Hi
I've got a DMVPN phase 2 single hub / dual cloud setup which works fine until the primary hub is lost.
When that happens all spokes are still able to communicate through the secondary hub (and thereby reach the LAN) but the spoke-to-spoke traffic stops working.
If I look in the routing table of the spokes it has changed to route traffic to the other spokes via the secondary cloud. I'm using OSPF for routing.
When the primary hub is up, everything works perfectly so I'm sure that this is just me missing something.
Both hubs are 1921s and spokes are either 1921s, C891s or C881s, and they are all running Version 15.4(3)M4 (same behavior in M5).
Can anyone help, or maybe recognise this behavior?
HUB1 config:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key "64 character long psk" address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE1
 set transform-set DMVPN_TS
!
interface Tunnel1
 bandwidth 10000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.1 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE1
HUB2 config:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key "64 character long psk" address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE2
 set transform-set DMVPN_TS
!
interface Tunnel2
 bandwidth 9000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.129 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE2
SPOKE(s) config:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key "64 character long psk" address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE1
 set transform-set DMVPN_TS
!
crypto ipsec profile DMVPN_PROFILE2
 set transform-set DMVPN_TS
!
interface Tunnel1
 bandwidth 10000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.5 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast 1.2.3.4
 ip nhrp map 172.16.50.1 1.2.3.4
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.50.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE1
!
interface Tunnel2
 bandwidth 9000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.133 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast 5.6.7.8
 ip nhrp map 172.16.50.129 5.6.7.8
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.50.129
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE2
Any help appreciated - thanks! :-)