Hi Georg,

Attached you'll find the output of all relevant running-config.

Our remote clients are using IR829 routers, building 2 FlexVPN tunnels towards our central ASR router. 

Thanks for your efforts! Let me know if you need additional info.

Hello,

you posted a partial config. Post the full running config (sh run). I don't see a summary route advertised in EIGRP, is that not there, or did you not post that ?

Hi Georg,

I've only included the relevant parts only as our internal security policy does not allow us to share full configs unfortunately, not even with all passwords and keys completely removed.

We do not have a summary route configured on the ASR. As you can see in the attached config we only redistribute one single static route into EIGRP (10.128.0.0/16) to advertise to the remote client on both VPN tunnels. This seems to work properly because the remote client will effectively remove the "primary route" and add the "secondary route" immediately after the EIGRP hold timer expired. You can see the output of this in one of my other posts.

If we look at what happens at the remote site and compare it to the central ASR they both see the EIGRP session going down at exactly the same time, what happens after is different.

REMOTE

At 18:20:05 the hold-time expires which makes the EIGRP neighbor going down, the remote client immediately removes the route on the primary Tu102 and adds a similar route via the secondary Tu101. This works completely as expected.

Feb 24 18:20:05.415 CET: %DUAL-5-NBRCHANGE: EIGRP-IPv4 5: Neighbor 10.127.255.15 (Tunnel102) is down: holding time expired
Feb 24 18:20:05 CET: %HA_EM-6-LOG: RouteMonitor: Type: remove; Network: 10.128.0.0; Mask: 255.255.0.0; Protocol: EIGRP; GW: 10.127.255.15; Interface: Tu102;
Feb 24 18:20:05 CET: %HA_EM-6-LOG: RouteMonitor: Type: add; Network: 10.128.0.0; Mask: 255.255.0.0; Protocol: EIGRP; GW: 10.127.255.14; Interface: Tu101; 

CENTRAL

At 18:20:05 the hold-time also expires at the same time which makes the EIGRP neighbor going down simultaneously with the remote client. However it takes 10 seconds for the ASR to remove these specific /28 routes after the neighborship goes down.

Feb 24 18:20:05.892 CET: %DUAL-5-NBRCHANGE: EIGRP-IPv4 5: Neighbor 172.16.0.231 (Virtual-Access159) is down: holding time expired
Feb 24 18:20:16 CET: %HA_EM-6-LOG: RouteMonitor: Type: remove; Network: 10.0.0.96; Mask: 255.255.255.240; Protocol: EIGRP; GW: 172.16.0.231; Interface: Virtual-Access159;
Feb 24 18:20:16 CET: %HA_EM-6-LOG: RouteMonitor: Type: remove; Network: 10.0.0.192; Mask: 255.255.255.240; Protocol: EIGRP; GW: 172.16.0.231; Interface: Virtual-Access159;
Feb 24 18:20:16 CET: %HA_EM-6-LOG: RouteMonitor: Type: remove; Network: 10.0.0.128; Mask: 255.255.255.240; Protocol: EIGRP; GW: 172.16.0.231; Interface: Virtual-Access159;

The ASR does not have to add a route to its routing table in this case as it already has a /24 active route using the secondary Tu101. All it has to do is remove those /28 routes immediately if the related neighborship goes down.

This is our ASR routing table when both tunnels are active to the remote client:

ASR#show ip route 
D 10.0.0.0/24
 [90/26880256] via 172.16.0.130, 02:16:36, Virtual-Access40 
D 10.0.0.96/28
 [90/26880256] via 172.16.0.128, 00:05:54, Virtual-Access159 
D 10.0.0.128/28
 [90/26880256] via 172.16.0.128, 00:05:54, Virtual-Access159
D 10.0.0.192/28
 [90/26880256] via 172.16.0.128, 00:05:54, Virtual-Access159

 Thanks for your efforts! Let me know if you have any questions.

dpd 10 2 on-demand

are you config DPD under the IKEv2 profile?

Hello
As stated previously eigrp stuck in active (SIA) could be causing the delay so this needs to be clarified.
If it is SIA that’s occurring I believe the best way to negate it is to understand why its occurring and not simply by enabling BFD.

Using the commands should help identify SIA routers having query issues.

sh ip eigrp topology <x.x.x.x >  check for feasible successors
sh ip eigrp topology active

Can the OP confirm the above also if its possible for the spoke rtrs to become eigrp stub rtrs, this will negate the hub rtr from querying them for successors and could decrease the delay they are experiencing.

Hey Paul,

Thanks for your feedback, I think you could be onto something here! First of all our remote clients are not configured as stub unfortunately, while they clearly should have been. If my understanding is correct this means that the DUAL process on our hub router will query all other active neighbors whenever the primary VPN tunnel on just one of our remote clients goes down. 

The remote client will advertise its networks by default in /28 ranges on the primary VPN tunnel, and as a single summary /24 on the secondary VPN tunnel. So when the primary tunnel goes down there are no real feasible successors for these /28 routes and the DUAL process kicks in querying all other remote clients for these specific /28 prefixes.

#show ip eigrp topology 
P 10.0.0.0/28, 1 successors, FD is 26880256
  via 172.16.0.208 (26880256/2816), Virtual-Access56 
P 10.0.0.96/28, 1 successors, FD is 26880256
  via 172.16.0.208 (26880256/2816), Virtual-Access56 
P 10.0.0.128/28, 1 successors, FD is 26880256
  via 172.16.0.208 (26880256/2816), Virtual-Access56 
P 10.0.0.192/28, 1 successors, FD is 26880256
  via 172.16.0.208 (26880256/2816), Virtual-Access56

And effectively, hard to catch in the act but, after the primary tunnel goes down we can briefly see the routes are becoming active and the router is waiting for query replies from some other remote clients:

#show ip eigrp topology active
A 10.0.0.96/28, 0 successors, FD is 26880256
  4 replies, active never, query-origin: Local origin
    Remaining replies:
      via 172.16.0.97, r, Virtual-Access597
      via 172.16.0.232, r, Virtual-Access259
      via 172.16.0.8, r, Virtual-Access379
      via 172.16.0.93, r, Virtual-Access397

Do you know if the DUAL process will effectively have to wait for each reply -before- it removes those specific /28 routes from the active routing table? If this is really the case it explains the "dynamic delay" when removing these routes from our route table before falling back to the existing /24 summary route to the remote client.

Is there any short-term workaround we could implement on the hub router side? I've tried "timers active-time disable", however this has no impact it seems. 

I believe the right way to solve this permanently is to configure all our remote clients as stub, as it should have been from the beginning. However this will be a resource intensive exercise as we have numerous remote clients, so this will be more of a mid to long-term solution unfortunately.

Thanks again for your efforts!

Hello @s.p.r.mario ,

>> Do you know if the DUAL process will effectively have to wait for each reply -before- it removes those specific /28 routes from the active routing table?

Yes it is so and  as noted by you and Paul the root cause of your problem is the fact that the remote routers are not EIGRP stub routers.

Hope to help

Giuseppe