on 02-21-2013 10:16 PM
Hi all,
I am configuring the Dual Hub Dual Cloud DMVPN topology using OSPF. We have one L2 link and one L3 link at each hub, and each branch router has two L2 links and two L3 links for redundancy to achieve HA.
Attached is the configuration of the hubs and a spoke router. The problems I am facing are:
1> The OSPF in the DMVPN cloud flaps every time the dead timer expires.
2> When the primary hub is shut down, the job is taken over by the secondary hub, but when the primary hub comes back, the OSPF on the primary hub does not establish immediately (it takes a long time, even an hour).
Above is the topology diagram and following is the configuration.
HUB 1:-
--------------------------------
--------------------------------
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CUST@#vpn4all address 0.0.0.0
!
!
crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac
!
crypto ipsec profile CUST-PROFILE
set transform-set CUSTSET
!
!
interface Loopback0
description "LOOPBACK"
ip address 192.168.254.254 255.255.255.255
ip ospf 10 area 0
!
interface Tunnel0
description "CUST-L2-TUNNEL"
bandwidth 4000
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 100
ip ospf 10 area 1
tunnel source 172.16.10.20
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
interface Tunnel1
description "CUST-L3-TUNNEL"
bandwidth 3000
ip address 10.10.11.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100001
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 200
ip ospf 10 area 1
tunnel source xxx.xxx.205.142
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
!
interface GigabitEthernet0/0
description "ISP L2"
ip address 172.16.10.20 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "ISP L3"
ip address xxx.xxx.205.142 255.255.255.0
duplex auto
speed auto
!
!
interface Vlan10
description "CUST-BTR-LAN"
ip address 172.16.16.3 255.255.255.248
ip ospf 10 area 0
vrrp 1 ip 172.16.16.1
vrrp 1 timers advertise 3
vrrp 1 timers learn
vrrp 1 priority 120
vrrp 1 authentication admin123
!
router ospf 10
router-id 192.168.254.254
area 1 stub no-summary
passive-interface default
no passive-interface Loopback0
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface Vlan10
!
ip forward-protocol nd
!
HUB 2:-
-------------------------------------------
-------------------------------------------
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CUST@#vpn4all address 0.0.0.0
!
!
crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac
!
crypto ipsec profile CUST-PROFILE
set transform-set CUSTSET
!
!
interface Loopback0
description "LOOPBACK"
ip address 192.168.254.253 255.255.255.255
ip ospf 10 area 0
!
interface Tunnel2
description "CUST02-L2-TUNNEL"
bandwidth 2000
ip address 10.10.12.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100002
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 300
ip ospf 10 area 1
tunnel source 172.16.11.20
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
interface Tunnel3
description "CUST02-L3-TUNNEL"
bandwidth 1000
ip address 10.10.13.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100003
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 400
ip ospf 10 area 1
tunnel source xxx.xxx.217.239
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
interface GigabitEthernet0/0
description "ISP L2"
ip address 172.16.11.20 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "ISP L3"
ip address xxx.xxx.217.239 255.255.255.0
duplex auto
speed auto
!
!
interface Vlan10
description "CUST-BTR-LAN"
ip address 172.16.16.4 255.255.255.248
ip ospf 10 area 0
vrrp 1 ip 172.16.16.1
vrrp 1 timers advertise 3
vrrp 1 timers learn
vrrp 1 priority 110
vrrp 1 authentication admin123
!
router ospf 10
router-id 192.168.254.253
area 1 stub no-summary
passive-interface default
no passive-interface Loopback0
no passive-interface Tunnel2
no passive-interface Tunnel3
no passive-interface Vlan10
!
ip forward-protocol nd
!
SPOKE:-
-------------------------------------------------
-------------------------------------------------
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CUST@#vpn4all address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac
!
crypto ipsec profile CUST_PROFILE
set transform-set CUSTSET
!
!
interface Loopback0
description "LOOPBACK"
ip address 192.168.254.246 255.255.255.255
ip ospf 10 area 1
!
interface Tunnel0
description ***L2-Tunnel***
bandwidth 4000
ip address 10.10.10.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.10.1 172.16.10.20
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.10.10.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 100
ip ospf 10 area 1
tunnel source 172.16.10.15
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
interface Tunnel1
description ***L3-Tunnel***
bandwidth 3000
ip address 10.10.11.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.11.1 xxx.xxx.205.142
ip nhrp network-id 100001
ip nhrp holdtime 360
ip nhrp nhs 10.10.11.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 200
ip ospf 10 area 1
tunnel source xxx.xx.43.184
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
interface Tunnel2
description ***L2-Tunnel 2ND***
bandwidth 2000
ip address 10.10.12.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.12.1 172.16.11.20
ip nhrp network-id 100002
ip nhrp holdtime 360
ip nhrp nhs 10.10.12.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 300
ip ospf 10 area 1
tunnel source 172.16.11.15
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
interface Tunnel3
description ***L3-Tunnel 2ND***
bandwidth 1000
ip address 10.10.13.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.13.1 xxx.xxx.217.239
ip nhrp network-id 100003
ip nhrp holdtime 360
ip nhrp nhs 10.10.13.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 400
ip ospf 10 area 1
tunnel source xxx.xxx.223.48
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
!
interface GigabitEthernet0/0
description "ISP L2"
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1304
description "ISP L2 1ST"
encapsulation dot1Q 1304
ip address 172.16.10.15 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/0.1305
description "ISP L2 2ND"
encapsulation dot1Q 1305
ip address 172.16.11.15 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1
description "ISP L3"
ip address xxx.xx.43.184 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description "ISP L3 2ND"
ip address xxx.xxx.223.48 255.255.255.0
duplex auto
speed 100
!
interface GigabitEthernet0/1/0
description "CUSTSID LAN"
switchport access vlan 10
no ip address
!
!
interface Vlan10
description "CUSTSID LAN"
ip address 192.168.143.1 255.255.255.0
ip ospf 10 area 1
!
router ospf 10
router-id 192.168.254.246
area 1 stub no-summary
passive-interface default
no passive-interface Loopback0
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface Tunnel2
no passive-interface Tunnel3
no passive-interface Vlan10
!
ip forward-protocol nd
!
Hi all,
I have identified the OSPF flap problem. The reason behind the flap was that the hubs are not replying to the multicast hello requested by the spoke, which was solved by changing "ip nhrp map multicast dynamic" at the spoke to "ip nhrp map multicast hub-physical-ip-address".
Changes made in the spoke are:-
!
int tun 0
no ip nhrp map multicast dynamic
ip nhrp map multicast 172.16.10.20
!
int tun 1
no ip nhrp map multicast dynamic
ip nhrp map multicast xxx.xxx.205.142
!
int tun 2
no ip nhrp map multicast dynamic
ip nhrp map multicast 172.16.11.20
!
int tun 3
no ip nhrp map multicast dynamic
ip nhrp map multicast xxx.xxx.217.239
!
But problem 2 is still there; any suggestions and solutions are highly appreciated.
Hi all,
The problem has been solved now by adding a crypto keepalive timer and if-state nhrp at the spokes. So finally the working configuration is as follows. ENJOY!!!!!
HUB 1:-
--------------------------------
--------------------------------
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CUST@#vpn4all address 0.0.0.0
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CUST-PROFILE
set transform-set CUSTSET
!
!
interface Loopback0
description "LOOPBACK"
ip address 192.168.254.254 255.255.255.255
ip ospf 10 area 0
!
interface Tunnel0
description "CUST-L2-TUNNEL"
bandwidth 4000
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 100
ip ospf 10 area 1
tunnel source 172.16.10.20
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
interface Tunnel1
description "CUST-L3-TUNNEL"
bandwidth 3000
ip address 10.10.11.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100001
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 200
ip ospf 10 area 1
tunnel source xxx.xxx.205.142
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
!
interface GigabitEthernet0/0
description "ISP L2"
ip address 172.16.10.20 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "ISP L3"
ip address xxx.xxx.205.142 255.255.255.0
duplex auto
speed auto
!
!
interface Vlan10
description "CUST-BTR-LAN"
ip address 172.16.16.3 255.255.255.248
ip ospf 10 area 0
vrrp 1 ip 172.16.16.1
vrrp 1 timers advertise 3
vrrp 1 timers learn
vrrp 1 priority 120
vrrp 1 authentication admin123
!
router ospf 10
router-id 192.168.254.254
area 1 stub no-summary
passive-interface default
no passive-interface Loopback0
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface Vlan10
!
ip forward-protocol nd
!
HUB 2:-
-------------------------------------------
-------------------------------------------
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CUST@#vpn4all address 0.0.0.0
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CUST-PROFILE
set transform-set CUSTSET
!
!
interface Loopback0
description "LOOPBACK"
ip address 192.168.254.253 255.255.255.255
ip ospf 10 area 0
!
interface Tunnel2
description "CUST02-L2-TUNNEL"
bandwidth 2000
ip address 10.10.12.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100002
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 300
ip ospf 10 area 1
tunnel source 172.16.11.20
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
interface Tunnel3
description "CUST02-L3-TUNNEL"
bandwidth 1000
ip address 10.10.13.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp network-id 100003
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 400
ip ospf 10 area 1
tunnel source xxx.xxx.217.239
tunnel mode gre multipoint
tunnel protection ipsec profile CUST-PROFILE
!
interface GigabitEthernet0/0
description "ISP L2"
ip address 172.16.11.20 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "ISP L3"
ip address xxx.xxx.217.239 255.255.255.0
duplex auto
speed auto
!
!
interface Vlan10
description "CUST-BTR-LAN"
ip address 172.16.16.4 255.255.255.248
ip ospf 10 area 0
vrrp 1 ip 172.16.16.1
vrrp 1 timers advertise 3
vrrp 1 timers learn
vrrp 1 priority 110
vrrp 1 authentication admin123
!
router ospf 10
router-id 192.168.254.253
area 1 stub no-summary
passive-interface default
no passive-interface Loopback0
no passive-interface Tunnel2
no passive-interface Tunnel3
no passive-interface Vlan10
!
ip forward-protocol nd
!
SPOKE:-
-------------------------------------------------
-------------------------------------------------
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CUST@#vpn4all address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CUST_PROFILE
set transform-set CUSTSET
!
!
interface Loopback0
description "LOOPBACK"
ip address 192.168.254.246 255.255.255.255
ip ospf 10 area 1
!
interface Tunnel0
description ***L2-Tunnel***
bandwidth 4000
ip address 10.10.10.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.10.1 172.16.10.20
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.10.10.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 100
ip ospf 10 area 1
if-state nhrp
tunnel source 172.16.10.15
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
interface Tunnel1
description ***L3-Tunnel***
bandwidth 3000
ip address 10.10.11.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.11.1 xxx.xxx.205.142
ip nhrp network-id 100001
ip nhrp holdtime 360
ip nhrp nhs 10.10.11.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 200
ip ospf 10 area 1
if-state nhrp
tunnel source xxx.xx.43.184
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
interface Tunnel2
description ***L2-Tunnel 2ND***
bandwidth 2000
ip address 10.10.12.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.12.1 172.16.11.20
ip nhrp network-id 100002
ip nhrp holdtime 360
ip nhrp nhs 10.10.12.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 300
ip ospf 10 area 1
if-state nhrp
tunnel source 172.16.11.15
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
interface Tunnel3
description ***L3-Tunnel 2ND***
bandwidth 1000
ip address 10.10.13.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CUSTVPN
ip nhrp map multicast dynamic
ip nhrp map 10.10.13.1 xxx.xxx.217.239
ip nhrp network-id 100003
ip nhrp holdtime 360
ip nhrp nhs 10.10.13.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf cost 400
ip ospf 10 area 1
if-state nhrp
tunnel source xxx.xxx.223.48
tunnel mode gre multipoint
tunnel protection ipsec profile CUST_PROFILE
!
!
interface GigabitEthernet0/0
description "ISP L2"
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1304
description "ISP L2 1ST"
encapsulation dot1Q 1304
ip address 172.16.10.15 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/0.1305
description "ISP L2 2ND"
encapsulation dot1Q 1305
ip address 172.16.11.15 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1
description "ISP L3"
ip address xxx.xx.43.184 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description "ISP L3 2ND"
ip address xxx.xxx.223.48 255.255.255.0
duplex auto
speed 100
!
interface GigabitEthernet0/1/0
description "CUSTSID LAN"
switchport access vlan 10
no ip address
!
!
interface Vlan10
description "CUSTSID LAN"
ip address 192.168.143.1 255.255.255.0
ip ospf 10 area 1
!
router ospf 10
router-id 192.168.254.246
area 1 stub no-summary
passive-interface default
no passive-interface Loopback0
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface Tunnel2
no passive-interface Tunnel3
no passive-interface Vlan10
!
ip forward-protocol nd
!
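Added example, not part of the original posts: a small Python check for the three spoke-side changes this thread arrived at (a static multicast mapping to the hub's physical address, `crypto isakmp keepalive`, and `if-state nhrp`). The function names, finding labels and sample stanza are constructed for illustration; the sample reuses addresses from the configuration above.

```python
import re

# Constructed sample in the thread's address plan: Tunnel0 still uses the dynamic
# multicast mapping, Tunnel2 has the static mapping but lacks "if-state nhrp".
SAMPLE_SPOKE = """\
crypto isakmp keepalive 30 5
!
interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp map 10.10.10.1 172.16.10.20
 ip nhrp nhs 10.10.10.1
 if-state nhrp
!
interface Tunnel2
 ip nhrp map multicast 172.16.11.20
 ip nhrp map 10.10.12.1 172.16.11.20
 ip nhrp nhs 10.10.12.1
!
"""

def parse(config):
    """Split IOS text into global lines and per-Tunnel stanzas (indent optional)."""
    global_lines, tunnels, current = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            current = None                      # "!" closes the open stanza
        elif line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = tunnels.setdefault(name, []) if name.startswith("Tunnel") else []
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, tunnels

def lint_spoke(config):
    """Return (scope, finding) pairs for the three spoke-side fixes in this thread."""
    global_lines, tunnels = parse(config)
    findings = []
    if not any(l.startswith("crypto isakmp keepalive ") for l in global_lines):
        findings.append(("global", "no-isakmp-keepalive"))
    for name, lines in tunnels.items():
        maps = [m.groups() for m in (re.fullmatch(r"ip nhrp map (\S+) (\S+)", l) for l in lines) if m]
        static = {ip: nbma for ip, nbma in maps if ip != "multicast"}
        mcast = {nbma for ip, nbma in maps if ip == "multicast"}
        nhs = [l.split()[3] for l in lines if l.startswith("ip nhrp nhs ")]
        hub_nbma = {static[n] for n in nhs if n in static}
        if hub_nbma - mcast:                    # hellos are not replicated to the hub
            findings.append((name, "multicast-not-mapped-to-hub"))
        if "if-state nhrp" not in lines:
            findings.append((name, "no-if-state-nhrp"))
    return findings

if __name__ == "__main__":
    for scope, finding in lint_spoke(SAMPLE_SPOKE):
        print(f"{scope}: {finding}")
```

The parser accepts both indented `show running-config` output and flattened text like the listings above, as long as `!` separates the stanzas.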