Site to Site redundancy solution?

Warren Sullivan
Level 1

[Attached diagram: forCisco.JPG]

Hi Guys,

Looking for a solution here. I want to have site-to-site VPNs where indicated by the comm link lightning bolts, only concentrating on Site 1 for now; Site 2 and the other 15 remote offices would be the same, but I'm just focusing on Site 1 for simplicity.

Head Office 1 and TELCO 1 are the priority. TELCO 1 supplies us with 5Mbps links to all remote offices, whereas TELCO 2 supplies us links down to about 512k; it is a backup only.....

- Head Office 1 being the priority, in the event of Head Office 1 going down, the VPN would switch over to Head Office 2 through TELCO 1

- in the event that TELCO 1 went down, TELCO 2 would take over, again with Head Office 1 being the priority; and in the event that Head Office 1 and TELCO 1 went down, Head Office 2 through TELCO 2 would take over

- there is a L2 10Gbps link between Head Office 1 and 2 for replication

Any ideas guys

This is a real scenario. Thought it might be an interesting challenge for us to solve ;-)

Thanks for your help!

10 Replies

Kevin P Sheahan
Level 5

This is what DMVPN was designed for. Dual hub DMVPN is what you'll want to implement and with route-maps and IP SLA tracking it will cover everything you've asked for.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

Thanks Kevin,

I have implemented a dual hub, dual DMVPN on a test network, and all is working fine, except for one thing: all remote office routers are in area 1, which is an NSSA with connected networks redistributed into OSPF, and the head office routers' WAN interface and tunnels are also in area 1, with area 1 nssa no-summary, but I cannot for the life of me define a different metric on the auto-injected default routes......please put me out of my misery!

To explain myself a little better: when on a remote router, I get the same cost default route for both Head Office 1 and 2.

What I want is Head Office 1 to be the primary and Head Office 2 to be backup......

Any ideas?

PS I'd love to change to EIGRP, but with our multivendor environment.....not a chance ;-(

Thanks in advance!

Got it,

area 1 nssa default-information-originate metric X

Sweet!

Good stuff, glad everything is working well. One other thing you could have done to use one link as primary and the other as failover, without messing with OSPF, would be to use route-maps with IP SLA tracking. When the reachability tracking shows the primary link as down, your route-map would use the failover link (if verify-reachability is configured).

There are many ways to do things; I'm glad that your current solution is satisfying your requirements.

Great job!


OK, thanks Kevin, but I have a new problem. I was getting some weird routing tables on the Head Office 2 router, and ultimately I'd prefer spoke-to-spoke connectivity, so I am experimenting with a dual hub, single DMVPN cloud solution, but I have flapping neighbors on the secondary hub router. It seems that the router is unable to send multicasts successfully, from what I can see through debugs and pings of 224.0.0.5; it will receive them, but it is unable to reach the neighbors with its hellos, so they die....any ideas?

Config of Hub 1 and 2 and a spoke below.....

PS, I have attached them in txt files for ease of reading.....

PSS Hub 1 is working perfectly, but if I lose it, all neighbors drop and the whole network dies. Let me know if you need any sh commands etc.

Thanks

PSSS If I can get this to work, we will be buying 36 new Cisco routers! Yay! If not, Juniper is lurking!!! noooooooooooooooo

Hi Warren,

Sounds like an interesting problem though I do not have the time to go through your configurations tonight (Wife will murder me).

I will lab this up tomorrow and respond with my results.

Kind Regards,

Kevin


Thanks a tonne Kevin, I really appreciate it, and I know how you feel with the death threats....lol

Hi Warren,

Haven't gotten around to getting these configs in the lab yet, but just looking over your configurations during lunch, you may try adjusting the tunnel configuration on your SPOKE's tunnel 1 interface to reflect the change below.

You currently have…

ip nhrp map 10.251.20.1 10.251.1.2
and
ip nhrp nhs 10.251.20.1

You should have…

ip nhrp map 10.251.10.2 10.251.1.2
and
ip nhrp nhs 10.251.10.2

Try this and see if it helps resolve your issue; it makes sense that it would, considering it points to hub 2, which is where you are having problems.

Please post back your results and if need be I will gladly continue troubleshooting.

Kind Regards,

Kevin


Hi Guys,

I am almost there. I have gone back to a dual hub, dual cloud, hub-and-spoke topology because it best suits our business needs. I am using EIGRP in the cloud and redistributing into OSPF (head office protocol) because all our switches are HP and using OSPF; OSPF was far too painful to work with in the DMVPN scenario, and as long as I'm careful, which I have been, lol (tagging redistributed routes and preventing them from coming back in through the other core router), all should be fine.

Now it's all running great, but with one problem: if I shut down our primary core router (hub 1), all remote sites point to the secondary core router (hub 2) on their second tunnel interface.....which is great! Everything is pingable, the network is stable as expected.......but when I bring hub 1 back up, the spokes do not reconverge on hub 1; an ISAKMP SA isn't even formed! Not until I reboot a spoke, then it will point to hub 1.....obviously not a desirable scenario...

So my question: what can I do to make the hub initiate the SA back to the spokes if it dies and comes back up?

Below are cut-down configs of hub 1, hub 2 and a spoke for your perusal...

Thanks heaps in advance!

Warren

Hub 1
********************************************************

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set setA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set setA
!
interface Tunnel1
 bandwidth 10000
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/1
 ip address 10.251.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 redistribute ospf 100 metric 50 1500 255 1 1500 route-map ospf-to-eigrp
 network 10.0.1.1 0.0.0.0
 no auto-summary
!
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute eigrp 100 metric 50 subnets route-map eigrp-to-ospf
 network 10.250.1.1 0.0.0.0 area 0
!
route-map eigrp-to-ospf deny 10
 match tag 20
!
route-map eigrp-to-ospf permit 20
 set tag 10
!
route-map ospf-to-eigrp deny 10
 match tag 10
!
route-map ospf-to-eigrp permit 20
 set tag 20
!

Hub 2
********************************************************************************

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set setA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set setA
!
interface Tunnel2
 bandwidth 10000
 ip address 10.0.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco2
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100
 delay 1050
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/1
 ip address 10.251.1.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 redistribute ospf 100 metric 1000 1500 255 1 1500 route-map ospf-to-eigrp
 network 10.0.2.1 0.0.0.0
 no auto-summary
!
router ospf 100
 router-id 2.2.2.2
 log-adjacency-changes
 redistribute eigrp 100 metric 100 subnets route-map eigrp-to-ospf
 network 10.253.1.1 0.0.0.0 area 0
!
route-map eigrp-to-ospf deny 10
 match tag 20
!
route-map eigrp-to-ospf permit 20
 set tag 10
!
route-map ospf-to-eigrp deny 10
 match tag 10
!
route-map ospf-to-eigrp permit 20
 set tag 20
!

Spoke
**************************************************************************

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set setA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set setA
!
interface Tunnel1
 bandwidth 1000
 ip address 10.0.1.90 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 10.0.1.1 10.251.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.1.1
 delay 1000
 tunnel source FastEthernet0/1
 tunnel destination 10.251.1.1
 tunnel key 1
 tunnel protection ipsec profile vpnprof
!
interface Tunnel2
 bandwidth 1000
 ip address 10.0.2.90 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco2
 ip nhrp map 10.0.2.1 10.251.1.2
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.2.1
 delay 5000000
 tunnel source FastEthernet0/1
 tunnel destination 10.251.1.2
 tunnel key 2
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/1
 ip address 10.251.1.90 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 10.0.1.90 0.0.0.0
 network 10.0.2.90 0.0.0.0
 network 10.0.90.1 0.0.0.0
 no auto-summary
!
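The NHRP mapping slip Kevin spotted earlier in the thread (a spoke's "ip nhrp map" / "ip nhrp nhs" pair pointing at the wrong hub) and the hub/spoke configs posted in this last reply are the kind of thing a small consistency check catches before the lab is even powered on. The following is an added Python example, not code from the thread or from Cisco: it parses the interface stanzas of hub and spoke IOS configs, resolves each hub's NBMA address from its tunnel source, and reports spoke tunnels whose NHRP map, authentication string, network-id or tunnel key disagree with the hub they name. The sample configs are constructed in the style of those posted above, with one deliberate mismatch on the spoke's Tunnel2.

```python
import re

PAT = {"ip": r"ip address (\S+)", "auth": r"ip nhrp authentication (\S+)", "netid": r"ip nhrp network-id (\S+)",
       "key": r"tunnel key (\S+)", "source": r"tunnel source (\S+)", "nhs": r"ip nhrp nhs (\S+)"}

def parse_interfaces(config):
    """Parse the 'interface ...' stanzas of an IOS config into {name: {field: value}}."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"maps": {}})
        elif cur is None:
            continue  # global config before the first interface stanza
        elif m := re.match(r"ip nhrp map (\d\S*) (\S+)", line):  # skips 'ip nhrp map multicast dynamic'
            cur["maps"][m.group(1)] = m.group(2)  # tunnel (protocol) address -> NBMA address
        else:
            for field, pat in PAT.items():
                if m := re.match(pat, line):
                    cur[field] = m.group(1)
    return ifaces

def check_spoke(spoke_cfg, hub_cfgs):
    """Yield mismatches between each spoke tunnel and the hub tunnel its 'ip nhrp nhs' names."""
    hubs = [parse_interfaces(c) for c in hub_cfgs]
    by_ip = {h[n]["ip"]: (h, h[n]) for h in hubs for n in h if "ip" in h[n]}
    for name, t in parse_interfaces(spoke_cfg).items():
        nhs = t.get("nhs")  # only spoke tunnels carry an NHS; physical interfaces are skipped
        if nhs is not None and nhs not in by_ip:
            yield f"{name}: NHS {nhs} is not a tunnel address on any hub"
        if nhs not in by_ip:
            continue
        h, ht = by_ip[nhs]
        nbma = h.get(ht.get("source"), {}).get("ip")  # hub NBMA = address of its tunnel source
        if t["maps"].get(nhs) != nbma:
            yield f"{name}: nhrp map {nhs} -> {t['maps'].get(nhs)}, but hub NBMA is {nbma}"
        for f in ("auth", "netid", "key"):
            if t.get(f) != ht.get(f):
                yield f"{name}: {f} {t.get(f)} differs from hub's {ht.get(f)}"

def hub(tun, auth, nbma):  # constructed hub config, in the style of Hub 1 / Hub 2 above
    return (f"interface Tunnel{tun}\n ip address 10.0.{tun}.1 255.255.255.0\n ip nhrp authentication {auth}\n"
            f" ip nhrp network-id {tun}\n tunnel source FastEthernet0/1\n tunnel key {tun}\n"
            f"interface FastEthernet0/1\n ip address {nbma} 255.255.255.0\n")
def spoke_tunnel(tun, auth, nbma):  # constructed spoke tunnel stanza, same style
    return (f"interface Tunnel{tun}\n ip nhrp authentication {auth}\n ip nhrp map 10.0.{tun}.1 {nbma}\n"
            f" ip nhrp network-id {tun}\n ip nhrp nhs 10.0.{tun}.1\n tunnel key {tun}\n")

HUBS = [hub(1, "cisco", "10.251.1.1"), hub(2, "cisco2", "10.251.1.2")]
# Tunnel2 deliberately maps hub 2's tunnel address to hub 1's NBMA address, the kind of slip caught above.
SPOKE = spoke_tunnel(1, "cisco", "10.251.1.1") + spoke_tunnel(2, "cisco2", "10.251.1.1")
```

Running list(check_spoke(SPOKE, HUBS)) on the constructed sample reports only the bad Tunnel2 map; feeding it the real hub and spoke configs from the attached txt files would flag the same class of mismatch.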
