Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1364
Views
5
Helpful
4
Replies

DMVPN Phase2 tunnel fails if Hub is reloaded

Go to solution
enewburn1
Level 1
Level 1

‎08-16-2018 11:28 AM - edited ‎02-21-2020 09:26 PM

Hi,

  I have a weird issue and am wondering if anyone has any ideas about what may be wrong with my config. I have (2) ISR4Ks running Denali in a Hub and Spoke mGRE DMVPN solution. Everything works fine unless my Hub router is reloaded - at which point the DMVPN connection will fail and not return to service. Removing and reapplying the encryption profile on the Spoke end causes everything to start working again. Attached are the relevant(?) sections of the config from each. Any thoughts?

 

**Update** If I do nothing whatsoever about 25 minutes after the Hub has finished its reload the IPSEC SA will reform on its own

Labels:
Preview file
2 KB
Preview file
2 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
enewburn1
Level 1
Level 1

‎08-16-2018 12:38 PM

Found the correct solution to the weirdness. Setting the tunnel's NHRP holdtime to 300 seconds did the trick. Now the tunnel and EIGRP association come up within a few seconds of each other

Thank you

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎08-16-2018 11:36 AM

Hi,
You should configure dead peer detection (dpd), this will detect when the hub goes down and delete the old (down) tunnel after a period. Once the hub is back up a new tunnel should then allowed to be established, intiated from the spoke. Link here for info on dpd.

 

HTH

Go to solution
enewburn1
Level 1
Level 1
In response to Rob Ingram

‎08-16-2018 11:47 AM - edited ‎08-16-2018 12:14 PM

That sounds kinda cool!

I'll check that out and get back to you, thank you for the tip

 

**Update** Well I added "crypto isakmp keepalive 30 5" and reloaded the Hub - but still have the same symptoms as before. Still, I appreciate the recommendation - always good to learn new things

0 Helpful

Go to solution
enewburn1
Level 1
Level 1
In response to Rob Ingram

‎08-16-2018 12:39 PM

Hey RJI - the isakmp DPD didn't do the trick but it got me going in the right direction. Thanks again!
0 Helpful

Go to solution
enewburn1
Level 1
Level 1

‎08-16-2018 12:38 PM

Found the correct solution to the weirdness. Setting the tunnel's NHRP holdtime to 300 seconds did the trick. Now the tunnel and EIGRP association come up within a few seconds of each other

Thank you

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents