04-15-2024 03:01 PM
I have a DMVPN network with 4331 hub routers. Our HQ in Memphis has a hub on AT&T, and another on Lumen. Our New York hub is also a Lumen connection. All are 500Mb up/down. We have about 35 spokes around the US that peer to all 3 routers. BGP is the routing protocol, and we're using IKEv2, SHA512, AES256, DH group 16, and PSK. The hubs send only default route to the spokes, while the spokes redistribute connected with a prefix list to prevent advertising the public IP over the private network. BGP peers are weighted at the spoke end so that one path is preferred back to the Memphis hub - that would be Lumen, see more below.
The spokes are a mix of 881, 891F, 1101, and 1111 routers. The 1000 series routers are stable to all hubs, and the routing adjacencies only go down with an actual outage. The 800 series constantly lose connection to the Memphis AT&T and the NY Lumen, but the connections to the Memphis Lumen are stable, only going down with a real outage.
This would seem to have a couple of solutions: 1) Replace all of the 800 series with ISR1000 series, or 2) determine what is wrong with these carrier connections that is causing this issue for only the 800 series routers.
Note: All routers are running the latest recommended version of IOS or IOS-XE. This issue also occurs with EIGRP and OSPF, so the routing protocol is immaterial.
04-16-2024 04:13 AM
Both tunnels use the same tunnel source.
Then you need to use the shared keyword with the IPsec profile.
Note: you need to clear crypto to make the change take effect.
MHM
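To make the condition in the accepted answer checkable before a change window, here is an added Python script (not from the thread, and not Cisco's own tooling) that parses an IOS-style running config, groups tunnel interfaces by their `tunnel source`, and flags any tunnel that shares a source with another tunnel but lacks the `shared` keyword on `tunnel protection ipsec profile`. It also emits the interface-level lines that would move every flagged tunnel onto one shared profile. The two embedded configs are constructed to mirror the spoke described in the thread (three mGRE tunnels to three hubs over one WAN interface); interface names, addresses, IKEv2 profile and IPsec profile names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed "before" config: one IPsec profile per tunnel, same tunnel
# source on every tunnel, no "shared" keyword (the pattern the thread fixes).
BEFORE_CONFIG = """\
crypto ipsec profile MEM-ATT
 set ikev2-profile SPOKE-IKEV2
crypto ipsec profile MEM-LUMEN
 set ikev2-profile SPOKE-IKEV2
crypto ipsec profile NY-LUMEN
 set ikev2-profile SPOKE-IKEV2
!
interface Tunnel10
 description DMVPN to Memphis AT&T hub
 ip address 10.10.0.5 255.255.255.0
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MEM-ATT
!
interface Tunnel20
 description DMVPN to Memphis Lumen hub
 ip address 10.20.0.5 255.255.255.0
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MEM-LUMEN
!
interface Tunnel30
 description DMVPN to New York Lumen hub
 ip address 10.30.0.5 255.255.255.0
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile NY-LUMEN
"""

# Constructed "after" config: one IPsec profile, "shared" on every tunnel
# that uses the common source.
AFTER_CONFIG = """\
crypto ipsec profile DMVPN-SHARED
 set ikev2-profile SPOKE-IKEV2
!
interface Tunnel10
 ip address 10.10.0.5 255.255.255.0
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-SHARED shared
!
interface Tunnel20
 ip address 10.20.0.5 255.255.255.0
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-SHARED shared
!
interface Tunnel30
 ip address 10.30.0.5 255.255.255.0
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-SHARED shared
"""

IFACE_RE = re.compile(r"^interface (Tunnel\d+)\s*$")
SOURCE_RE = re.compile(r"^tunnel source (\S+)\s*$")
PROTECT_RE = re.compile(r"^tunnel protection ipsec profile (\S+)(\s+shared)?\s*$")


def parse_tunnels(config):
    """Return {tunnel name: {"source", "profile", "shared"}} from an IOS config.

    IOS indents interface sub-commands with one space; any unindented line
    ("!", the next "interface", a global "crypto" line) ends the current block.
    """
    tunnels = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = IFACE_RE.match(raw)
            if m:
                current = {"source": None, "profile": None, "shared": False}
                tunnels[m.group(1)] = current
            else:
                current = None
            continue
        if current is None:
            continue
        line = raw.strip()
        m = SOURCE_RE.match(line)
        if m:
            current["source"] = m.group(1)
            continue
        m = PROTECT_RE.match(line)
        if m:
            current["profile"] = m.group(1)
            current["shared"] = m.group(2) is not None
    return tunnels


def find_unshared_tunnels(config):
    """List (tunnel, source, profile) for protected tunnels that share a
    tunnel source with another tunnel but lack the "shared" keyword."""
    tunnels = parse_tunnels(config)
    by_source = defaultdict(list)
    for name, t in tunnels.items():
        if t["source"] and t["profile"]:
            by_source[t["source"]].append(name)
    return [
        (name, t["source"], t["profile"])
        for name, t in tunnels.items()
        if t["source"] and t["profile"]
        and len(by_source[t["source"]]) > 1 and not t["shared"]
    ]


def remediation(findings, profile):
    """CLI lines that put every flagged tunnel on one shared IPsec profile.
    "profile" is the operator's chosen (assumed) profile name."""
    lines = []
    for name, _source, _old in findings:
        lines.append(f"interface {name}")
        lines.append(f" tunnel protection ipsec profile {profile} shared")
    return lines


if __name__ == "__main__":
    for name, source, profile in find_unshared_tunnels(BEFORE_CONFIG):
        print(f"{name}: source {source} shared with other tunnels, profile {profile} not marked shared")
    print("\n".join(remediation(find_unshared_tunnels(BEFORE_CONFIG), "DMVPN-SHARED")))
    print("after fix:", find_unshared_tunnels(AFTER_CONFIG))
```

Run it against the output of `show running-config` saved to a file (replace the embedded string) to get a list of spokes still carrying the per-tunnel, non-shared pattern before touching production; as the thread notes later, reapplying `tunnel protection` resets the tunnels, so do this site by site.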
04-15-2024 03:12 PM
Should have mentioned that there are no bandwidth issues with any of these connections. The NY connection sees very little traffic, while the Memphis ATT sees less than 50% utilization at peak.
04-16-2024 04:06 AM
Do you see anything interesting on the 800 routers logs?
04-16-2024 10:27 AM
Logs and debugs have proven unhelpful.
04-16-2024 10:29 AM
I’ve been using a unique IPSEC profile for each tunnel interface for years, and I never thought it might be causing issues, but now that you’ve brought it back to my attention, I’ve configured a few of my 800 sites for a shared IPSEC profile. I’ll update when I know if that had any impact, which shouldn't take long since these routers lose both IKE and routing adjacency constantly.
04-16-2024 10:34 AM
Take your time
Good luck
MHM
04-16-2024 03:43 PM
MHM, that was the issue. Using shared IPSEC profile now on all sites and the flapping has stopped completely. Thank you so much for the help.
04-16-2024 10:31 AM
Also wanted to mention that changing the tunnel protection profile command cleared the tunnels. There was no need to do it manually.