03-25-2013 12:00 PM - edited 02-21-2020 06:47 PM
Hi all,
I'm having an issue with an EIGRP config I'm doing in a lab for a customer. They want to be able to do dynamic branch tunnels and also have 2 service providers at each location. The setup has 3 hubs, 2 at the data center and 1 at the disaster recovery site. Every location has 2 ISPs and the customer wants the DMVPN to be able to establish tunnels over either SP to any other SP.
The config I'm doing has 4 tunnels on each router.
Tunnel 1 - facilitate communication SP1 at the hub to SP1 at the branch
Tunnel 2 - facilitate communication SP2 at the hub to SP2 at the branch
Tunnel 3 - facilitate communication SP1 at the hub to SP2 at the branch
Tunnel 4 - facilitate communication SP2 at the hub to SP1 at the branch
The problem I'm finding is this though (and this also happened when I was only using the first 2 tunnels, ie VPN only over common SPs) - when I shutdown the SP1 interface on the hub, communication fails over nicely to SP2. However, when I do a no shutdown to bring back up the SP1 interface, the tunnel doesn't fail back over. When I do a show dmvpn, that particular tunnel is stuck in NHRP state. The debugs don't show anything useful but once I do a clear crypto session on the branch, everything works properly. Could this be a bug or a config error? I've attached the configs I'm using. Forgive me if they're a bit tricky to understand.
Right now, R1 and R2 are the hubs and R3 and R6 are the branches.
Thanks
Xavier
04-04-2013 01:42 PM
Anyone able to assist with this?
04-04-2013 03:29 PM
Xavier,
- isakmp keepalives missing
- check tunnel route-via, but better yet pack one of the SPs into a VRF (vrf-lite) and have two default routes.
Other things, not related:
- MTU/MSS missing
- holdtime 30 - that's a bit short, you're going to kill scalability.
- Using phase 3 and phase 2 design at the same time? I guess not intended?
- If you want this to scale nicely, use BGP
For the rest, hard to say, needs debugging, checking of routing during failing back to original.
M.
04-05-2013 07:37 AM
EIGRP neighbor relationships don't even establish because the tunnels don't come back up. I will add isakmp keepalives and test again. If that doesn't work I'll try vrf-lite as you suggested, but I've had trouble setting that up in the past.
The config has come some distance since this one I posted here in terms of hold time and MTU.
For using phase 2 and 3 at the same time, I just did a bit more reading and saw that phase 3 doesn't use the "no ip eigrp AS next-hop-self". Is this the only thing I need to change to make it strictly phase 3?
04-06-2013 12:39 AM
Check out tunnel route-via
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_trsel.html#wp1069843
It has some recent bugs, but for the rest it's a simple way of doing vrf-lite (I'm not a big fan of this feature, it makes troubleshooting hard).
In phase 3 design we rely on summaries sent by hub devices, while not required they make a few things easy (like routing config on interfaces), but introduce problems of their own. To answer your question - that's about right ;-)
M.
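As an added illustration (not Xavier's attached configs and not M.'s own), this is what M.'s advice in the two replies above looks like on one hub tunnel: SP1 fronted by its own VRF carrying its own default route, IKE keepalives (DPD), MTU/MSS clamping, a longer NHRP holdtime, and a phase 3 only tunnel (ip nhrp redirect plus a hub summary, with no "no ip next-hop-self"). VRF name, interface names, addresses and the key are assumed placeholders.

```cisco
! Hub router, Tunnel1 over SP1. SP1 is placed in a front-door VRF so its
! default route never competes with SP2's in the global table. Constructed
! example: VRF name, interface names, addresses and key are placeholders.
ip vrf SP1
 rd 1:1
! IKE keys for peers reached through the SP1 VRF live in a VRF-bound keyring.
crypto keyring SP1-KEYS vrf SP1
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-WITH-STRONG-KEY
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! Dead Peer Detection: tears down stale IKE sessions after an underlay flap
! instead of leaving the spoke stuck until "clear crypto session".
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile SP1-PROF
 keyring SP1-KEYS
 match identity address 0.0.0.0 0.0.0.0 SP1
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-SP1
 set transform-set DMVPN-TS
 set isakmp-profile SP1-PROF
!
interface GigabitEthernet0/0
 ip vrf forwarding SP1
 ip address 203.0.113.2 255.255.255.252
!
interface Tunnel1
 description DMVPN hub over SP1, phase 3 only (no next-hop-self tweak)
 ip address 10.1.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp redirect
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf SP1
 tunnel protection ipsec profile DMVPN-SP1
!
ip route vrf SP1 0.0.0.0 0.0.0.0 203.0.113.1
router eigrp 1
 network 10.1.1.0 0.0.0.255
```

SP2 gets the same shape with its own VRF, keyring, default route and tunnel; because each underlay default lives only in its VRF, bringing an SP interface back up does not pull the other tunnel's traffic onto the wrong provider.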
04-08-2013 06:57 AM
Great! I got this working. Not sure what the issue was. The thing is, I was using GNS3 and I had a router with a switch card acting as both SP clouds. When I tried configuring the route tracking, it wasn't behaving. I since switched it from the router-switch to a router connected to 2 of the dumb switches and route tracking started behaving properly. The failover and everything works perfectly now.
I also cleaned up some of the tunnel config so I don't know if that's actually what fixed it.
One more question though. I just discovered that the customer has no data license so there's no clean automatic failover using floating static routes. Can I get this clean failover using VRFs without route tracking or will I still need it?