Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1202
Views
0
Helpful
4
Replies

DMVPN Phase 3: Spoke to Spoke dynamic tunnel expires after 5 min

Romanpreet Singh
Level 1
Level 1

‎06-30-2016 03:37 AM - edited ‎02-21-2020 08:52 PM

Hi 

I have deployed DMVPN phase 3 and spoke to spoke dynamic tunnels expires after 5 min. Is it default behavior or some command causing it.? Can it be adjusted? 

Config on two spokes is like this:

crypto isakmp policy 1
encr aes
hash sha256
authentication pre-share
group 2
!
crypto isakmp policy 1000
encr aes 256
hash sha256
authentication pre-share
group 2
lifetime 3600

crypto isakmp key XXXXX address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 5

crypto ipsec transform-set XXX esp-aes esp-sha256-hmac
mode transport
!
crypto ipsec profile XXX
set transform-set XXX
!

interface Tunnel21
description DMVPN_Test
ip address 10.X.X.X 255.255.255.0
no ip redirects
ip mtu 1400
ip flow monitor flow-monitor-01 input
ip flow monitor flow-monitor-01 output
ip nhrp map 10.X.X.X Y.Y.Y.Y
ip nhrp map multicast Y.Y.Y.Y
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 10.X.X.X
ip nhrp shortcut
ip nhrp redirect
zone-member security INSIDE
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile OIIDMVPN

Labels:
0 Helpful
4 Replies 4

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-30-2016 11:11 PM

Which router model(s) are you using, and which IOS version?

0 Helpful

Romanpreet Singh
Level 1
Level 1
In response to Philip D'Ath

‎07-01-2016 01:41 AM

1st Spoke is 3925 with IOS universalk9.15.1

2nd Spoke is 4331 with IOS UNIVERSALK9 15.4

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to Romanpreet Singh

‎07-01-2016 01:12 PM

Interesting combination.  For a 3925 a gold star release is 15.4.3M5.  I have also used this software release a lot with DMVPN and had no issues.  Could you change the 3925 to this software release?

On the 4331 I would run the gold star release 3.13.5S (which is 154-3.S5).

0 Helpful

Frank DeNofa
Cisco Employee
Cisco Employee

‎07-01-2016 10:23 AM

Romanpreet,

NHRP will tear down dynamic tunnels when traffic has not been routed using the NHRP entry within the configured holdtime. You can see that you have a hold time of 5 minutes (300 seconds) configured on your tunnel interface. If you run 'show ip nhrp' you will see the holdtime decrementing and refreshing when appropriate. Increasing the holdtime will change this behavior.

HTH,

Frank

0 Helpful
Customers Also Viewed These Support Documents