Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1231
Views
0
Helpful
14
Replies

MPLS To DMVPN Failover Issue

NETAD
Level 4
Level 4

‎05-22-2018 08:12 PM - edited ‎03-12-2019 05:18 AM

Hello, I'm working on an issue with a customer failing to failover from MPLS to their DMVPN cloud. It's a single router that has both an MPLS and internet connection. On the MPLS line they're running BGP and on the DMVPN tunnels they're running EIGRP.

 

For some reason the routes between the spokes are being exchanged. DMVPN is running is phase 3 and here's the config for the hub and the 2 spokes. Can you please take and look to see if I'm missing anything. Thank you so much.

 

 

HUB

 

!
interface Tunnel2000
 description DMVPN Tunnel over the Internet.
 bandwidth 200000
 ip address 172.26.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp network-id 2000
 ip nhrp holdtime 450
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 2000
 tunnel protection ipsec profile Profile.DMVPN.Internet
end

 

 

MADISON

!
interface Tunnel2000
 bandwidth 20000
 ip address 172.26.1.18 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast X.X.X.X
 ip nhrp map 172.26.1.1 X.X.X.X
 ip nhrp network-id 2000
 ip nhrp nhs 172.26.1.1
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 2000
 tunnel protection ipsec profile Profile.DMVPN.Internet
end

 

NOGALAS

Current configuration : 446 bytes
!
interface Tunnel2000
 bandwidth 30000
 ip address 172.26.1.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast X.X.X.X
 ip nhrp map 172.26.1.1 198.35.58.198
 ip nhrp network-id 2000
 ip nhrp nhs 172.26.1.1
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 2000
 tunnel protection ipsec profile Profile.DMVPN.Internet
end

 

 

 

 

 

 

 

Labels:
0 Helpful
14 Replies 14

NETAD
Level 4
Level 4

‎05-23-2018 05:54 AM

Can someone chime in here please. We're attempting the failover again today.
0 Helpful

Rob Ingram
VIP
VIP
In response to NETAD

‎05-23-2018 06:01 AM

Hi,
Can you clarify the issue for me please? You said "For some reason the routes between the spokes are being exchanged" < do you mean to say that each spoke router has the other spoke routers routes in it's routing table? Learnt via EIGRP?
0 Helpful

NETAD
Level 4
Level 4
In response to Rob Ingram

‎05-23-2018 06:04 AM

I'm sorry. I meant to say that the spokes aren't seeing each others routes.
0 Helpful

Rob Ingram
VIP
VIP
In response to NETAD

‎05-23-2018 06:08 AM

Ok, do they have an adjacency to the hub? What is the configuration of eigrp? Can you post
0 Helpful

NETAD
Level 4
Level 4
In response to Rob Ingram

‎05-23-2018 06:21 AM

yes adjacency is there with the hub and the spokes are advertising their networks.
HUB
router eigrp x
!
address-family ipv4 unicast autonomous-system 1
!
af-interface Tunnel200
hello-interval 20
hold-time 60
exit-af-interface
!
topology base
distribute-list route-map DMVPN2-INET-IN in Tunnel200
distribute-list route-map BLOCK-LEARNED out Tunnel200
redistribute ospf 1 match internal metric 10000 100 255 1 1500
exit-af-topology
network 10.8.148.254 0.0.0.0
network 10.8.253.0 0.0.0.255
network 10.8.254.0 0.0.0.255
network 10.8.255.148 0.0.0.0
network 172.26.1.0 0.0.0.255
eigrp router-id 10.8.255.148
exit-address-family
!

spoke 1
!
router eigrp x
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 10.8.150.0 0.0.0.255
network 10.8.156.0 0.0.0.255****************************
network 172.26.1.0 0.0.0.255****************************

spoke2
router eigrp x
!
address-family ipv4 unicast autonomous-system 1
!
topology base
distribute-list route-map DMVPN2-INET-IN in Tunnel200
distribute-list route-map BLOCK-LEARNED out Tunnel200
redistribute ospf 1 match internal metric 10000 100 255 1 1500
exit-af-topology
network 10.8.253.0 0.0.0.255
network 10.8.254.0 0.0.0.255
network 10.8.255.254 0.0.0.0
network 10.31.71.12 0.0.0.0
network 172.26.1.0 0.0.0.255
eigrp router-id 10.8.255.254
exit-address-family
!


0 Helpful

Rob Ingram
VIP
VIP
In response to NETAD

‎05-23-2018 06:37 AM

What routes are in the spokes routing table? Can you provide an output?

In your eigrp configuration you are referencing Tunnel 200 but the Tunnel interface is actually 2000, typo?

What is the configuration and purpose of the route-maps? What are they filtering?
0 Helpful

NETAD
Level 4
Level 4
In response to Rob Ingram

‎05-23-2018 06:41 AM

tun200 is an old tunnel that was setup for IWAN but it's shutdown. Same for the route-maps. They shouldn't be in play here. The new tunnels are on the 172.26.1.0/24 network. I will provide the output momentarily. Thanks for your assistance on this.
0 Helpful

NETAD
Level 4
Level 4
In response to NETAD

‎05-23-2018 08:17 AM

Is no ip next-hop eigrp 1 needed on the hub?
0 Helpful

NETAD
Level 4
Level 4
In response to Rob Ingram

‎05-23-2018 06:58 AM

Here's the requested commands RJI. one of the main subnets that we need the NOGA spoke to see is the 10.31.71.0/24 that Madison is advertising in EIGRP and if you look it's in the hub top table. 

Preview file
65 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to NETAD

‎05-23-2018 01:05 PM

The output is slightly confusing without a diagram, do you have one?

Nog_Internet is a spoke? This has the route 10.31.71.0/24 in it's routing table, but learnt from BGP - it has a lower AD than EIGRP, which is why it's in the routing table.
0 Helpful

NETAD
Level 4
Level 4
In response to Rob Ingram

‎05-23-2018 01:18 PM

NOG is a spoke correct. Correct it has a bgp route for 10.31.71.0/24 because of the lower AD but that route isn't in the eigrp topology table even when we disconnected the MPLS circuit from the router.
0 Helpful

NETAD
Level 4
Level 4
In response to Rob Ingram

‎05-23-2018 08:10 PM

Hi RJI, I took another stab at this but this time one of the spokes is resolving the nbma address of the other spoke incorrectly it’s resolving it to the hub. While the other spoke is resolving the nbma address to the correct address of the tunnel. What should I try to resolve this. Note that I can ping the hubs tunnel interface but the spokes arent able to ping each others tunnel intrface.
0 Helpful

Rob Ingram
VIP
VIP
In response to NETAD

‎05-24-2018 01:56 AM

Hi, Can you provide the output of those tests you run in a text file? Can you also provide the output of "show ip nhrp" from the hub and spokes. Can you also indicate the NBMA and Tunnel IP addresses of each router (hub and spokes). I'll have a look.
0 Helpful

NETAD
Level 4
Level 4
In response to Rob Ingram

‎05-25-2018 07:46 AM

Hi RJI, the customer has an existing DMVPN cloud but we're trying to migrate them to another one. There are 2 tunnels per router and each point to a different hub. We're trying to remove one of the tunnels but they're some dependencies on it still. Do you think this conflict is what's causing the spokes routes not to appear at each other?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents