08-03-2010 12:29 AM - edited 02-21-2020 04:46 PM
Hello experts,

Our client has 40 branch offices with Cisco 1841 routers connected to the head office (hub) with two Cisco 3845 routers. Every branch has two different connections to the hub: one through fiber optic, the other through point-to-multipoint E1 leased lines. One of the hub routers is connected to the leased lines with E1s, the other is connected to the fiber optic. We use DMVPN with IPsec on the fiber backbone, and for redundancy we use OSPF. Below you can see the DMVPN configurations.

The problem is that after the configuration everything goes well, but after a day or less, suddenly all traffic on the tunnel interfaces is disconnected. After removing the Tunnel1 interfaces and configuring them again with the same configuration as before, everything works well again, but just for one day. I also disconnected 38 branches from the fiber optic, but the problem still exists. Do you have any idea about the situation? I'm thinking about migrating to point-to-point tunnel interfaces!
HUB
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key **** address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20 3
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile dmvpnprofile
set transform-set trans2
interface Tunnel1
description connection to spokes
bandwidth 10000
ip address 172.31.8.1 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication *****
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source 172.31.0.1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprofile
!
interface Loopback0
ip address 172.31.12.2 255.255.255.255
!
interface GigabitEthernet0/0
description lan connected
ip address 172.30.0.2 255.255.255.240
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Fiber Optic Backbone
ip address 172.16.253.10 255.255.255.0 secondary
ip address 172.31.0.1 255.255.255.0 secondary
ip address 172.20.26.1 255.255.0.0
duplex half
speed auto
media-type rj45
no cdp enable
!
router ospf 10
log-adjacency-changes
redistribute connected subnets
redistribute static metric-type 1 subnets
network 172.30.0.0 0.0.0.15 area 0
network 172.31.8.0 0.0.0.255 area 0
network 172.31.12.2 0.0.0.0 area 0
default-information originate
!
router rip
version 2
network 172.20.0.0
network 192.168.1.0
network 192.168.25.0
network 192.168.30.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.254.1
.
.
.
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ***** address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile dmvpnprofile
set transform-set trans2
!
!
!
!
interface Loopback0
ip address 172.31.12.29 255.255.255.255
!
interface Tunnel1
description connection to hub
bandwidth 10000
ip address 172.31.8.29 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication *****
ip nhrp map multicast 172.31.0.1
ip nhrp map 172.31.8.1 172.31.0.1
ip nhrp network-id 100000
ip nhrp nhs 172.31.8.1
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprofile
!
interface FastEthernet0/0
ip address 192.168.36.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description fiber optic interface
ip address 172.31.0.29 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.31.4.70 255.255.255.252
encapsulation ppp
load-interval 30
no fair-queue
.
.
.
router ospf 10
log-adjacency-changes
network 172.31.4.70 0.0.0.0 area 0
network 172.31.8.0 0.0.0.255 area 0
network 172.31.12.29 0.0.0.0 area 0
network 192.168.36.0 0.0.0.255 area 2
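Before going to debugs, it is worth confirming that the hub and spoke tunnel parameters actually agree, since most DMVPN outages that survive a "clear crypto session" come down to one end differing from the other. The following is an added example for this page, not the poster's or Cisco's code: a small Python parser for IOS-style running-config text that cross-checks the values DMVPN needs to match on both ends (tunnel key, NHRP network-id and authentication string, ip mtu, OSPF network type), resolves the spoke's NHS and NHRP map against the hub's tunnel address and tunnel source, and verifies that each "tunnel protection" profile reaches a defined transform-set. The embedded configs are constructed to mirror the thread's hub and spoke; the NHRP string is a placeholder and the hub profile carries a deliberately injected missing-space typo so the checker has something to report.

```python
"""Cross-check the DMVPN parameters a hub and a spoke must agree on.
Added example for this page, not the poster's or Cisco's code: parses
IOS-style running-config text and reports mismatches between the two ends."""
import re

def parse_ios(text):
    """Map each top-level config line to its indented child lines (running-config layout)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            current = None
        elif raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def child(lines, prefix):
    """Remainder of the first child line starting with prefix, or None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None

def tunnel_source(cfg, tun):
    """'tunnel source' as a set of addresses: a literal IP, or every address on the named interface."""
    src = child(tun, "tunnel source ") or ""
    if re.fullmatch(r"\d+(\.\d+){3}", src):
        return {src}
    iface = cfg.get("interface " + src, [])
    return {l.split()[2] for l in iface if l.startswith("ip address ")}

def ipsec_chain_error(cfg, profile):
    """None if 'tunnel protection ipsec profile X' reaches a defined transform-set."""
    prof = cfg.get("crypto ipsec profile " + profile)
    if prof is None:
        return f"ipsec profile {profile} is not defined"
    ts = child(prof, "set transform-set ")
    if ts is None:
        return f"ipsec profile {profile} has no valid 'set transform-set' line"
    if not any(h.startswith(f"crypto ipsec transform-set {ts} ") for h in cfg):
        return f"transform-set {ts} used by profile {profile} is not defined"
    return None

# Values that must be identical on both ends of a DMVPN tunnel.
MUST_MATCH = ("tunnel key ", "ip nhrp network-id ", "ip nhrp authentication ",
              "ip mtu ", "ip ospf network ")

def check_dmvpn(hub_text, spoke_text, tun="interface Tunnel1"):
    """Findings for one hub/spoke pair; an empty list means the pair is consistent."""
    hub, spoke = parse_ios(hub_text), parse_ios(spoke_text)
    h, s = hub[tun], spoke[tun]
    findings = [f"{k.strip()} differs: hub={child(h, k)!r} spoke={child(s, k)!r}"
                for k in MUST_MATCH if child(h, k) != child(s, k)]
    hub_ip, hub_src = child(h, "ip address ").split()[0], tunnel_source(hub, h)
    if child(s, "ip nhrp nhs ") != hub_ip:
        findings.append(f"spoke NHS {child(s, 'ip nhrp nhs ')} is not hub tunnel address {hub_ip}")
    for m in (re.fullmatch(r"ip nhrp map (\S+) (\S+)", l) for l in s):
        # Static map must point the hub's tunnel address at one of the hub's tunnel source addresses.
        if m and m.group(1) != "multicast" and (m.group(1), m.group(2)) not in {(hub_ip, a) for a in hub_src}:
            findings.append(f"spoke NHRP map {m.group(1)} -> {m.group(2)} does not match hub {hub_ip} -> {sorted(hub_src)}")
    for name, cfg, t in (("hub", hub, h), ("spoke", spoke, s)):
        prof = child(t, "tunnel protection ipsec profile ")
        err = "tunnel has no 'tunnel protection'" if prof is None else ipsec_chain_error(cfg, prof)
        if err:
            findings.append(f"{name}: {err}")
    return findings

# Constructed configs mirroring the thread's hub and spoke (NHRP string is a
# placeholder; the hub carries a deliberately injected missing-space typo).
HUB = """\
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
crypto ipsec profile dmvpnprofile
 set transform-settrans2
interface Tunnel1
 ip address 172.31.8.1 255.255.255.0
 ip mtu 1436
 ip nhrp authentication PLACEHOLDER
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip ospf network broadcast
 tunnel source 172.31.0.1
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprofile
"""
SPOKE = """\
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
crypto ipsec profile dmvpnprofile
 set transform-set trans2
interface Tunnel1
 ip address 172.31.8.29 255.255.255.0
 ip mtu 1436
 ip nhrp authentication PLACEHOLDER
 ip nhrp map multicast 172.31.0.1
 ip nhrp map 172.31.8.1 172.31.0.1
 ip nhrp network-id 100000
 ip nhrp nhs 172.31.8.1
 ip ospf network broadcast
 tunnel source FastEthernet0/1
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprofile
"""
```

Run `check_dmvpn(HUB, SPOKE)` and it reports only the hub's broken profile line; fix that line and the list is empty, while changing one end's tunnel key or NHRP network-id produces a "differs" finding. The parser relies on running-config indentation, so feed it "show running-config" output rather than a hand-flattened paste.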
08-03-2010 01:27 AM
Just wanted to know why you are using the secondary IP as the tunnel source. Why not the primary physical interface IP?
Can you try using 172.20.26.1 on the hub as the tunnel source?
08-03-2010 01:33 AM
Because they have some other connections on the fiber backbone, and I designed the 172.31.28.0 subnet for tunnels. I also tried this configuration on lab routers, I mean with secondary IP addresses, and there was no problem!
08-03-2010 06:17 AM
Can you collect some debugs when the DMVPN stops working? Collect them on the spoke and the hub and use
Also, when this happens again, try clearing the tunnels instead of removing the tunnel config and putting it back. You can also try shut and no shut on the tunnel interface.
08-03-2010 01:16 PM
Hi,
I must remove the tunnel and configure it again; shut and no shut had no effect at all. I've also used the clear crypto session and clear ip nhrp commands, but they had no effect. For debugging purposes, I don't know exactly when the tunnel will stop working so that I can issue the debug commands. Any idea?
08-03-2010 11:49 PM
Do you see any pattern as to approximately what time the tunnel goes down?
Also, collect the debugs before you wipe the tunnel config and put it back. That should be good enough, as it will tell what's happening.
08-06-2010 01:19 PM
Hi jathaval,
As our clients complained about their link inefficiency and lack of bandwidth, I had to change the tunnel types to point-to-point GRE + IPsec tunnels, and I removed the NHRP configuration completely. Until now (3 days have passed) they haven't had any problems. Have you ever seen this kind of problem with DMVPNs? Does scale matter to DMVPN tunnels?
Thanks
08-08-2010 10:30 AM
Hi,
Even with point-to-point GRE + IPsec tunnels we got the exact same problem again: on the spokes OSPF couldn't form adjacencies, they were stuck in the INIT state. But when I removed "tunnel protection ipsec profile dmvpnprofile" from the tunnels, shut them down and brought them back up, everything worked well on the spokes!!! Is there anything related to IPsec? What debugging commands do you suggest?
08-08-2010 10:11 PM
Try the following:
debug crypto isakmp
debug crypto ipsec
debug crypto socket
08-16-2010 09:55 AM
Hi Jathaval,
In the attachment I ran the debug commands that you suggested and captured the results.
08-17-2010 05:38 AM
Try changing your MTU to 1400 and use ip tcp adjust-mss 1360, both on the tunnel interface; we had a similar problem in the past. Then, if your packet can't get fragmented, just clear the DF bit. Don't you need a tunnel destination as well? I'm pretty sure your multicast statement in the tunnel takes care of that, but try the tunnel destination instead.
Also, you might want your site to be considered a stub by your routing protocol.
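The reason 1400/1360 is the usual recommendation rather than something closer to 1476 is that the ESP overhead is not a constant: AES-CBC pads the GRE packet out to a 16-byte boundary, so the encrypted size grows in steps. The following is an added example, not from the thread or from Cisco, that computes the wire size of a GRE-over-IPsec packet with esp-aes esp-sha-hmac in transport mode (as in the configs above, with a tunnel key present) and derives the largest tunnel "ip mtu" that keeps the encrypted packet inside a 1500-byte link, plus the matching "ip tcp adjust-mss". Header sizes follow RFC 4303 (ESP), RFC 2890 (GRE key) and RFC 3602 (AES-CBC); the 1500-byte link MTU is an assumption.

```python
"""Wire size of GRE-over-IPsec (ESP, AES-CBC, HMAC-SHA1-96) and the largest
tunnel 'ip mtu' / 'ip tcp adjust-mss' that fits a given link MTU.
Added example for this page; not Cisco's or the poster's code."""

IPV4_HEADER = 20
GRE_HEADER = 4       # flags/version + protocol type
GRE_KEY = 4          # added by 'tunnel key' (RFC 2890)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_CBC_IV = 16      # one AES block of IV (RFC 3602)
AES_BLOCK = 16       # plaintext + trailer is padded to this boundary
ESP_TRAILER = 2      # pad length (1) + next header (1)
SHA1_96_ICV = 12     # esp-sha-hmac truncates HMAC-SHA1 to 96 bits

def esp_wire_size(inner_len, mode="transport", tunnel_key=True):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes carried in
    GRE and protected by ESP.  In transport mode the GRE delivery header is the
    outer header; tunnel mode encrypts it and adds a new outer header."""
    plaintext = GRE_HEADER + (GRE_KEY if tunnel_key else 0) + inner_len
    if mode == "tunnel":
        plaintext += IPV4_HEADER          # delivery header becomes part of the payload
    padded = -(-(plaintext + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK   # ceil to block size
    return IPV4_HEADER + ESP_HEADER + AES_CBC_IV + padded + SHA1_96_ICV

def max_inner_mtu(link_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose encrypted packet still fits link_mtu (assumed 1500)."""
    mtu = link_mtu
    while esp_wire_size(mtu, **kw) > link_mtu:
        mtu -= 1
    return mtu

def tcp_mss_for(ip_mtu):
    """'ip tcp adjust-mss' value: tunnel ip mtu minus IPv4 (20) and TCP (20) headers."""
    return ip_mtu - 2 * IPV4_HEADER

if __name__ == "__main__":
    for m in (1476, 1436, 1400):
        print(f"ip mtu {m}: {esp_wire_size(m)} bytes on the wire")
    print("largest ip mtu that fits a 1500-byte link:", max_inner_mtu())
    print("adjust-mss for ip mtu 1400:", tcp_mss_for(1400))
```

With a tunnel key present, ip mtu 1436 yields 1512-byte ESP packets, 12 bytes over a 1500-byte link, so every full-size packet has to be fragmented after encryption; 1400 yields 1480 bytes and leaves margin below the 1430 ceiling, and 1360 is simply 1400 minus the IPv4 and TCP headers. The calculation does not account for GRE checksum or sequence options, nor for any extra encapsulation on the underlay.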
08-18-2010 12:26 AM
Hi Fred,
I tried your suggestions, but the problem still exists...
Thanks
08-18-2010 02:41 AM
Hi
I would like you to check the following things on your hub and spoke
I would also suggest terminating half of your point-to-point lines on one router and the rest on the second, and configuring your point-to-multipoint links the same way. This will give you resiliency in the event that one of the boxes fails completely.
Cheers
Deepak Khemani
08-24-2010 09:22 PM
Hi guys,
The problem was solved by upgrading the IOS version to c3845-adventerprisek9-mz.124-17.bin. I think it was some kind of bug in IOS version 123-11.T2.
Thanks anyway,