lol, 11 years response later.

gvos · ‎01-09-2004

I've a DMVPN up and running but if a node gets an other IP-address of the ISP or a router (node or hub) reloads it takes 2 - 3 hours before a new connection is established.

I believe it's a timer problem (especially IPsec) But there are a lot of timers (and they influend each other)

Node config::

crypto ipsec transform-set transform_dk esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile profile_dk

set security-association lifetime second 86400

set security-association idle-time 150

set transform-set transform_dk

interface Tunnel1

description --- DMVPN tunnel ---

ip address 10.132.136.1 255.255.192.0

no ip redirects

ip mtu 1428

ip nhrp authentication password

ip nhrp map multicast 194.x.x.25

ip nhrp map 10.132.128.1 194.x.x.25

ip nhrp network-id 1000

ip nhrp holdtime 300

ip nhrp nhs 10.132.128.1

ip hello-interval eigrp 1 30

ip hold-time eigrp 1 65

qos pre-classify

tunnel source BVI1

tunnel mode gre multipoint

tunnel key 1000

tunnel protection ipsec profile profile_dk

Which are the optimal values for next timers???

ip nhrp holdtime 300

set security-association lifetime second 86400

set security-association idle-time 150

ip hello-interval eigrp 1 30

ip hold-time eigrp 1 65

I haven't found a description from how these timers influend each other. Is there a description?

benhur.p · ‎01-13-2004

Try changing SA Lifetime.

richardbergen · ‎07-28-2014

lol, 11 years response later...

there is a registration timeout value on the spoke interface you can change which will update the hub with a new periodic mapping. The expire time (hold timer) on the hub should also be updated.

more information you could ever want on this: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html

DMVPN: Timers??? (NHRP, IPsec, EIGRP)