I am trying to create a DMVPN design with 2 hubs, 1 primary and 1 backup, and several spokes. I have been reading of the difficulty of terminating a DMVPN tunnel onto an HSRP address and indeed I have not been able to get this to work. I have, however, been able to use the Dual Hub/Single DMVPN design where the spoke maps the tunnel endpoints to the physical outside addresses of each hub, changing the metric of the backup hub (in my case increasing the OSPF cost) to avoid routing loops.
What I am unclear about is _why_ the DMVPN tunnel will not terminate on the HSRP address. Could someone please point me to some official Cisco document indicating the incompatibility, or else if I am completely wrong point me in the direction of how to configure DMVPN with HSRP?
Thanks in advance,
First I want say HSRP and DMVPN is not officially supported, not documented on CCO, but it can work together.
The primary reason of using HSRP with ipsec is to provide redundancy; DMVPN use the routing protocol on top to achieve the active/active redundancy, so there is no need for HSRP. Another reason is for HSRP to work, the 2 hub router must be in same LAN; using DMVPN and routing protocol for redundancy will not have that restriction.
However, as I said. HSRP with DMVPN can work together, but just not recommended.
Thank you for your response.
I tried configuring the DMVPN to terminate on the HSRP address but was not able to bring up the tunnel. I would see an active SA in the QM_IDLE state for exactly 1 minute, but even during this time I was not able to route traffic through the tunnel.
Could you please tell me how (what configuration is necessary) to terminate a DMVPN spoke onto an HSRP address? Though I will probably not use HSRP for DMVPN in production, I still would like to know how it is technically possible, or why technically it won't work.