URGENT : Monitoring DMVPN tunnel

Unanswered Question
Jan 15th, 2009
User Badges:

Hi Friends,

Is there any way to monitor DMVPN tunnel. I have a DMVPN tunnel configured but the problem is even if the internet link is down, the tunnel does show UP. I initially tested by using keepalives but the tunnel used to go down even if it up. Later a cisco article read that keepalives be used only on point to point gre tunnels and not dmvpn tunnels. Appreciate your suggestions.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rakeshccip Fri, 01/16/2009 - 02:41
User Badges:

Because of the DMVPN combination of multiple features working together (IPSec, IKE, GRE, NHRP, routing), the commands used to monitor

these features are mainly used to monitor DMVPN. Some examples of commands are show crypto session, show ip nhrp, show

crypto isakmp sa, show ip route, and show ip eigrp neighbors.

Also using SDM, monitor DMVPN tunnels in the monitor mode-> VPN Status -> DMVPN tunnels.

Manoj Wadhwa Mon, 01/19/2009 - 21:21
User Badges:

Hi Rakesh,

Actually, i want to monitor in such a way that if the tunnel goes down, i can proactively know it by an alert in our remote monitoring tools. Currently our monitoring tool is not able to detect the tunnel because the tunnel interface does not go down ... as a work around, we have implemented a new point-point gre tunnel just for monitoring .. and we testing it wo be working fine ... but if the no. of sites are huge, this is a cumbersome solution. We would like to know if there are any other feasible alternatives than this. Thanks again.



Joseph W. Doherty Tue, 01/20/2009 - 06:28
User Badges:
  • Super Bronze, 10000 points or more

Two ideas that come to mind, although whether they might work easily would depend much on you monitoring tool.

First, you might be able to SNMP poll NHRP on the hub and watch the far side tunnel addresses. (If this could be done, monitoring would work best if it "remembered" the NHRP address cache, watching for lost addresses.)

Second, you could define SLA to remote addresses and watch them.


This Discussion