ASK THE EXPERT - CONFIGURING AND TROUBLESHOOTING DMVPN NETWORK

Jul 13th, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Mynul Hoda the configuration and troubleshooting of DMVPN networks for the Enterprise Branch and MAN/WAN over various transports. Mynul is a technical leader in the End to End Enterprise Network Solution Testing team (NSITE) in San Jose, CA. He routinely provides escalation support to his own team and other security support teams, provides training and boot camps, and answers customer questions on the Networking Professionals Connection e-community. He writes and reviews documents on the Cisco.com web site and maintains and updates training materials for the Security boot camp. His areas of expertise are troubleshooting and configuring Security/VPN technologies such as AAA, Firewall, IDS, PPTP, IPsec, MPLS/VPN, NAC, Segmentation, Guest VLAN, Enterprise network design, Wireless, etc.

Remember to use the rating system to let Mynul know if you have received an adequate response.

Mynul might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 27, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

sebastan_bach Fri, 07/13/2007 - 15:48

Hi Mynul, great to have you in the forum.

I have configured DMVPN with EIGRP as the routing protocol.

The hub EIGRP keeps flapping every now and then, and on the spokes in show eigrp neighbours I don't see anything.

Then on the hub router I configure the spoke router's tunnel IP address as the neighbour, and on the spoke routers I configure the hub tunnel IP address as the neighbour.

Then everything works fine. Can you please explain this behaviour and why this is so?

regards

sebastan

mhoda Sun, 07/15/2007 - 16:43

Hey Sebastan,

Thanks for asking the first question!

Can you please let me know what HW/software you are running on the hub and spokes?

Thx,

Mynul

sebastan_bach Mon, 07/16/2007 - 01:39

Hi Mynul, thanks for your reply.

I am using 1841 routers with 12.4T IOS on them.

When I was using 12.3 mainline on 2610XM series routers I never had to give the neighbour command in EIGRP.

Is this an IOS bug?

Please let me know.

regards

sebastan

sebastan_bach Mon, 07/16/2007 - 01:41

Hi Mynul, I am also planning to integrate EZVPN on the routers into the DMVPN network, but I want to use certificates for the same.

Do you have any configuration example supporting this requirement?

And which IOS will be required for the same?

Waiting for your reply.

regards

sebastan

sebastan_bach Tue, 07/17/2007 - 03:36

Hi Mynul, thanks for your reply and the link.

But I am looking for a reply on the EIGRP tunnel flapping. Is it also an IOS bug?

regards

sebastan

mhoda Tue, 07/17/2007 - 01:41

Sebastan,

I am not aware of any bug, but if you provide the exact version information from both the hub and spoke router, I can try it out in the lab and advise you if it's a bug, or you may open a case with TAC to follow up on this.

Please let me know how you want to proceed.

Thx,

Mynul

roy-sam Sun, 07/15/2007 - 20:05

Hi Mynul,

For a Service Provider environment offering DMVPN services to multiple MPLS customers, do you recommend to use IOS CA on a standalone router or a dedicated MS CA server? How do you achieve High Availability if running on IOS CA?

What is the best practice for managing a DMVPN deployment? Using certificates or RSA nonces? I do not want to use pre-shared keys for the design.

mhoda Wed, 07/18/2007 - 02:23

Hello Roy,

For the CA server, my personal preference is to use the IOS CA server. AFAIK, a redundant CA server definition is not supported yet, as the CA server itself can be offline without affecting PKI operation. Hence, failover functionality in the IOS CA server has been low priority.

As for authentication, best is to use certificates.

Thanks,

Mynul

giaaaj Mon, 07/16/2007 - 00:43

Hi Mynul

I have too many (more than 100) site-to-site IPsec connections. I am using three Cisco 2811 routers for this purpose. I am using three different routers because I have overlapping networks (different sites that use the same address range). Is there any way to configure IPsec site-to-site VPN with overlapping networks on the same router?

Another question: is there a way to use the concept of "Large Scale Dialout Using TACACS+" with IPsec site-to-site VPNs, i.e. to do the configuration on the TACACS+ and download it when needed?

Thanks

Ali

ricey Tue, 07/17/2007 - 03:31

Hello Mynul,

I am setting up a DMVPN network and wish to use PKI instead of wildcard pre-shared keys. I have read that Cisco routers will not support certificates where any key length in the certificate chain is over 2048. I have an MS PKI where the offline root cert has a key length of 4096. Does this mean I cannot use this CA hierarchy?

ricey Tue, 07/24/2007 - 04:58

Mynul,

Thanks very much for the update. It appears (according to the doc) that a public key may have a modulus of 4096; however, a private key on a router is still restricted to 2048. As it is only the root CA that has the 4096 key (a Windows 2003 server), I think this should be OK. Thanks again for your help.

mhoda Tue, 07/24/2007 - 01:30

Hello Ali,

The answer to your first question is that it should be possible (I haven't personally tried it, but I don't see why it shouldn't work). Can you please refer to the following document to understand the concept and implement it on your routers?

