
IPsec Over DMVPN Underlay Problems

MohammadSalih
Level 1

Hi everyone,
I have an issue with a DMVPN tunnel with IPsec.

I will explain the design of the network as much as I can.

I have an ASR-1000 router (HUB), and I have more than 9 tunnels working on it.
Every tunnel has its own underlay network (different service provider),
for example:
tunnel 1 (Satellite connection VSAT)
tunnel 2 (Optical Fiber connection)
and etc ...

I have two tunnels with the same source interface, tunnel 1 and tunnel 9, that work over the satellite connection (underlay network).
On the overlay I enabled EIGRP over DMVPN.

All tunnels work perfectly except tunnel 1 and 9, which have the same underlay network.

The latency of the satellite is very high.

When I ping a spoke the time is 500 ms.

Tunnel 1 has more than 100 peers.
Tunnel 9 has 15 peers.


The issue is with tunnel 1 and 9 with the satellite connection (VSAT connection).

Everything is OK for a while, then suddenly some of the spoke routers lose connection with the ASR,
and when I check, I see these problems:

-----------------------
1- On some spoke routers

soke1-RT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
X.X.X.X Y.Y.Y.Y QM_IDLE 9115 ACTIVE

spoke1-RT#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10101, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 X.X.X.X Y.Y.Y.Y NHRP 3w5d S


The tunnel state is (NHRP) and EIGRP goes down,

especially when I write the SHARED command on the hub tunnel 1 interface (tunnel protection).


--------------------
2- Other spoke routers

GFC-RT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

In this case the spoke routers delete the IPsec connection and the DMVPN goes down;
it never comes up until I force a shutdown and no shutdown on the tunnel to make it come up again.

--------------------
When these problems happen I check the underlay connection; there is no problem and everything works fine.

All remaining tunnels from 2 to 8 work perfectly without any issue.

I will put the configuration of the HUB and spoke router.

 

1 Reply

I see that in the Hub you use the same interface for both tunnels BUT you use different IPsec profiles?

That is wrong.

You need to use the same IPsec profile and use the keyword shared in both tunnels.

And also I don't know why you don't like to add "ip nhrp map multicast dynamic" in the Hub? I remember in your previous post I recommended using it.

Thanks

MHM
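
A check for the condition this reply describes, as an added example that is not part of the original thread: it reads a hub configuration and flags tunnels that share a tunnel source but use different IPsec profiles or lack the shared keyword, and tunnels without ip nhrp map multicast dynamic. The sample configuration, interface names and profile names are constructed (not the poster's), and parse_tunnels and lint are hypothetical helper names.

```python
import re

# Constructed hub config, trimmed to the lines this check reads (not the poster's config).
SAMPLE_HUB_CONFIG = """\
interface Tunnel1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0/1
 tunnel protection ipsec profile PROF-A shared
!
interface Tunnel9
 tunnel source GigabitEthernet0/0/1
 tunnel protection ipsec profile PROF-B
!
"""

def parse_tunnels(config):
    """Return {tunnel name: {source, profile, shared, mcast}} from IOS-style text."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            cur = tunnels.setdefault(m.group(1), dict(source=None, profile=None, shared=False, mcast=False))
        elif not line.startswith(" "):
            cur = None  # any unindented line ends the interface block
        elif cur is not None:
            s = line.strip()
            if s.startswith("tunnel source "):
                cur["source"] = s.split()[2]
            elif (p := re.match(r"tunnel protection ipsec profile (\S+)(\s+shared)?", s)):
                cur["profile"], cur["shared"] = p.group(1), bool(p.group(2))
            elif s == "ip nhrp map multicast dynamic":
                cur["mcast"] = True
    return tunnels

def lint(config):
    """List findings for shared-source tunnels and for missing multicast mapping."""
    tunnels, by_src, findings = parse_tunnels(config), {}, []
    for name, t in tunnels.items():
        if t["source"] and t["profile"]:
            by_src.setdefault(t["source"], []).append(name)
        if not t["mcast"]:
            findings.append(f"{name}: no 'ip nhrp map multicast dynamic'")
    for src, names in by_src.items():
        profiles = {tunnels[n]["profile"] for n in names}
        if len(names) > 1 and len(profiles) > 1:
            findings.append(f"{src}: {', '.join(names)} use different IPsec profiles")
        findings += [f"{n}: 'shared' keyword missing on tunnel protection"
                     for n in names if len(names) > 1 and not tunnels[n]["shared"]]
    return findings
```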