I have a setup (see drawing) where I have
dual ISP links at the branch end, one with wireless and another with 3G.
Wireless should always be the primary path when it is working (it is a ship, so when it is in harbor).
If I use OSPF then the failover works fine, but as soon as I enable IPsec on the tunnel, it will only fail over once, and it will not fail over to the primary again without rebooting the router, and then it works for one failover again.
I'm using tracking also, since there are no interfaces there that go down.
Is there anyone who has a working config where, e.g., in the headend (normal setup) there are dual ISP links to the same router, or of course the same as I have?
I'm willing to use any kind of protocol to get it to work, so RIPv2 (preferred), EIGRP, OSPF, tracking, IP SLA.
Here is a working "multiple spokes/hubs with multiple ISPs to multiple spokes/hubs with multiple ISPs" example (MSHWMI-2-MSHWMI :])
Techs used: DMVPN, IPsec, VRF, BGP (mostly for inter-VRF route redistribution (route leaking)) (you can also use some IGP routing and redistribute its routes with BGP inter-VRF only for zero-touch configuration).
Because BGP is the only routing protocol I used here, it is not "zero-touch" configurable, sorry. BGP - the best!
Thanks for the clarification!! I think you don't need to hide this address anymore ;-)
If the remote is using the wrong source address for tunnel 1, it's a bug.
Can you try the following on the remote:
- Configure another IPsec profile (with the same parameters as the first one) with a different name, and apply it to tunnel 1.
- Try the latest version.
When you have the issue, try clearing the SAs instead of rebooting (clear crypto isakmp sa and clear crypto sa).
You can debug IPsec with the following commands: debug crypto isakmp and debug crypto ipsec.
Run them before shutting down the primary link and see how the remote tries to build IPsec tunnel 1 and then clear all the SAs.
Who is 22.214.171.124?
The hub peer address is 126.96.36.199, so can you ping this address when the primary link is down?
Also it seems you can have IPsec tunnel 0 up, but not tunnel 0 and tunnel 1 at the same time. Verify you have the shared keyword on the hub router, as you are using the same source IP address for both IPsec tunnels.
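To put the two suggestions above into a concrete config (a separate IPsec profile per spoke tunnel, and the shared keyword on a hub that sources both tunnels from one public address), here is an added example. It is not taken from any post in this thread and is not the original poster's config; all interface names, addresses, tunnel keys and the pre-shared key are placeholders assumed for illustration.

```cisco
! Added example, not from the original thread. Addresses, interface
! names, tunnel keys and the PSK are assumed placeholders.
!
! ================= SPOKE (ship) =================
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! Two profiles with identical parameters but different names,
! one per tunnel, as suggested in the reply above.
crypto ipsec profile DMVPN-WIFI
 set transform-set TS-AES
crypto ipsec profile DMVPN-3G
 set transform-set TS-AES
!
! Tunnel0 rides the wireless ISP (Dialer1), Tunnel1 the 3G ISP
! (Cellular0). Different tunnel sources, so no "shared" needed here.
interface Tunnel0
 description Primary DMVPN over wireless
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication EXAMPLE
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-WIFI
!
interface Tunnel1
 description Backup DMVPN over 3G
 ip address 10.0.1.2 255.255.255.0
 ip nhrp authentication EXAMPLE
 ip nhrp map 10.0.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 2
 ip nhrp nhs 10.0.1.1
 tunnel source Cellular0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-3G
!
! ================= HUB =================
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set TS-AES
!
! Both hub tunnels use the same source (203.0.113.1 on Gi0/0), so
! they must carry the same profile with "shared" and distinct tunnel
! keys so GRE can tell the two tunnels apart.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication EXAMPLE
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 ip nhrp authentication EXAMPLE
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN shared
```

To reproduce the failover test from the earlier reply, start debug crypto isakmp and debug crypto ipsec on the spoke, shut the wireless interface, then check show crypto isakmp sa, show crypto ipsec sa and show dmvpn to confirm Tunnel1 comes up with Cellular0's address as its local peer. When the wireless link returns, clear crypto isakmp sa and clear crypto sa instead of reloading, and verify that both tunnels can hold SAs at the same time.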
This message means the IKE databases between the two routers are out of sync, but it should recover on its own.