Solved: DMVPN issue with 800 series routers

billy_maclin · ‎04-15-2024

I have a DMVPN network with 4331 hub routers. Our HQ in Memphis has a hub on AT&T, and another on Lumen. Our New York hub is also a Lumen connection. All are 500Mb up/down. We have about 35 spokes around the US that peer to all 3 routers. BGP is the routing protocol, and we're using IKEv2, SHA512, AES256, DH group 16, and PSK. The hubs send only default route to the spokes, while the spokes redistribute connected with a prefix list to prevent advertising the public IP over the private network. BGP peers are weighted at the spoke end so that one path is preferred back to the Memphis hub - that would be Lumen, see more below.

The spokes are a mix of 881, 891F, 1101, and 1111 routers. The 1000 series routers are stable to all hubs, and the routing adjacencies only go down with an actual outage. The 800 series constantly lose connection to the Memphis AT&T and the NY Lumen, but the connections to the Memphis Lumen are stable, only going down with a real outage.

This would seem to have a couple of solutions: 1) Replace all of the 800 series with ISR1000 series, or 2) determine what is wrong with these carrier connections that is causing this issue for only the 800 series routers.

Note: All routers are running the latest recommended version of IOS or IOS-XE. This issue also occurs with Eigrp and OSPF, so the routing protocol is immaterial.

MHM Cisco World · ‎04-16-2024

Both tunnel use same tunnel source

Then you need to use shared keyword with ipsec profile.

Note:-you need to clear crypto to make change take effect

MHM

View solution in original post

billy_maclin · ‎04-15-2024

Should have mentioned that there are no bandwidth issues with any of these connections. The NY connection see very little traffic, while the Memphis ATT see less than 50% utilization peak.

Aref Alsouqi · ‎04-16-2024

Do you see anything interesting on the 800 routers logs?

billy_maclin · ‎04-16-2024

Logs and debugs have proven unhelpful.

MHM Cisco World · ‎04-16-2024

Both tunnel use same tunnel source

Then you need to use shared keyword with ipsec profile.

Note:-you need to clear crypto to make change take effect

MHM

billy_maclin · ‎04-16-2024

I’ve been using a unique IPSEC profile for each tunnel interface for years, and I never thought it might be causing issues, but now that you’ve brought it back to my attention, I’ve configured a few of my 800 sites for a shared IPSEC profile. I’ll update when I know if that had any impact, which shouldn't take long since these routers lose both IKE and routing adjacency constantly.

MHM Cisco World · ‎04-16-2024

Take your time

Goodluck

MHM

billy_maclin · ‎04-16-2024

MHM, that was the issue. Using shared IPSEC profile now on all sites and the flapping has stopped completely. Thank you so much for the help.

billy_maclin · ‎04-16-2024

Also wanted to mention that changing the tunnel protection profile command cleared the tunnels. There was no need to do it manually.