
DMVPN with dual hub routers

bymc

 

Need some help

I created a DMVPN test network of 4 sites: two hub sites and two spoke site routers. I was able to get the hub to hub (standard GRE tunnel) and the two spoke sites working using the tunnel mode gre multipoint configuration. I am able to connect and pass EIGRP hub to hub and spoke to hub, but unable to get spoke to spoke to work. Not using any IPsec at this time.

HUB site 1

interface Tunnel1
 description DMVPN hub1
 bandwidth 10000
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 5 35
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp network-id 5
 ip nhrp holdtime 600
 ip nhrp server-only
 ip nhrp redirect
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 5

HUB site 2

interface Tunnel1
 description DMVPN hub2
 bandwidth 10000
 ip address 172.16.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 5 35
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp network-id 50
 ip nhrp holdtime 600
 ip nhrp server-only
 ip nhrp redirect
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 50
 

 

Spoke A

!
interface Tunnel1
 description To Region 5 DMVPN hub 1
 bandwidth 10000
 ip address 172.21.32.12 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 5 35
 ip pim sparse-mode
 ip nhrp map multicast 10.0.1.1
 ip nhrp map 172.16.1.1 10.0.1.1
 ip nhrp network-id 5
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.1.1
 load-interval 30
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 5
 
!
interface Tunnel2
 description To Region 5 DMVPN hub 2
 bandwidth 10000
 ip address 172.16.2.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 5 35
 ip pim sparse-mode
 ip nhrp map multicast 10.0.2.1
 ip nhrp map 172.16.2.1 10.0.2.1
 ip nhrp network-id 50
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.2.1
 load-interval 30
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 50
 
 

 

 


 
 

Accepted Solutions

Hello

Looking at that config, I can see you are trying to use Phase 3 NHRP and you have EIGRP enabled.

Are you advertising the mGRE tunnel and private addressing in EIGRP?

Also, I don't see for Phase 3 NHRP:

1) on the hubs - no ip split-horizon eigrp xxx
Note: no ip next-hop-self eigrp xxx (is required if not using Phase 3 NHRP)

2) on the spokes - ip nhrp shortcut (for Phase 3 NHRP)

On the spokes, trace route from spoke to spoke and ping, then
sh ip nhrp detail

 

Try that and let me know how you get on?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul



I am advertising the mGRE tunnel and private addressing in EIGRP.

After adding no ip split-horizon eigrp xxx and no ip next-hop-self eigrp xxx

DMVPN appears to be working. I did add delay 1000 on one spoke tunnel to hub 1 and delay 2000 on the other spoke tunnel to hub 2.

I have not tried to fail over to the second hub yet.

The only other issue I see is I had to add a specific static route to each router;

the ip route 0.0.0.0 0.0.0.0 telco (test cloud RTR) IP address did not work on its own.

Thanks for your help

Byron

Paul,

Testing the dual hub and three spoke without IPsec, I can remove one hub from the network and traffic continues to flow. I was able to take one hub offline as long as I left at least one hub online; it did not matter which hub.

Testing the dual hub and three spoke with IPsec running, I can remove one hub from the network and traffic will continue as long as the hub is not the hub the spoke to spoke connection used to establish the spoke to spoke connection. When it is the hub used to make the spoke to spoke connection that was taken offline, spoke to spoke as well as spoke to hub connectivity stops.

I found that, other than rebooting all of the routers (spokes and hubs), the command clear crypto sa on the hub and spoke routers allows router connectivity to re-establish.

How should the IPsec be configured to prevent this issue? I was hoping that the spoke connection would fail over to the second hub if the first hub fails.

Byron

 

Hello

Try applying the ip nhrp registration timeout on the hubs = 30 sec

And the registration timeout  + 10 seconds and if-state nhrp command on the spokes

See if this helps

 

res

paul



So far so good. I am running some tests to see if there are any dropouts in connectivity after removing the source hub connection.

I will be streaming traffic and cannot have timeout issues.

The convergence from one hub to the next takes about 30 sec. I have not verified, but assume it is due to the ip nhrp registration timeout 30 on the hub tunnel.

Thanks

Byron

Hello

Glad to hear this - 

Now for the last bit - what failover rate are you expecting regarding a dual DMVPN IPsec/GRE tunnel?

 

res

paul



What I did notice while running a streaming ping is that about 1% to 2% of the pings will time out, plus the tunnel interface dropped packets status is increasing whether pinging or not.

What I was hoping is when/if the selected hub router fails or goes offline the spoke to spoke connection would not notice the failover to the second hub.

 

 

I would suggest checking out Cisco IWAN. Its failover happens within a second and no dropped connections.

PM me if you would like help with testing that out.

Casey

!HUB1
!
interface Tunnel1
 description P2P To DMVPN Hub2
 bandwidth 10000
 ip address 99.1.1.1 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip pim sparse-mode
 ip tcp adjust-mss 1328
 delay 2000
 tunnel source GigabitEthernet0/0
 tunnel destination 10.2.2.1
 tunnel protection ipsec profile vpnproof
!
interface Tunnel100
 description DMVPN Cloud HUB1
 bandwidth 10000
 ip address 100.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip pim dr-priority 100
 ip pim sparse-dense-mode
 ip nhrp authentication 100
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp server-only
 ip nhrp registration timeout 30
 ip nhrp redirect
 ip tcp adjust-mss 1328
 load-interval 30
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile vpnproof
!
!
ip route 0.0.0.0 0.0.0.0 10.2.2.100
ip route 10.2.2.1 255.255.255.255 10.2.2.100
ip route 11.1.1.1 255.255.255.255 10.2.2.100
ip route 12.1.1.1 255.255.255.255 10.2.2.100
ip route 13.1.1.1 255.255.255.255 10.2.2.100
!
end

!HUB2
!
interface Tunnel1
 description P2P To DMVPN Hub1
 bandwidth 10000
 ip address 99.1.1.2 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip pim sparse-mode
 ip tcp adjust-mss 1328
 delay 2000
 tunnel source GigabitEthernet0/0
 tunnel destination 10.2.2.1
 tunnel protection ipsec profile vpnproof
!
interface Tunnel100
 description DMVPN Cloud HUB2
 bandwidth 10000
 ip address 100.2.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip pim dr-priority 100
 ip pim sparse-dense-mode
 ip nhrp authentication 200
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 ip nhrp holdtime 300
 ip nhrp server-only
 ip nhrp registration timeout 30
 ip nhrp redirect
 ip tcp adjust-mss 1328
 load-interval 30
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile vpnproof
!
!
ip route 0.0.0.0 0.0.0.0 10.2.2.100
ip route 10.1.1.1 255.255.255.255 10.2.2.100
ip route 11.1.1.1 255.255.255.255 10.2.2.100
ip route 12.1.1.1 255.255.255.255 10.2.2.100
ip route 13.1.1.1 255.255.255.255 10.2.2.100
!
end

! spoke 1
!
interface Tunnel1
 description hub1-DMVPN Cloud spoke 1
 bandwidth 100000
 ip address 100.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-dense-mode
 ip nhrp authentication 100
 ip nhrp map 100.1.1.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 100.1.1.1
 ip nhrp registration no-unique
 ip nhrp registration timeout 10
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 2000
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile vpnproof
!
interface Tunnel2
 description hub1-DMVPN Cloud spoke 1
 bandwidth 10000
 ip address 100.2.2.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-dense-mode
 ip nhrp authentication 200
 ip nhrp map 100.2.2.1 10.2.2.1
 ip nhrp map multicast 10.2.2.1
 ip nhrp network-id 200
 ip nhrp holdtime 300
 ip nhrp nhs 10.2.2.1
 ip nhrp registration no-unique
 ip nhrp registration timeout 10
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1328
 load-interval 30
 delay 1500
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile vpnproof
!
ip route 0.0.0.0 0.0.0.0 11.1.1.100
ip route 10.1.1.1 255.255.255.255 11.1.1.100
ip route 10.2.2.1 255.255.255.255 11.1.1.100
ip route 12.1.1.1 255.255.255.255 11.1.1.100
ip route 13.1.1.1 255.255.255.255 11.1.1.100
!
end

 

Please look these DMVPN Dual Hub configurations over.

Hub 2 DMVPN works fine when the hub1 DMVPN tunnel at each spoke is shutdown.

When Hub 1 tunnels are enabled the hub 2 tunnels do not pass traffic or enable spoke to spoke connections.

Hub 1  DMVPN tunnels work fine even if hub2 DMVPN tunnels at each spoke are shutdown or not as long as the spoke tunnels prefer HUB 1.

In all cases EIGRP routes are present on each hub and spoke router as long as they have WAN connectivity.

My goal is to have the hub sites located at different regions where each hub will support their region spoke sites, but can fail over to the other hub if needed.

Byron
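
A config check for the items discussed in this thread, as an added example that is not part of any post: it looks for the Phase 3 commands listed in the accepted answer, and for two IOS rules the thread does not mention and which are assumed here as checks (`ip nhrp nhs` takes the hub's tunnel address, and tunnels sharing a source interface and IPsec profile use the `shared` keyword on `tunnel protection`). `SAMPLE` is constructed and abbreviated from the spoke 1 config above; `lint` is a hypothetical helper name.

```python
import ipaddress, re
from collections import defaultdict

# Constructed sample, abbreviated from the spoke 1 config in the last post.
SAMPLE = """\
interface Tunnel1
 ip address 100.1.1.2 255.255.255.0
 ip nhrp map 100.1.1.1 10.1.1.1
 ip nhrp nhs 100.1.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile vpnproof
interface Tunnel2
 ip address 100.2.2.2 255.255.255.0
 ip nhrp map 100.2.2.1 10.2.2.1
 ip nhrp nhs 10.2.2.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile vpnproof
"""

def lint(cfg):
    """Return a list of findings for the Tunnel interfaces in IOS config text."""
    findings, shared = [], defaultdict(list)
    for name, body in re.findall(r"^interface (Tunnel\d+)\n((?: .*\n)*)", cfg, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        get = lambda pfx: [c[len(pfx):].split() for c in cmds if c.startswith(pfx)]
        addr = get("ip address ")
        net = ipaddress.ip_interface("/".join(addr[0][:2])).network if addr else None
        # Protocol (tunnel) addresses that have a static NHRP mapping
        mapped = {m[0] for m in get("ip nhrp map ") if m[0] != "multicast"}
        for nhs in get("ip nhrp nhs "):
            # Assumed rule: NHS is the hub tunnel IP, mapped and inside the tunnel subnet
            if nhs[0] not in mapped or (net and ipaddress.ip_address(nhs[0]) not in net):
                findings.append(f"{name}: NHS {nhs[0]} is not a mapped tunnel address")
        if get("ip nhrp nhs ") and "ip nhrp shortcut" not in cmds:
            findings.append(f"{name}: spoke lacks 'ip nhrp shortcut'")
        if "ip nhrp map multicast dynamic" in cmds and not get("no ip split-horizon eigrp "):
            findings.append(f"{name}: hub lacks 'no ip split-horizon eigrp'")
        for prot in get("tunnel protection ipsec profile "):
            if "shared" not in prot:
                shared[(str(get("tunnel source ")), prot[0])].append(name)
    # Assumed rule: same tunnel source plus same IPsec profile requires 'shared'
    for (src, prof), names in shared.items():
        if len(names) > 1:
            findings.append(f"{'+'.join(names)}: same source and profile '{prof}' without 'shared'")
    return findings
```

Run `lint()` on the full text of a hub or spoke config; an empty list means none of these four checks fired, not that the design is otherwise correct.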

 

 
