Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
267
Views
0
Helpful
0
Replies
Alex.Robins
Alex.Robins Beginner
Beginner
‎03-29-2017 11:51 AM
‎03-29-2017 11:51 AM

Help!?, IP CEF (Dual Wan with OER) Breaks IPSEC VTI Tunnels and EIGRP.

Hello All,

I have a very weird but also very frustrating issue going on right now.

My current home WAN Setup involves a single 1921 with 2x HWIC1-ADSL Cards installed running OER for Wan Balancing.
The OER and WAN balancing side of things works very well and doesn't give us the issue that GLBP on 2 Routers that i was running before did, which was breaking sessions by changing the default route without being session aware. (Old Setup was 1921 + 1941 running GLBP with 1x HWIC1-ADSL Each).

This new setup however, has brought along its own problems which are just as much if not more infuriating than what GLBP was doing.

So, as part of a Group Project for my Network Security degree with 3 other friends, we have multiple IPSEC VTI Tunnels between our routers, and we use EIGRP for dynamic routing, each person has 2 tunnels from their wan router to 2x other people for redundancy, and over this our Labs and servers are able to communicate.

My Setup however is a bit different because i have 2x WAN Connections, so i have 2x tunnels per WAN Connection and here is where the trouble starts.

When i cold start the router i will typically only get 2 out of 4 tunnels to come up, either one to each Peer (HUB A, and HUB B) each on 1 WAN line, or 2 tunnels out one line and none out the other, and its totally random, sometimes 3 will come up. Now here comes the interesting bit...... If i turn off IP CEF, they ALL COME UP and Form EIGRP Adjacency normally, and if i turn IP CEF back on, then over 5 - 10 minutes a couple will fail and drop.

It should be noted that when a tunnel refuses to come up, the Peer router CAN NOT be Pinged from the respective wan interface (but often can on the other wan interface).

Tunnel 9004 goes to HUB A, from WAN A (Dialer 0)
Tunnel 9006 goes to HUB B, from WAN A (Dialer 0)
Tunnel 92004 goes to HUB A, from WAN B (Dialer 1)
Tunnel 92006 goes to HUB B, from WAN B (Dialer 1)

For example:

on a Cold boot, tunnels 9004 and 92006 Come up but 92004 and 9006 do not.

With the above being the case:

HUB A CAN be Pinged from WAN A, But NOT from WAN B
HUB B CAN Be Pinged from WAN B, But NOT from WAN A

Sometimes as is the case right as im typing this, two tunnels come up, but only one will form EIGRP Adjacency and pass traffic both ways, with the other in a constant New Adjacency / timeout loop leaving me on just 1 working tunnel.

Turning off IP CEF results in Either HUB being Pingable from Either WAN Interface and all tunnels coming up.


I cant however leave IP CEF Disabled because its Required by the OER Load Balancing running on the router, and turning CEF off results in MASSIVE (often 50% or more) Packet drops.


Does anyone know why turning CEF OFF causes ALL the tunnels to come up, and turning it back on (or booting up with it enabled) means that half the tunnels just dont work?

I have attached a sanitised router config as an attachment.
IOS Version is: 

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)

Thanks, 

Alex.

0 Helpful
Reply
Latest Contents
Cisco Digital Network Architecture Center Template Editor To...
Created by Mohamed Alhenawy on 03-28-2020 10:29 AM
0
0
0
0
Cisco Digital Network Architecture Center Tools <Template Editor > In this article, we are going to talk about the Cisco Digital Network Architecture Center Template Editor tool.Cisco DNA Center gives us the flexibility and scalability to confi... view more
Community Live video- Cisco SD-WAN Policies: Leveraging the ...
Created by hiarteag on 03-27-2020 07:46 AM
0
5
0
5
Community Live- Cisco SD-WAN Policies: Leveraging the Full Power of Cisco SD-WAN (Live event - formerly known as Webcast-  Tuesday 24 March, 2020 at 10 am Pacific/ 1 pm Eastern / 6 pm Paris) This event had place on Tuesday 24th, March 2020 at 10hrs P... view more
Cisco 9200L IOS upgrade via USB
Created by gregorypierce1 on 03-26-2020 10:09 AM
7
0
7
0
IS there a way to upgrade the ios on a cisco 9200l switch using a usb drive instead of using a tftp server? If so could someone point me to the article or tell me how this can be done? These switches seem to be more complicated than previous switches. Tha... view more
Firepower 2110 Integration with SD-WAN Design Assistance
Created by gilbert.aispuro1 on 03-26-2020 03:10 AM
0
0
0
0
Hello,I'm needing to integrate the Cisco Firepower 2110 into our Data Center JUST to fulfill Site-to-Site and Remote Access VPN. My SD-WAN ISRs already have FW and IPS running, which is what I want since I have internet breakouts at my branches, so this D... view more
When needed to configure "Spanning-tree vlan X priority"?
Created by getaway51 on 03-24-2020 06:31 PM
3
0
3
0
Hi, Switch 1 and switch 2 connected via trunk. Both configured with new vlan 3.When creating new vlan 3, is it need to include "Spanning-tree vlan 3 priority 8192"- Sw 1 and "Spanning-tree vlan 3 priority 16384"-Sw 2?What will happen for those s... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Software Conformance Survey
Follow our Social Media Channels