DMVPN, OSPF, EIGRP, HSRP - Redundant Spokes and Firewalls

Uhlig.Tim (Level 1)

Dear guys,

 

Our DMVPN network is built by two Hubs in our HQ and small branches with one or two routers. Sometimes there are firewall(s).

 

Two networks for DMVPN:

First hub: 10.4.1.0/24

Second hub: 10.5.1.0/24

 

Branches with just one router are configured with both tunnels, so that we can use the redundancy on the HQ side.

 

Branches with two routers are configured in another way:

Router A is just using network 10.4.1.0/24

Router B is just using network 10.5.1.0/24

LAN is observed by HSRP. The trigger is a ping to our HUB A (10.4.1.0). 

In case no echo is replied by the HUB, LAN is getting switched over to the backup router by HSRP.

 

Nothing special so far.

 

Now I have a branch with two Sophos SG 135 (Active-Passive Cluster). Everything behind the firewall just recognizes one device. The active one is copying its configuration to the backup one. Each firewall has its own internet connection.

I use a switch, connecting the first provider via a VLAN to the firewalls and another VLAN for the second provider. The routers are connected via the same switch but a different VLAN (just one).

Users are connected via a VLAN through the switch to the LAN interface of the firewalls.

Router A is just using DMVPN network 10.4.1.0/24 and the second one 10.5.1.0/24.

 

Currently we're using EIGRP for DMVPN, so this branch is re-advertising EIGRP routes to OSPF and vice versa, so that the firewall is able to get the routing information.

 

The issue is, if router A gets disconnected from the switch for example, the traffic is forwarded by the second router and everything is working. But right at the moment router A is back again, we have routing issues in branches with Sophos firewalls, as the second router announces the same networks and the Sophos firewalls re-advertise them.

 

To solve this behavior, I consider implementing HSRP on the routers' "WAN interface", so that in case router A is losing its connection, the traffic gets switched over from router A to the second one. In case router A is back again, HSRP would switch the traffic over to A again.

 

For example:

"DMZ" VLAN 4 (172.17.5.0/29)

Firewall: 172.17.5.1

router a phys. 172.17.5.5

router b phys. 172.17.5.6

shared 172.17.5.4

 

Do you think this would solve the routing issue? I think if the traffic is shifted back to router A, usually no connection should be online on router B, so no routing issue.

Is that possible, or do you guys think, I need to configure both tunnel and networks on both routers and also with HSRP?

 

I attach a topology to make it easier to understand the setup.
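The WAN-side HSRP design sketched above, written out as an IOS configuration for router A (an added example, not the poster's configuration). Assumptions: the DMZ VLAN 4 faces the Sophos cluster on GigabitEthernet0/1, the existing DMVPN spoke tunnel is Tunnel0, the hub's tunnel address is 10.4.1.1 (the post only names the network 10.4.1.0/24), and the priority and timer values are illustrative.

```cisco
! Router A (primary spoke towards hub 10.4.1.0/24)
! Probe the hub through the DMVPN tunnel; the HSRP priority is lowered
! when the hub stops answering, which hands the shared address to router B.
ip sla 1
 icmp-echo 10.4.1.1 source-interface Tunnel0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30
!
interface GigabitEthernet0/1
 description DMZ VLAN 4 towards Sophos cluster (172.17.5.0/29)
 ip address 172.17.5.5 255.255.255.248
 standby version 2
 standby 4 ip 172.17.5.4
 standby 4 priority 110
 ! Wait 60 s after coming back before taking the address back from router B,
 ! so the tunnel and the EIGRP adjacency to the hub are up again first.
 standby 4 preempt delay minimum 60
 standby 4 track 1 decrement 20
 standby 4 timers 1 3
!
! Router B uses the same layout with ip address 172.17.5.6, priority 100,
! and its own IP SLA probe towards the 10.5.1.0/24 hub.
```

Note that HSRP only moves the shared next hop 172.17.5.4 on the DMZ side; it does not shut router B's tunnel or withdraw the routes B learns over it, so what B redistributes into OSPF is unchanged by a failover.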

Accepted Solution

Uhlig.Tim (Level 1)
Issue has been solved.
It was because of NAT and public IPs.
We needed to use two public IP addresses per internet connection to have one NAT session for each router.
Same for backup. So each router has a reserved public IP on each internet connection to build a session to the headquarter hub.
NAT with just one IP per internet connection but two routers is not possible, as the advertised public IP within the tunnel for DMVPN is used twice.
Now router A uses public IP A of internet connection A and router B uses IP B of internet connection A.
If the internet connection goes down, Sophos forwards the traffic to internet provider B and changes NAT too.
Then router A uses public IP A of internet connection B and router B uses IP B of internet connection B.
