DMVPN Dual Hub Failover

Unanswered Question
Nov 30th, 2009

We are replacing all old IPSEC VPN tunnels with DMVPN.

We want to have two dual hubs and multiple spokes. We have EIGRP
running on the hubs and then redistributing into OSPF.

This is the issue.

We have one hub as primary and one hub as secondary.

Everything works fine, but we've been running into an issue: when the
primary hub goes down and comes back up, the amount of time it
takes for a spoke to see it is not consistent.

It goes anywhere from 2 seconds to 10 mins.


Besides that, everything works fine.


Is this by design?

Reza Sharifi Mon, 11/30/2009 - 13:06

Hi Jon,


Do you have this command configured:


crypto isakmp keepalive 10


To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.


http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1046605


This may be a reason for the long convergence time.


HTH

Reza

Jonathan Quinones Mon, 11/30/2009 - 13:57

Thanks for the reply Reza.


I have this in my configuration on both hubs.


It's very weird.


I cannot get it to give me the same results consistently. It does work, but it's a matter of time as to when it will switch back. I do not know if this is the natural behavior of this setup. I highly doubt it.


Everything else seems to work fine.


Someone I know had the same issue and just used one hub, which I'm trying to avoid at the moment.


Any more information would be greatly appreciated.


Thanks!
