cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3135
Views
5
Helpful
4
Replies
Highlighted

DMVPN with Invalid SPI Recovery / DPD

Dear Experts,

I am currently evaluating a company design for mid-scale DMVPN Phase 2 networks, trying to optimize receovery time after a failure-and-recovery of a DMVPN peer.

1. I just went through a PDF of a Cisco Live Breakout Session from 2011 named "Advanced Concepts of DMVPN - BRK 4052".

It says (without further explanation) that the Invalid SPI Recovery feature is not useful with DMVPN.

Can anybody explain, why?

2. DMVPN implies the use of Tunnel Protection (TP). I read comments which say, that you can't use Dead Peer Detection (DPD) together with TP.

Contrary to these comments, Cisco's DMVPN design guide V1.1 recommends a configuration containing:

crypto isakmp keepalive 10

Does that mean, I should use DPD, but without "periodic" keepalives? If yes, could you explain?

Thanks a lot!

Everyone's tags (6)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: DMVPN with Invalid SPI Recovery / DPD

Dear Sebastian,

1. SPI Recovery basically means that the Responder router should respond to the VPN Initiator Router even if the SPI was invalid, the reply from the responder would be a "Invalid Error" to the VPN initiator.

Why isn't it recommended for DMVPN?

Well, based on the previous SPI description, imagine if someone overwhelms your Router with rogue requests! with SPI Recovery enabled, this means that your router would need to reply to all the messages it received with "Invalid Error" message, which basically means --> DoS Attack (Denial of Service Attack) --> High CPU processing on your Router.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200

How does that relate to DMVPN?

Well! DMVPN is mainly deployed with large number of spokes! and even if no one is attacking you! your spokes can attack you

2. I don't think that having periodic keepalives is what is meant in the comments having on demand or periodic keepalives doesn't really effect DMVPN.

I don't know what are the comments that you read, but I believe that you can use DPDs! there have been some incompatabilites filed for tunnel keepalives, but as far as i know, nothing major was filed against ISAKMP keepalives.

HTH!

AMatahen

4 REPLIES 4
Cisco Employee

Re: DMVPN with Invalid SPI Recovery / DPD

Dear Sebastian,

1. SPI Recovery basically means that the Responder router should respond to the VPN Initiator Router even if the SPI was invalid, the reply from the responder would be a "Invalid Error" to the VPN initiator.

Why isn't it recommended for DMVPN?

Well, based on the previous SPI description, imagine if someone overwhelms your Router with rogue requests! with SPI Recovery enabled, this means that your router would need to reply to all the messages it received with "Invalid Error" message, which basically means --> DoS Attack (Denial of Service Attack) --> High CPU processing on your Router.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200

How does that relate to DMVPN?

Well! DMVPN is mainly deployed with large number of spokes! and even if no one is attacking you! your spokes can attack you

2. I don't think that having periodic keepalives is what is meant in the comments having on demand or periodic keepalives doesn't really effect DMVPN.

I don't know what are the comments that you read, but I believe that you can use DPDs! there have been some incompatabilites filed for tunnel keepalives, but as far as i know, nothing major was filed against ISAKMP keepalives.

HTH!

AMatahen

Re: DMVPN with Invalid SPI Recovery / DPD

Thanks for your reply!

If I don't enable Invalid SPI recovery, what happens, if the hub router reboots? How fast will be the recovery time?

yes, I probably mixed up DPD and tunnel keepalives.

Cisco Employee

DMVPN with Invalid SPI Recovery / DPD

If the hub Router reboots, your ISAKMP keepalives will be responsible for marking the tunnel as down, at that stage, Spokes will keep trying to register to the Hub forever, until it receives a reply back from the Hub, when it receives it and it successfully registers, it will pass traffic normally.

Time depends on the time of boot required on the Hub Router, as soon as it loads, VPN will go up due to way NHRP has been designed.

HTH

AMatahen

DMVPN with Invalid SPI Recovery / DPD

Thanks again,

I read another post about DMVPN w/ Invalid SPI recovery:

https://supportforums.cisco.com/thread/2045830

based on that, I would suppose, configuring Invalid SPI recovery on a DMVPN Hub makes no sense, because it has no knowledge of other spokes IP addresses (when it has no existing connection).

Nevertheless, Invalid SPI recovery on the spokes could make sense, because they have a static configured destination.

Do you agree?