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

I know this document doesn't talk about routers, but the concept is the same. Please go through this document and let me know if there is any confusion on any specifics.

As for your second question, unfortunately the answer is NO.

Regards,

Mynul

kimballw Tue, 07/17/2007 - 10:27

Hi,

Currently we have a DMVPN network with a single 7200 hub and 831 spokes.

We are attempting to provide a redundant link at a separate site for disaster recovery. We do not want to have a failover situation; we would prefer a load-balanced solution. We have been able to make this work until such time as we add firewalls behind the hubs.

The DR site has full connectivity back to the central office, as certain services are only served at the central office.

The problem that we have run into is with routing the packets back to the appropriate hub.

Currently the DMVPN is using EIGRP for its routing of the tunnels.

There is no routing between the hub and the firewalls, just default routes.

mhoda Tue, 07/24/2007 - 02:20

Hello !

A topology diagram can be very helpful here!

If I am reading it correctly, the FWs are behind the hubs, which means the traffic that goes through a FW needs to come back through the same one. Otherwise, the packets will be dropped. Essentially, you are running into asymmetric routing through the FW, which causes problems if you have a stateful FW like FWSM, CBAC or ASA. To mitigate that, one option is to set up the FWs as Active/Active. Another option would be to make sure the return traffic flows through the same FW with the assistance of policy routing.

Please let me know if you have any questions, with a logical diagram.

Regards,

Mynul

Anonymous (not verified) Wed, 07/18/2007 - 13:23

Hello Mynul,

I have a dual hub single DMVPN network. The hubs are geographically dispersed with the second hub being at our DR site. The hubs are both 3845 routers running 12.4(12b). EIGRP is used for routing in the network. Occasionally the secondary HUB will lose connectivity with the primary hub but the spokes will remain connected to both. The outage normally lasts for about 1 hour and happens at random intervals, sometimes 1 day, sometimes 5 days in between outages. This has been happening since early 12.4 versions. The thing that brings the connectivity back up is typing "clear crypto sa peer xx.xx.xx.xx" on the secondary hub using the IP address of the primary hub. Any idea what is causing this?

Thanks,

Samuel

mhoda Tue, 07/24/2007 - 03:06

Hey Samuel,

Without looking at any log or show command output, you may be hitting bug CSCsg90659.

Please check the release notes and see if it's a match.

Regards,

Mynul

SNMP and Management Information Base (MIBS)

Hi,

I want to monitor networking devices such as Cisco routers, Cisco Catalyst switches and Cisco firewalls. I need to capture four basic things: CPU utilisation, memory utilisation, interface errors and interface utilisation. We have various types of routers, switches and also firewalls. These devices support many series of IOS versions as well as the OLD-CISCO-CPU MIB and the CISCO-PROCESS MIB. So please advise me on the procedure to find out which network device supports which type of MIBs and what their IOS version is.

Waiting for reply.

Regards,

Shanti Ranjan Dash

mhoda Tue, 07/24/2007 - 03:08

Hello There,

Thanks for the question, but this session is focused on DMVPN. Can you please ask the question under the "Network Management" category of this forum?

Best regards,

Mynul

mlitka Thu, 07/19/2007 - 10:35

Mynul -

Is it possible to use DMVPN with private addresses at the remotes? In other words the Remote hub would NAT out to the Internet? We would like to use this solution in situations where we are sharing Internet connections and the provider will not give us a public IP address.

Anonymous (not verified) Thu, 07/19/2007 - 11:28

mlitka,

I can tell you that it is possible because I am currently doing this at some remotes. As long as the ISP doesn't strangely block any outbound ports, then you should be fine.

Thanks,

Samuel

mlitka Thu, 07/19/2007 - 10:43

Mynul -

Is there a way to restrict intersite traffic between certain sites when using the DMVPN? We have a Provider-based MPLS network and would like to use this as the primary means of communication. Each one of our sites has a backup Site to Site VPN back to our datacenter. When the MPLS circuit fails, the VPN routes kick in. My concern with DMVPN is now we are adding additional routes into the mix, which could cause routing loops, as we run EIGRP on the LAN and VPNs and BGP on the MPLS network.

Please advise.

Thanks,

Mike


forbest Thu, 07/26/2007 - 08:18

Hi Mynul-

We would like to do phase 3 DMVPN with VRFs running a mixture of IPV4 and IPV6 and using GRE as the extension of the MPLS environment.

What are the scalability issues with scaling to about 100 nodes?

Do you have any suggestions?

Thx.

-T

mhoda Fri, 07/27/2007 - 09:49

Hello Matt,

Not yet ! This is on the road map. So, please stay tuned.

Regards,

Mynul
