Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
1
Helpful
3
Replies

DMVPN vpn tunnel flapps

devpuniya
Level 1
Level 1

‎03-16-2023 04:49 AM

 

 

Hello there,

I am seeing odd behavior in the dmvpn tunnels. I have a HUB and Spoke topology running EIGRP protocol. The network was stable for a long time but recently I started seeing that spoke side tunnels go down on their own and to bring it up, I have to bounce the tunnel. There is no other way it comes back. The error I see is as follows - 

 

Mar 14 22:28:17.032: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.100.100.100 (Tunnel100) is down: holding time expired
Mar 15 07:14:50.578: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.100.100.100 (Tunnel100) is down: holding time expired
Mar 15 07:32:01.494: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.100.100.100 (Tunnel100) is down: holding time expired
Mar 15 07:42:50.620: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.100.100.100 (Tunnel100) is down: holding time expired
Mar 15 07:49:21.035: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.100.100.100 (Tunnel100) is down: holding time expired
Mar 15 07:53:39.951: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.100.100.100 (Tunnel100) is down: holding time expired
Mar 15 07:59:55.942: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.100.100.100 (Tunnel100) is down: holding time expired

Some of the routers have dual tunnels ( meaning primary and secondary tunnels on the same router but in two separate vrf) and some of the sites have two separate routers. Wherever I have two separate routers, the secondary does not have an issue. but the primary goes down. 

Labels:
3 Replies 3

MHM Cisco World
VIP
VIP

‎03-16-2023 04:56 AM - edited ‎03-16-2023 05:22 AM

two point must check here 
1- Tunnel key must be different 
2- Tunnel must config with ipsec profile shared keyword if both share same source interface 

0 Helpful

devpuniya
Level 1
Level 1

‎03-16-2023 06:59 AM

Please note that tunnel is up and running at the moment. It happens every now and then. If the tunnel has an incorrect key and profile. How it will be up when I do a shut no shut? If the policy is not configured correctly, it will bot even bring up the MM1 itself. 

Thanks for your response. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to devpuniya

‎03-16-2023 09:17 AM

Hi, 
so return to this issue 
the EIGRP use two packet 
one is multicast <hello>
other is unicast 

you mention that the spoke have two VRF, are this VRF is front-VRF 
can you share the config of tunnel and config of tunnel source ??

0 Helpful
Customers Also Viewed These Support Documents