DMVPN Spoke failover

jayhawk11
Level 1

All,

I am trying to implement a spoke failover into a DMVPN setup and it is taking an unacceptable 10 minutes. I am currently using a Cisco 2821 with an AIM VPN card as the hub router and Cisco 831s as the spoke routers.

Instead of using two ISP connections, I'm trying to get this working with a Peplink Balance WAN failover. Some of my end sites are way off in the boonies and will be using a wireless USB card as a backup ISP connection - something the Peplink supports. So far the Peplink is working the way it should: the main connection will failover to the secondary connection; the primary will take back over once it re-establishes itself.

The problem I'm having is with the DMVPN reconverging. Here's what I've tried and what I've noticed:

After the Peplink switches to a different provider, the spoke command, "show crypto session", shows that the IPsec tunnel will not relinquish to the new "Active" ISAKMP tunnel. These are on two different ports.

Interface: Tunnel1
Session status: DOWN
Peer: 24.1xx.1x.1xx port 500
  IPSEC FLOW: permit 47 host 192.168.2.2 host 24.124.17.129
        Active SAs: 0, origin: crypto map

Interface: Tunnel1
Session status: UP-IDLE
Peer: 24.124.17.129 port 4500
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Active
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Inactive

This problem clears up after 10 minutes. This seems to correspond with the NHRP configuration. The expiration of an "ip nhrp detail" is also 10 minutes. This results in the following on the spoke:

Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 24.1xx.1x.1xx port 4500
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Active
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Inactive
  IPSEC FLOW: permit 47 host 192.168.2.2 host 24.1xx.1x.1xx
        Active SAs: 2, origin: crypto map

I've tried the following modifications without any luck:

I changed the "ip nhrp registration no-unique"

I changed the "ip nhrp holdtime 15"

Right now we do not have an elegant solution for two diverse, non-3G/cellular ISP connections, or else I would upgrade to the 1841s and set up two tunnels to the hub.

I've been really impressed with the DMVPN technology, so I'm hoping there's a way I can design the functionality that I'm looking for. Any help that you can offer is greatly appreciated!

Thanks!

-Mike

1 Reply

jayhawk11
Level 1

All,

I was able to figure out the previous issue. I had to wait to get a duplicate environment setup before testing a very simple change - go figure.

The line to add to each router is:

crypto isakmp keepalive 10 periodic

This enables dead peer detection on both sides of the link. This decreased the downtime from 10 minutes to 30 seconds with the Peplink Balance 30 product.

If you continually run

show ip nhrp detail

you'll see the ISAKMP session clear after 20-25 seconds. Within another 5 seconds or so you'll see the session startup again.

Hope this helps!

-Mike
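For readers who want to see where the keepalive line sits relative to the NHRP settings the original post experimented with, here is a complete spoke tunnel configuration in IOS syntax. This is an added example, not the poster's configuration or Cisco's reference config: the tunnel addressing, NHRP key, holdtime, transform set names and the WAN interface name are assumptions, and HUB_PUBLIC_IP is a placeholder for the hub's real address. Only the `crypto isakmp keepalive 10 periodic` line comes from the reply above; as the reply says, the same line also belongs on the hub.

```cisco
! Spoke (Cisco 831-class router) DMVPN tunnel with IKE dead peer detection.
! Added example, not the poster's configuration. Addresses, names and the
! WAN interface are assumptions; HUB_PUBLIC_IP and REPLACE_WITH_PSK are placeholders.
!
! Phase 1: IKE policy and pre-shared key. The wildcard peer address lets the
! hub accept the spoke from whichever ISP address the Peplink currently presents.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PSK address 0.0.0.0 0.0.0.0
!
! Dead peer detection (the fix from the reply): probe the peer every 10 s with
! R-U-THERE messages, retries at the 2 s default. When the peer stops answering,
! the IKE SA and the IPsec SAs under it are torn down rather than lingering
! until their lifetime expires, so a new SA can be built from the new WAN address.
crypto isakmp keepalive 10 periodic
!
! Phase 2: transport-mode transform set and the IPsec profile applied to the tunnel.
! Transport mode works behind the Peplink because NAT-T (UDP 4500, seen in the
! "show crypto session" output above) carries the ESP traffic.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! mGRE tunnel. The NHRP holdtime and no-unique registration are the knobs the
! original post tried; they govern NHRP cache aging and re-registration from a
! changed address, not the liveness of an already-established IPsec session.
interface Tunnel1
 ip address 10.255.0.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.255.0.1 HUB_PUBLIC_IP
 ip nhrp map multicast HUB_PUBLIC_IP
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip nhrp holdtime 300
 ip nhrp registration no-unique
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
```

To confirm DPD is active after applying the change, `show crypto isakmp sa detail` lists the SA state and `show crypto session` should show only one Active IKE SA toward the hub once the old-ISP session has been cleared; `debug crypto isakmp` on a lab spoke will show the R-U-THERE / R-U-THERE-ACK exchange every 10 s.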
