DMVPN with Invalid SPI Recovery / DPD

sebastian.lemke
Level 1

Dear Experts,

I am currently evaluating a company design for mid-scale DMVPN Phase 2 networks, trying to optimize recovery time after a failure-and-recovery of a DMVPN peer.

1. I just went through a PDF of a Cisco Live Breakout Session from 2011 named "Advanced Concepts of DMVPN - BRK 4052".

It says (without further explanation) that the Invalid SPI Recovery feature is not useful with DMVPN.

Can anybody explain why?

2. DMVPN implies the use of Tunnel Protection (TP). I read comments which say that you can't use Dead Peer Detection (DPD) together with TP.

Contrary to these comments, Cisco's DMVPN design guide V1.1 recommends a configuration containing:

crypto isakmp keepalive 10

Does that mean I should use DPD, but without "periodic" keepalives? If yes, could you explain?

Thanks a lot!

Accepted Solutions

amatahen
Cisco Employee

Dear Sebastian,

1. SPI Recovery basically means that the Responder router should respond to the VPN Initiator Router even if the SPI was invalid; the reply from the responder would be an "Invalid Error" to the VPN initiator.

Why isn't it recommended for DMVPN?

Well, based on the previous SPI description, imagine if someone overwhelms your Router with rogue requests! With SPI Recovery enabled, this means that your router would need to reply to all the messages it received with an "Invalid Error" message, which basically means --> DoS Attack (Denial of Service Attack) --> High CPU processing on your Router.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200

How does that relate to DMVPN?

Well! DMVPN is mainly deployed with a large number of spokes, and even if no one is attacking you, your spokes can attack you.

2. I don't think that having periodic keepalives is what is meant in the comments; having on-demand or periodic keepalives doesn't really affect DMVPN.

I don't know what comments you read, but I believe that you can use DPDs! There have been some incompatibilities filed for tunnel keepalives, but as far as I know, nothing major was filed against ISAKMP keepalives.

HTH!

AMatahen
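
A defender's check for the load concern raised in the answer above, as an added example (not from the thread or from Cisco): it tallies invalid-SPI syslog events per source address so a peer that floods the router stands out. The sample lines are constructed, their timestamp/hostname prefix is an assumption, the message body is modelled on the IOS %CRYPTO-4-RECVD_PKT_INV_SPI message, and the 60-second window and threshold of 3 are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (timestamp/hostname prefix and addresses are made up).
SAMPLE_LOG = """\
2024-01-10T08:00:01 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.10
2024-01-10T08:00:02 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x2B3C4D5E(725372254), srcaddr=198.51.100.20
2024-01-10T08:00:03 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x3C4D5E6F(1011703407), srcaddr=203.0.113.5
2024-01-10T08:00:04 hub1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
2024-01-10T08:00:05 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.10
2024-01-10T08:00:20 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.10
2024-01-10T08:00:40 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.10
2024-01-10T08:02:30 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x2B3C4D5E(725372254), srcaddr=198.51.100.20
2024-01-10T08:03:00 hub1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.10
"""

PATTERN = re.compile(
    r"^(?P<ts>\S+) \S+ %CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), "
    r"prot=\d+, spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)

def parse_invalid_spi(lines):
    """Return (timestamp, src, dst, spi) for each invalid-SPI line; skip all others."""
    events = []
    for line in lines:
        m = PATTERN.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["spi"]))
    return events

def peak_per_source(events, window=timedelta(seconds=60)):
    """Highest count of invalid-SPI events each source produced inside any one window."""
    by_src = defaultdict(list)
    for ts, src, _dst, _spi in events:
        by_src[src].append(ts)
    peaks = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks

def noisy_sources(events, threshold=3, window=timedelta(seconds=60)):
    return sorted(s for s, n in peak_per_source(events, window).items() if n >= threshold)
```

Calling `noisy_sources(parse_invalid_spi(SAMPLE_LOG.splitlines()))` on the constructed sample flags only the one source that sent four invalid-SPI packets within a minute.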

Thanks for your reply!

If I don't enable Invalid SPI recovery, what happens if the hub router reboots? How fast will the recovery time be?

Yes, I probably mixed up DPD and tunnel keepalives.

If the hub Router reboots, your ISAKMP keepalives will be responsible for marking the tunnel as down. At that stage, Spokes will keep trying to register to the Hub forever, until they receive a reply back from the Hub; when a Spoke receives it and successfully registers, it will pass traffic normally.

Time depends on the boot time required on the Hub Router; as soon as it loads, the VPN will go up due to the way NHRP has been designed.

HTH

AMatahen

Thanks again,

I read another post about DMVPN w/ Invalid SPI recovery:

https://supportforums.cisco.com/thread/2045830

Based on that, I would suppose configuring Invalid SPI recovery on a DMVPN Hub makes no sense, because it has no knowledge of other spokes' IP addresses (when it has no existing connection).

Nevertheless, Invalid SPI recovery on the spokes could make sense, because they have a statically configured destination.

Do you agree?
