DMVPN Dual hub failover error

dwaynepeeters
Level 1

Hi all,

I am currently trying to learn the concept of DMVPN.

I have built a little network with 886 routers.

My network looks like this:

topologie.png

Everything is working nice and dandy, but I do have one problem:

When I disconnect Hub2 and reconnect it back, the EIGRP between Hub1 and Hub2 is formed again, but the relationship between Hub2 and the Spokes is not being formed. In fact Hub2 shows the following error:

Naamloos.png

I really have no idea on what I have misconfigured and I was hoping someone would like to help me out with this.

My configuration looks like this:

Hub2

Hub2#show run
Building configuration...

Current configuration : 2083 bytes
!
! Last configuration change at 12:37:09 UTC Fri Oct 12 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Hub2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO886VA-SEC-K9 sn FCZ1636C0S0
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
 set transform-set MYSET
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.1.100
 ip nhrp map 10.1.1.1 192.168.1.100
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source 192.168.2.200
 tunnel mode gre multipoint
 tunnel protection ipsec profile MY_PROFILE
!
interface Ethernet0
 no ip address
 shutdown
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.2.200 255.255.255.0
!
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 192.168.3.0 255.255.255.0 192.168.2.1
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end

Spoke1

Spoke1#show run
Building configuration...

Current configuration : 2109 bytes
!
! Last configuration change at 12:48:04 UTC Fri Oct 12 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ1637913G
!
!
username dwayne privilege 15 secret 4 TpZETPYjLfqCfkHi05C76eqHRV/mlD4GD6m5ll754S.
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
 set transform-set MYSET
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.1.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 1 35
 ip nhrp map 10.1.1.1 192.168.1.100
 ip nhrp map multicast 192.168.1.100
 ip nhrp map 10.1.1.2 192.168.2.200
 ip nhrp map multicast 192.168.2.200
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 ip nhrp nhs 10.1.1.2
 ip tcp adjust-mss 1360
 tunnel source 192.168.3.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile MY_PROFILE
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan3
 ip address 192.168.3.2 255.255.255.0
!
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.100 255.255.255.255 192.168.3.1
ip route 192.168.2.200 255.255.255.255 192.168.3.1
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Any help will be very much appreciated..

Grtz

Dwayne

3 Replies

olpeleri
Cisco Employee

Hello,

Have you configured isakmp keepalives on the spoke? That would allow the spoke to detect when the hub does not have any P1/P2 any more.

Cheers,

Hi olpeleri,

No I didn't..

But I figured that one out already, but with that configured the keepalive interval is 10 seconds at a minimum.

This means that if the connection between the Hub and Spoke goes offline for less than a second, it still takes up to 20 seconds before the tunnel is being established again which is kind of frustrating.

There has to be a faster way.

Dwayne,

Isakmp is not a protocol that should be used for fast reconnect. It's a protocol limitation.

Best practices are based on routing protocol convergence.

E.g.:

A spoke would have 2 tunnels to 2 hubs - the selected routing protocol would speed up convergence when tuning the hello/dead timers.

Cheers
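
The two settings the replies point to (whether `crypto isakmp keepalive` is present, and the EIGRP hold-time on the tunnel) can be read out of a saved spoke config before a failover test. This is an added example, not part of the thread: the function name `spoke_failover_report` is hypothetical and the sample config is constructed in the style of the Spoke1 listing.

```python
import re

# Constructed sample: a trimmed config in the style of the Spoke1 listing above.
SAMPLE_SPOKE = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
interface Tunnel0
 ip address 10.1.1.3 255.255.255.0
 ip hold-time eigrp 1 35
 ip nhrp nhs 10.1.1.1
 ip nhrp nhs 10.1.1.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile MY_PROFILE
!
"""

def spoke_failover_report(config):
    """Collect the settings that decide how quickly a spoke notices a dead hub."""
    report = {"dpd_interval": None, "tunnels": {}, "findings": []}
    tunnel = None  # per-tunnel dict while inside an 'interface TunnelN' section
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            name = line.split()[1]
            tunnel = None
            if name.startswith("Tunnel"):
                tunnel = report["tunnels"].setdefault(
                    name, {"nhs": [], "hold": None, "ipsec": False})
        elif line == "!":
            tunnel = None  # '!' closes the section; blank lines are ignored
        elif m := re.match(r"crypto isakmp keepalive (\d+)", line):
            report["dpd_interval"] = int(m.group(1))
        elif tunnel is not None:
            if m := re.match(r"ip nhrp nhs (\S+)", line):
                tunnel["nhs"].append(m.group(1))
            elif m := re.match(r"ip hold-time eigrp \d+ (\d+)", line):
                tunnel["hold"] = int(m.group(1))
            elif line.startswith("tunnel protection ipsec"):
                tunnel["ipsec"] = True
    for name, t in report["tunnels"].items():
        if t["ipsec"] and report["dpd_interval"] is None:
            report["findings"].append(
                f"{name}: IPsec without 'crypto isakmp keepalive'")
        if t["hold"] is not None:
            report["findings"].append(
                f"{name}: EIGRP hold-time {t['hold']}s bounds routing failover")
    return report

if __name__ == "__main__":
    for finding in spoke_failover_report(SAMPLE_SPOKE)["findings"]:
        print(finding)
```

The parser strips leading whitespace and ignores blank lines, so it also accepts a config pasted with the indentation lost.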