southbound eBGP at hubs, so I'm just faking the routes.  The DMVPN config itself, and BGP within it, is functionally identical.  I can share a condensed version of the lab (attached).

HUB-B1/2 is one DC hub pair, HUB-S1/2 is the other pair.  Spoke-1 is a spoke with one "outside" link.  Spoke-4 is a spoke with dual "outside" links.  There's no fancy failover, just active-active, I don't care which link is up at any given time.

Hello @Bryan-N ,

thanks for having provided a complete lab setup. It may be helpful for other forum users.

Spoke4 is the one with the most interesting configuration for the original problem of this thread.

Best Regards

Giuseppe

 

Hello @Bryan-N 
Cheers for sharing..

timo-juhani
Cisco Employee
Cisco Employee

Hey all. This is a quite common DMVPN design and configuration question. In most cases the root of the problem lies in using the same NHRP network ID and tunnel key and/or IPSec profile for the tunnels. Fix those and more often than not the issue is solved.

 

Review Cisco Networking for a $25 gift card