01-15-2013 02:56 AM - edited 02-21-2020 06:37 PM
Dear Experts,
I am currently evaluating a company design for mid-scale DMVPN Phase 2 networks, trying to optimize recovery time after a failure-and-recovery of a DMVPN peer.
1. I just went through a PDF of a Cisco Live Breakout Session from 2011 named "Advanced Concepts of DMVPN - BRK 4052".
It says (without further explanation) that the Invalid SPI Recovery feature is not useful with DMVPN.
Can anybody explain, why?
2. DMVPN implies the use of Tunnel Protection (TP). I read comments which say, that you can't use Dead Peer Detection (DPD) together with TP.
Contrary to these comments, Cisco's DMVPN design guide V1.1 recommends a configuration containing:
crypto isakmp keepalive 10
Does that mean, I should use DPD, but without "periodic" keepalives? If yes, could you explain?
Thanks a lot!
01-15-2013 11:37 AM
Dear Sebastian,
1. SPI Recovery basically means that the Responder router should respond to the VPN Initiator Router even if the SPI was invalid; the reply from the responder would be an "Invalid Error" to the VPN initiator.
Why isn't it recommended for DMVPN?
Well, based on the previous SPI description, imagine if someone overwhelms your Router with rogue requests! With SPI Recovery enabled, this means that your router would need to reply to all the messages it received with an "Invalid Error" message, which basically means --> DoS Attack (Denial of Service Attack) --> High CPU processing on your Router.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200
How does that relate to DMVPN?
Well! DMVPN is mainly deployed with large number of spokes! and even if no one is attacking you! your spokes can attack you
2. I don't think that having periodic keepalives is what is meant in the comments; having on-demand or periodic keepalives doesn't really affect DMVPN.
I don't know what the comments are that you read, but I believe that you can use DPDs! There have been some incompatibilities filed for tunnel keepalives, but as far as I know, nothing major was filed against ISAKMP keepalives.
HTH!
AMatahen
01-16-2013 08:11 AM
Thanks for your reply!
If I don't enable Invalid SPI recovery, what happens if the hub router reboots? How fast will the recovery time be?
Yes, I probably mixed up DPD and tunnel keepalives.
01-16-2013 01:18 PM
If the hub Router reboots, your ISAKMP keepalives will be responsible for marking the tunnel as down. At that stage, Spokes will keep trying to register to the Hub forever, until they receive a reply back from the Hub; when a spoke receives it and successfully registers, it will pass traffic normally.
Time depends on the boot time required on the Hub Router; as soon as it loads, the VPN will go up due to the way NHRP has been designed.
HTH
AMatahen
01-17-2013 08:17 AM
Thanks again,
I read another post about DMVPN w/ Invalid SPI recovery:
https://supportforums.cisco.com/thread/2045830
Based on that, I would suppose that configuring Invalid SPI recovery on a DMVPN Hub makes no sense, because it has no knowledge of other spokes' IP addresses (when it has no existing connection).
Nevertheless, Invalid SPI recovery on the spokes could make sense, because they have a static configured destination.
Do you agree?
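To make the two settings discussed in this thread concrete, here is an added IOS configuration sketch (not configuration from this thread, from Cisco's design guide, or from the Cisco Live session). It shows the split the last post proposes: ISAKMP DPD is configured on both hub and spoke, while invalid-SPI recovery is enabled only on the spoke, whose hub peer is statically configured, and is left at its default (off) on the hub, where replying to every stray ESP packet from a large spoke population is the CPU-load concern raised earlier. Interface names, addresses, the tunnel key, and the profile and transform-set names are assumed placeholders.

```cisco
! ---- Spoke (assumed example, not from the thread) ----
! DPD: probe every 10 s, 3 retries. 'on-demand' (the default) only sends
! probes when the peer has been silent and there is traffic to send to it;
! 'periodic' sends a probe every interval regardless of traffic.
crypto isakmp keepalive 10 3 on-demand
! Spoke only: the router that receives ESP with an unknown SPI uses IKE to
! tell the sender, so the stale SA can be torn down and renegotiated.
! Enabled here because the spoke's only IPsec peer is the hub.
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp holdtime 600
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Hub (assumed example, not from the thread) ----
crypto isakmp keepalive 10 3 on-demand
! Default (off), written out to document the decision: with many spokes,
! answering every unknown-SPI packet with an IKE notification is the
! CPU-amplification risk described earlier in the thread.
no crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp holdtime 600
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

After a hub reload, the spoke-side DPD timers (here 10 s times 3 retries) bound how long a spoke keeps a dead IKE SA before it starts fresh negotiation and NHRP registration; `show crypto isakmp sa` and `show ip nhrp` on the spoke are the places to watch that recovery happen.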