DMVPN and DPD

Jun 5th, 2010

We are implementing IPsec in all branches. For IPsec we are using Dynamic Multipoint VPN (DMVPN), in which all remote branches initiate IPsec and ISAKMP negotiation whenever Finacle interesting traffic hits the router, and it successfully creates the Phase 1 and Phase 2 sessions.


For DPD we are using on-demand polling, i.e. whenever traffic comes, the other side's availability is checked.


This creates a problem when the link goes down at the remote end: the core end checks availability and clears the session, but at the remote end the crypto interface goes down and doesn't clear the session. When the link comes up, the session remains on the remote end but has been cleared at the core end, due to which the branch is not able to work. We have to execute clear crypto session / clear crypto isakmp at the remote end to renegotiate the crypto session. To rectify the issue we are putting the invalid-spi-recovery command on both the remote and core ends.


But the issue still persists: the session remains on one end and is cleared at the other. The second issue is that the branch is not able to work whenever it is working on the backup interface, which doesn't have the crypto map command.


To resolve these issues we are thinking of implementing periodic polling at both the core and remote ends:

crypto isakmp keepalive 60 periodic


We have a 7206VXR with SA-VAM2+ at the core and Cisco 1841s at the remote end, around 2700 branches.


Kindly advise us:

1) Is periodic polling feasible for 2700 branches, i.e. is it not CPU intensive?

2) What would be a suitable approximate polling frequency?

3) Can we start periodic polling on the core and then move to the remote branches branch by branch, i.e. is it unidirectional?


Marcin Latosiewicz (Cisco Employee) Sat, 06/05/2010 - 02:14

ad 1. Periodic DPD will be more CPU intensive than on-demand. But I have not seen high CPU due to them unless debugging was turned on and the timer was very aggressive (10-15 seconds).


ad 2. 30 seconds is a very good interval. I would honestly go further down only if there is some sort of SLA and IPsec is the deciding factor.


ad 3. Yes, you can do it. However, based on your scenario I would leave on-demand DPDs on the core and enable them on the branches.



On a higher level: invalid-SPI recovery is the way to go.


The problem itself is a bit funky: if line protocol goes down on the interface we have in "tunnel source", I would also expect some reaction from the crypto subsystem. Can you share your configuration for the tunnel interface of one of the branches, and the software version?


Marcin
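As an added illustration (not configuration from the original thread or from either poster), here is how the two settings discussed above could be laid out on a hub and a spoke, following the reply's recommendation: on-demand DPD kept on the core, periodic DPD at 30 seconds on the branches, and invalid-SPI recovery on both ends. Addresses (RFC 5737 documentation ranges), interface names, the pre-shared key, the NHRP key and the tunnel key are placeholders chosen for the example.

```cisco-ios
! ===== Hub (7206VXR, core) -- example values, not the poster's config =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Wildcard PSK so any spoke can bring up Phase 1 (placeholder key)
crypto isakmp key DMVPN-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
! On-demand DPD on the core: the hub only sends R-U-THERE when it has
! outbound traffic for a peer that has gone quiet. Spokes will do the
! periodic probing, so the hub mostly just answers them.
crypto isakmp keepalive 30 3 on-demand
! If an ESP packet arrives with an SPI this router no longer has, notify the
! sender (bringing up an IKE SA to do so if needed) so the stale SA on that
! side is torn down and renegotiated instead of being left to time out.
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface GigabitEthernet0/1
 description WAN (hub public side)
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.1 255.255.0.0
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF

! ===== Spoke (Cisco 1841, one branch) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DMVPN-PSK-PLACEHOLDER address 192.0.2.1
! Periodic DPD on the branch: R-U-THERE every 30 s regardless of traffic,
! retried every 3 s when unanswered; once the retries fail the spoke deletes
! its own IKE and IPsec SAs, so it is never left holding a session the hub
! already cleared.
crypto isakmp keepalive 30 3 periodic
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface FastEthernet0/0
 description WAN (branch public side)
 ip address 198.51.100.2 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.2 255.255.0.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF

! ----- Checks to run on both ends after a WAN flap -----
! show crypto isakmp sa          -- Phase 1 state; both sides should agree
! show crypto session detail     -- per-peer IKE/IPsec status and uptime
! show crypto ipsec sa | include spi   -- SPIs should match on both ends
! show dmvpn                     -- NHRP registration from the spoke
! clear crypto session remote 198.51.100.2   -- manual fallback only
```

Roll the spoke side out branch by branch, as asked in question 3: with periodic DPD only on the spokes, the hub is the responder and the load it sees is the aggregate of the spoke timers, roughly 2700 / 30 s, i.e. about 90 R-U-THERE exchanges per second, which is why the reply keeps the core on-demand rather than probing all 2700 peers itself. One caveat on the backup-interface question: in this layout encryption is bound to the tunnel interface through tunnel protection, not to a crypto map on a physical interface, so whether the tunnel survives a failover depends on what the tunnel source resolves to at that moment, which is exactly what the reply is asking to see in the branch configuration.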
