I am having little problem concerning a site-to-site VPN tunnel and I am hoping someone could help me out.
In my network we have one HQ and one Branchoffice.
The HQ has got two routers, each connected to the internet and configured with VRRP for failover to the second internet connection
VRRP is setup so that it prefers one router, and tracks the WAN interface of that router so when it comes online again VRRP automatically switches back.
My branchoffice has got a DMVPN multipoint tunnel to both routers. (Dual hub single cloud)
When I kill the primary WAN connection of the HQ, VRRP almost immediately switches over to the secondary router (which is perfect).
And when I reconnect the primary WAN connection, it also switches back perfectly.
When I disconnect the primary WAN and immediately reconnect it (like a flap), the tunnel doesn't work anymore.
It needs to wait until the ISAKMP keepalive timer expires, (which is like 20 seconds at minimum, can't tweak this any less) and then it works again.
After those 20 seconds the tunnel is buildup again, and the neighbourship restores and everything works nice and dandy.
But I wonder does it have wait for the keepalive?
Is there no way the let the tunnel automatically work again when I plug the cable back again?
Any help would be very much appreciated
If NEITHER of the sides of the tunnel detects that the other side is down there is no reason no to use previous SPIs and wait for IKE to do it's job.
Now what I THINK is the problem is the crypto socket which MIGHT get shut down when you flap the interface.
You can compare "show crypto socket" output before and after the flap if you're still interested in trying.
If you want full fledged investigation - I think it's better to open up a TAC case.
Also - does this problem persists if you source DMVPN tunnels from loopback?
You will NOT have this issue if you have DMVPN using loopback interface. Loopback interface is "independent" of the WAN connection when you have redundant WAN connection.