disable dmvpn tunnel

asmlicense
Level 1

Dear all,

We have 125 sites with DMVPN, and now we need to turn off just one of the tunnels from the hub side. Is it possible?

Hub: ISR 4431

4 Replies

@asmlicense ideally you'd disable the tunnel on the spoke, but from the hub side you could apply an ACL inbound on the physical interface denying ESP, UDP/500 and possibly UDP/4500 (if NAT) from the spoke in question and permitting all other ESP, UDP/500 and UDP/4500.

Let me explain in more detail.

We have main (DMVPN) and backup (3G with IPsec tunnel) lines.

The main ISP has some problems on their equipment (the tunnel is going down and up), so I want to block the main tunnel (DMVPN).

I think if I use an access list on the hub side, the traffic will still be generated from the spoke side and will only be blocked on the hub side, so the DMVPN tunnel will stay in the up state.

As you said, I can disable the tunnel / pull out the cable of the main ISP and schedule a restart in order to force a switch-over with the startup config, but I don't want to risk reloading the device. I have had bad experiences when a switch/router just didn't come up.


@asmlicense wrote:

I think if I use an access list on the hub side, the traffic will still be generated from the spoke side and will only be blocked on the hub side, so the DMVPN tunnel will stay in the up state.

No, if you apply the ACL inbound on the hub's physical interface this will stop an IPsec tunnel from being established to/from that spoke. If the tunnel is already up and established, clear the tunnel. It's not an ideal solution.

You could just shut down the tunnel interface on the spoke, assuming you can manage the router via the outside/external-facing interface.

asmlicense,

It's possible, and you have options.
Option 1 -- You can block the current IP of the peer with an ACL. // Temporary. DMVPN will reconnect when the IP changes.
Option 2 -- You can update the DMVPN password on the Hub. // This is permanent, but you'll have to modify the other 124 sites.
Option 3 -- ACL to deny the inbound network range of the spoke. // Tunnel will form, but inbound traffic will be dropped.

If you have access to the spoke, it's best to remove the DMVPN configuration on that side. // Changing the password on the spoke will stop the tunnel from coming up. As long as you can connect to the spoke again, you can revert the password when you want the tunnel to work again.

Chris
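As an added example (not from any post in this thread), this is what the hub-side ACL approach from the earlier replies and Chris's Option 1 looks like on an IOS-XE hub such as the ISR 4431: deny IKE (UDP/500), NAT-T (UDP/4500) and ESP from the one spoke's public NBMA address on the hub's WAN interface, permit everything else, then clear the existing session so the tunnel actually drops instead of surviving until rekey. The interface name GigabitEthernet0/0/0, the spoke address 203.0.113.10 and the ACL name are placeholders; substitute your own values.

```cisco
! Added example, not from the thread. Placeholders: GigabitEthernet0/0/0 is
! the hub's WAN (NBMA) interface, 203.0.113.10 is the public address of the
! one spoke to isolate.
!
! --- configuration mode ---
! 1. Inbound ACL on the hub WAN interface: drop only this spoke's IKE/IPsec.
ip access-list extended BLOCK-SPOKE-SITE42
 remark deny IKE (UDP/500), NAT-T (UDP/4500) and ESP from the one spoke only
 deny   udp host 203.0.113.10 any eq isakmp
 deny   udp host 203.0.113.10 any eq non500-isakmp
 deny   esp host 203.0.113.10 any
 remark everything else (the other 124 spokes, routing, management) is untouched
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group BLOCK-SPOKE-SITE42 in
!
! --- exec mode ---
! 2. The ACL only stops new negotiations. An SA that is already up survives
!    until rekey or DPD, so tear down the current session to that peer now:
clear crypto session remote 203.0.113.10
!
! 3. Verify: the peer should no longer appear in the crypto session table or
!    as an up NHRP peer on the hub's mGRE tunnel, and the deny lines should
!    accumulate hits, confirming the spoke is being dropped rather than quiet.
show crypto session remote 203.0.113.10
show dmvpn
show ip access-lists BLOCK-SPOKE-SITE42
!
! --- configuration mode ---
! 4. To let the site back in, remove the ACL from the interface; the spoke
!    re-registers on its next IKE/NHRP retry.
interface GigabitEthernet0/0/0
 no ip access-group BLOCK-SPOKE-SITE42 in
```

Two caveats worth checking before applying this. An interface takes only one inbound ACL, so if the hub WAN interface already has one, add the three deny entries at the top of that existing ACL (with sequence numbers) rather than replacing it. And the deny entries match only the spoke's main-ISP address, which is what you want here: the backup 3G IPsec tunnel from the same site keeps working as long as it sources from a different public address (an assumption about your setup, so confirm the 3G peer address before applying). As Chris notes, the block also stops matching if the spoke's public IP changes.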