10-12-2012 06:07 AM - edited 02-21-2020 06:23 PM
Hi all,
I am currently trying to learn the concept of DMVPN.
I have built a little network with 886 routers.
My network looks like this:
Everything is working nice and dandy, but I do have one problem:
When I disconnect Hub2 and reconnect it, the EIGRP adjacency between Hub1 and Hub2 is formed again, but the relationship between Hub2 and the Spokes is not being formed. In fact Hub2 shows the following error:
I really have no idea what I have misconfigured and I was hoping someone would like to help me out with this.
My configuration looks like this:
Hub2
Hub2#show run
Building configuration...
Current configuration : 2083 bytes
!
! Last configuration change at 12:37:09 UTC Fri Oct 12 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Hub2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO886VA-SEC-K9 sn FCZ1636C0S0
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
set transform-set MYSET
!
!
!
!
!
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
interface Tunnel0
bandwidth 1000
ip address 10.1.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp map multicast dynamic
ip nhrp map multicast 192.168.1.100
ip nhrp map 10.1.1.1 192.168.1.100
ip nhrp network-id 1
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source 192.168.2.200
tunnel mode gre multipoint
tunnel protection ipsec profile MY_PROFILE
!
interface Ethernet0
no ip address
shutdown
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.200 255.255.255.0
!
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 192.168.3.0 255.255.255.0 192.168.2.1
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
Spoke1
Spoke1#show run
Building configuration...
Current configuration : 2109 bytes
!
! Last configuration change at 12:48:04 UTC Fri Oct 12 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ1637913G
!
!
username dwayne privilege 15 secret 4 TpZETPYjLfqCfkHi05C76eqHRV/mlD4GD6m5ll754S.
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
set transform-set MYSET
!
!
!
!
!
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
interface Tunnel0
bandwidth 1000
ip address 10.1.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 1 35
ip nhrp map 10.1.1.1 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp map 10.1.1.2 192.168.2.200
ip nhrp map multicast 192.168.2.200
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
ip nhrp nhs 10.1.1.2
ip tcp adjust-mss 1360
tunnel source 192.168.3.2
tunnel mode gre multipoint
tunnel protection ipsec profile MY_PROFILE
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan3
ip address 192.168.3.2 255.255.255.0
!
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.100 255.255.255.255 192.168.3.1
ip route 192.168.2.200 255.255.255.255 192.168.3.1
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
Any help will be very much appreciated..
Grtz
Dwayne
10-12-2012 07:14 AM
Hello,
Have you configured ISAKMP keepalives on the spoke? That would allow the spoke to detect when the hub does not have any P1/P2 any more.
Cheers,
10-12-2012 07:49 AM
Hi olpeleri,
No I didn't..
But I figured that one out already, but with that configured the keepalive interval is 10 seconds at a minimum.
This means that if the connection between the Hub and Spoke goes offline for less than a second, it still takes up to 20 seconds before the tunnel is established again, which is kind of frustrating.
There has to be a faster way.
10-12-2012 08:03 AM
Dwayne,
ISAKMP is not a protocol that should be used for fast reconnect. It's a protocol limitation.
Best practices are based on routing protocol convergence.
E.g., a spoke would have 2 tunnels to 2 hubs - the selected routing protocol would speed up convergence when tuning the hello/dead timers.
Cheers
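The two suggestions from the replies above, written out as an added configuration sketch that is not from any poster in this thread: ISAKMP keepalives (DPD) at the 10-second minimum mentioned above, and shorter EIGRP hello/hold timers on the tunnel interface. The retry interval (3 s) and the EIGRP timer values (1 s hello, 3 s hold) are assumed for illustration; AS number 1 and Tunnel0 are taken from the posted configurations.

```cisco
! Added example. Timer values are assumptions, not taken from the thread.
!
! --- Spoke1 ---
! DPD: send a keepalive every 10 s, retry every 3 s after a missed reply,
! and send them periodically instead of only on demand.
crypto isakmp keepalive 10 3 periodic
!
! EIGRP AS 1 on the DMVPN tunnel, replacing the posted 35 s hold time.
interface Tunnel0
 ip hello-interval eigrp 1 1
 ip hold-time eigrp 1 3
!
! --- Hub1 and Hub2 ---
! A router advertises its own hold time to its neighbors, so the spoke
! only ages out a silent hub quickly if the hub side is tuned as well.
crypto isakmp keepalive 10 3 periodic
!
interface Tunnel0
 ip hello-interval eigrp 1 1
 ip hold-time eigrp 1 3
```

With both in place, `show crypto isakmp sa` and `show ip eigrp neighbors` on the spoke show whether the stale security association is cleared and the adjacency to the reconnected hub re-forms.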