Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3866
Views
12
Helpful
16
Replies

Two dmvpn tunnels on router usng the same Tunnel source interface.

jomo frank
Level 1
Level 1

‎08-23-2021 01:50 PM

Hello Expert,

 

I have a router (2811)  at head office that is connected to branch office via the internet.

I am using "dmvpn" between the two locations and this works okay.

We have acquired another internet provider at the branch for redundancy I build another dmvpn tunnel at head office, but because we are using  the physical interface for the two  dmvpn  tunnels I would like shared command.

At the Branch office I have two wan interface connect to each internet provider.

 

 

I humbly request if anyone can take a look at the attached configs and make any correction where necessary.

 

Regards

Labels:
Preview file
14 KB
Preview file
14 KB
16 Replies 16

Georg Pauwen
VIP
VIP

‎08-23-2021 02:47 PM

Hello,

 

on the branch (Lethem_test) router, you need to add the 'shared' keyword to both tunnels as well, since you are using the same profile for two tunnels.

 

tunnel protection ipsec profile CiscoCP_Profile1 shared

 

Other than that, the configs look ok.

0 Helpful

jomo frank
Level 1
Level 1
In response to Georg Pauwen

‎08-23-2021 05:10 PM

Hello Georg,

 

Thanks for you prompt response, I will modify same and do some testing .

I will update you shortly.

 

Regards

 

 

0 Helpful

jomo frank
Level 1
Level 1
In response to jomo frank

‎08-24-2021 07:20 AM

Hello Georg,

 

I modified the two tunnels on the spoke(Lethem_test)     tunnel protection ipsec profile CiscoCP_Profile1 shared

 

When I tried to enable the secondary wan interface on the spoke router ((Lethem_test) the connection drops.

If I disable the interface the connection is re-established. 

I would like to have both wan interface and both tunnels up on the spoke to allow a failover if one IPS service is disrupted.

Unsure what is causing the issue.

Regards

 

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to jomo frank

‎08-24-2021 09:29 AM

Hello @jomo frank ,

have you added

tunnel key   <value>

 

with a different value within each tunnel ?

 

Hope to help

Giuseppe

 

0 Helpful

jomo frank
Level 1
Level 1
In response to Giuseppe Larosa

‎08-24-2021 10:50 AM

Hello Giuseppe,

 

I added a tunnel valve but I do not have a different value for each tunnel

 

                                   Head office     (Hub)                                                          Lethem (Spoke)

                                 ---------------------                                             ----------------------

 

Tunnel 0                       tunnel key 100000                                                        tunnel key 100000

 

Tunnel 1                       tunnel key 110000                                                         tunnel key 110000

 

This are extracts from the current configuration , should I make each tunnel key unique?

 

Regards

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to jomo frank

‎08-24-2021 02:37 PM

Hello @jomo frank ,

>> his are extracts from the current configuration , should I make each tunnel key unique?

 

on a single node for sure it is a way to demultiplex packets for dffierent tunnels with same source/destination external addresses.

 

You should be fine from this point of view.

 

Hope to help

Giuseppe

 

0 Helpful

jomo frank
Level 1
Level 1
In response to Giuseppe Larosa

‎08-25-2021 11:14 AM

Hello Guiseppe,

 

I will try unique tunnel key for each tunnel.

 

Regards

0 Helpful

jomo frank
Level 1
Level 1
In response to Giuseppe Larosa

‎08-25-2021 07:42 PM

Hello Giuseppe,

 

I tried putting a unique tunnel key for each tunnel, when I enable the secondary wan interface on the Lethem router no eigrp adjacency is establish and the connection is lost.

I notice when the secondary. wan interface  (lethem) is enable they are two default route showing in the routing table.

Unsure if this reason  for the connection lost when ever the secondary wan interface is enabled

 

Regards

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to jomo frank

‎08-26-2021 08:47 AM

Hello @jomo frank ,

>> I notice when the secondary. wan interface (lethem) is enable they are two default route showing in the routing table.

 

>> I tried putting a unique tunnel key for each tunnel, when I enable the secondary wan interface on the Lethem router no eigrp adjacency is establish and the connection is lost.

 

You should at least have host static routes for the public IP addresses of the HUBs one with exit WAN1 and one with exit WAN2.

The default routes should be learned in EIGRP over tunnels if you want to have a centralized exit to the internet or you need to handle it in some way ( probably using two different  Front VRFs could be a solution ie having WAN1 and WAN2 in two different VRFs so that the two default routes wll not be used in load sharing)

 

Clearly the two default static routes can be a problem if the wrong WAN interface and source IP  address is used to attempt to reach the HUB on VPN

 

Hope to help

Giuseppe

 

0 Helpful

MHM Cisco World
VIP
VIP

‎08-24-2021 04:44 PM - edited ‎08-26-2021 03:45 AM

...

0 Helpful

fredrickpettifordff
Level 1
Level 1

‎08-24-2021 06:59 PM

If you get a chance post the system logs when you attempted to enable the secondary link and the connection dropped.

0 Helpful

MHM Cisco World
VIP
VIP

‎08-26-2021 03:47 AM

according to your post, 

there are two default route, then you need 

Front-door VRF for each tunnel source interface and global for tunnel interface itself.

 

NOTE:- please remove IPSec to check if the IPSec or routing is issue.

jomo frank
Level 1
Level 1
In response to MHM Cisco World

‎08-26-2021 05:26 AM

Hello  MHM,

Never use Front-door VR not sure how to configure same .

 

Regards

 

0 Helpful
Customers Also Viewed These Support Documents