08-23-2021 01:50 PM
Hello Expert,
I have a router (2811) at head office that is connected to a branch office via the internet.
I am using DMVPN between the two locations and this works okay.
We have acquired another internet provider at the branch for redundancy. I built another DMVPN tunnel at head office, but because we are using the physical interface for the two DMVPN tunnels I would like to use the shared command.
At the branch office I have two WAN interfaces, one connected to each internet provider.
I humbly request that someone take a look at the attached configs and make any corrections where necessary.
Regards
08-23-2021 02:47 PM
Hello,
On the branch (Lethem_test) router, you need to add the 'shared' keyword to both tunnels as well, since you are using the same profile for two tunnels:
tunnel protection ipsec profile CiscoCP_Profile1 shared
Other than that, the configs look ok.
08-23-2021 05:10 PM
Hello Georg,
Thanks for your prompt response, I will modify it and do some testing.
I will update you shortly.
Regards
08-24-2021 07:20 AM
Hello Georg,
I modified the two tunnels on the spoke (Lethem_test): tunnel protection ipsec profile CiscoCP_Profile1 shared
When I try to enable the secondary WAN interface on the spoke router (Lethem_test) the connection drops.
If I disable the interface the connection is re-established.
I would like to have both WAN interfaces and both tunnels up on the spoke to allow a failover if one ISP's service is disrupted.
Unsure what is causing the issue.
Regards
08-24-2021 09:29 AM
Hello @jomo frank ,
Have you added
tunnel key <value>
with a different value within each tunnel?
Hope to help
Giuseppe
08-24-2021 10:50 AM
Hello Giuseppe,
I added a tunnel key value but I do not have a different value for each tunnel:
              Head office (Hub)      Lethem (Spoke)
              ---------------------  ----------------------
Tunnel 0      tunnel key 100000      tunnel key 100000
Tunnel 1      tunnel key 110000      tunnel key 110000
These are extracts from the current configuration; should I make each tunnel key unique?
Regards
08-24-2021 02:37 PM
Hello @jomo frank ,
>> These are extracts from the current configuration; should I make each tunnel key unique?
On a single node it is certainly a way to demultiplex packets for different tunnels with the same source/destination external addresses.
You should be fine from this point of view.
Hope to help
Giuseppe
08-25-2021 11:14 AM
Hello Giuseppe,
I will try unique tunnel key for each tunnel.
Regards
08-25-2021 07:42 PM
Hello Giuseppe,
I tried putting a unique tunnel key on each tunnel; when I enable the secondary WAN interface on the Lethem router no EIGRP adjacency is established and the connection is lost.
I noticed that when the secondary WAN interface (Lethem) is enabled there are two default routes showing in the routing table.
Unsure if this is the reason for the connection loss whenever the secondary WAN interface is enabled.
Regards
08-26-2021 08:47 AM
Hello @jomo frank ,
>> I noticed that when the secondary WAN interface (Lethem) is enabled there are two default routes showing in the routing table.
>> I tried putting a unique tunnel key on each tunnel; when I enable the secondary WAN interface on the Lethem router no EIGRP adjacency is established and the connection is lost.
You should at least have host static routes for the public IP addresses of the hubs, one with exit WAN1 and one with exit WAN2.
The default routes should be learned in EIGRP over the tunnels if you want to have a centralized exit to the internet, or you need to handle it in some way (probably using two different front-door VRFs could be a solution, i.e. having WAN1 and WAN2 in two different VRFs so that the two default routes will not be used in load sharing).
Clearly the two default static routes can be a problem if the wrong WAN interface and source IP address are used to attempt to reach the hub over the VPN.
Hope to help
Giuseppe
08-24-2021 04:44 PM - edited 08-26-2021 03:45 AM
...
08-24-2021 06:59 PM
If you get a chance post the system logs when you attempted to enable the secondary link and the connection dropped.
08-26-2021 03:47 AM
According to your post there are two default routes, so you need a
front-door VRF for each tunnel source interface, and global for the tunnel interface itself.
NOTE: please remove IPsec to check whether IPsec or routing is the issue.
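The combined fix suggested in this thread (Georg's 'shared' keyword on both tunnels, Giuseppe's per-WAN routing toward the hub, and MHM's front-door VRF per tunnel source with the tunnel itself left in the global table), written out as an added illustrative configuration. This is not taken from the poster's attached configs: interface names, VRF names, the hub public address 192.0.2.1, the ISP addresses (RFC 5737 documentation ranges), the NHRP/EIGRP parameters, the LAN prefixes and the pre-shared key are all assumptions; only the profile name CiscoCP_Profile1 and the tunnel keys 100000/110000 come from the thread.

```cisco
! ===== Spoke (Lethem): one front-door VRF per ISP (names/addresses assumed) =====
ip vrf WAN1
 description ISP-A underlay
 rd 65000:1
ip vrf WAN2
 description ISP-B underlay
 rd 65000:2
!
! IKE is negotiated inside the front-door VRF, so the hub's pre-shared key
! must be defined in a keyring for each VRF (hub address and key assumed).
crypto keyring WAN1-KEYS vrf WAN1
 pre-shared-key address 192.0.2.1 key REPLACE_ME
crypto keyring WAN2-KEYS vrf WAN2
 pre-shared-key address 192.0.2.1 key REPLACE_ME
!
! 'ip vrf forwarding' clears the interface address, so it goes first.
interface FastEthernet0/0
 description ISP-A (WAN1)
 ip vrf forwarding WAN1
 ip address 198.51.100.2 255.255.255.252
interface FastEthernet0/1
 description ISP-B (WAN2)
 ip vrf forwarding WAN2
 ip address 203.0.113.2 255.255.255.252
!
! Each ISP default route lives only in its own VRF, so the global table
! never carries two competing 0.0.0.0/0 entries.
ip route vrf WAN1 0.0.0.0 0.0.0.0 198.51.100.1
ip route vrf WAN2 0.0.0.0 0.0.0.0 203.0.113.1
!
! Tunnels stay in the global table; 'tunnel vrf' tells each one which
! underlay VRF to use to reach the hub's public address.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication dmvpnkey
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel vrf WAN1
 tunnel protection ipsec profile CiscoCP_Profile1 shared
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 ip nhrp authentication dmvpnkey
 ip nhrp map 10.0.1.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 110
 ip nhrp nhs 10.0.1.1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 110000
 tunnel vrf WAN2
 tunnel protection ipsec profile CiscoCP_Profile1 shared
!
! The only default route in the global table is the one EIGRP learns
! from the hub over the tunnels (branch LAN prefix assumed).
router eigrp 1
 network 10.0.0.0 0.0.1.255
 network 192.168.10.0 0.0.0.255
!
! ===== Hub (head office): one WAN interface sources both tunnels =====
interface FastEthernet0/0
 description Internet (sources Tunnel0 and Tunnel1)
 ip address 192.0.2.1 255.255.255.248
ip route 0.0.0.0 0.0.0.0 192.0.2.6
!
! Same source interface and same IPsec profile on both tunnels: here
! 'shared' is mandatory and the tunnel keys must differ (100000 / 110000).
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication dmvpnkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1 shared
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 ip nhrp authentication dmvpnkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 110
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 110000
 tunnel protection ipsec profile CiscoCP_Profile1 shared
!
router eigrp 1
 network 10.0.0.0 0.0.1.255
 network 172.16.0.0 0.0.255.255
```

Two practical notes on applying this. First, moving a WAN interface into a VRF clears its address and drops any session riding over it, so make the spoke change from the console (or with an archive/rollback timer) rather than over the tunnel being reconfigured. Second, once both tunnels are up the spoke will have two EIGRP paths to the hub; if one ISP should be primary rather than both load-sharing, raise the `delay` on the backup tunnel interface so its path becomes the feasible successor only. To confirm the result, `show ip route vrf WAN1` and `show ip route vrf WAN2` should each show exactly one 0.0.0.0/0, the global `show ip route` should show only the EIGRP-learned default via the tunnel(s), and `show dmvpn` / `show crypto session` should list both NHS entries as UP with their IKE sessions in the respective front-door VRFs.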
08-26-2021 05:26 AM
Hello MHM,
I have never used a front-door VRF, not sure how to configure it.
Regards