DMVPN with EIGRP routing issue

Unanswered Question
Aug 17th, 2010

Hello,

We have DMVPN in hub-n-spoke model.  Hub has redundant Internet connections, a T1 and cable.  Some of the remotes also have redundant Internet access, a primary and backup.

Tunnel 10 on hub and spokes is used for backup. Tunnel 20 is used as primary. Spokes are configured to prefer routes they learned from tunnel 20. When tunnel 20 is up on both sides, all works well.

However, when we take down tunnel 20 on a spoke, I see NHRP, NHS, and EIGRP relationships as they should be. Routing table on the spoke is populated using routes learned over tunnel 10 and routing between two routers, hub and spoke, is in place.

Each router has a switch connected. Problem is we can no longer get to the far end switch over tunnel 10. Debugging shows that the switch connected to the hub router receives and replies to pings from the switch at the spoke site, but the replies do not make their way back. Echo-replies are forwarded from hub switch to hub router but they never make their way back to the spoke switch.

Any ideas?

Thanks,

Paresh.

Lei Tian Tue, 08/17/2010 - 20:26

Hi Paresh,

Does the hub side learn the spoke's network via tunnel 10 after shutting down the spoke's tunnel 20?

HTH,

Lei Tian

pkpatel Tue, 08/17/2010 - 20:28

Hi Lei Tian,

Yes hub does learn routes to spoke over tunnel 10.

Thanks,

Paresh.

Lei Tian Tue, 08/17/2010 - 20:40

Then the spoke router should be able to receive it via tunnel 10. Will it work if you ping from the spoke router and source from the interface connecting the switch? Do you see any problem with the number of packets being encrypted and decrypted?

HTH,

Lei Tian

pkpatel Wed, 08/18/2010 - 08:39

Hello Lei Tian,

IPSec does not drop any packets either. When I ping from remote switch or interface on spoke router that connects to switch, I can ping hub router and hub router's interfaces that connect to hub switch.

Thanks,

Paresh.

Lei Tian Wed, 08/18/2010 - 09:13

Hi Paresh,

To make it easier, let's draw a simple diagram. So, you are able to ping 2.2.2.1 from 1.1.1.1, but not 2.2.2.2 from 1.1.1.1? Can you post the output of "show ip route" and "show cry ipsec sa" from hub router?

     hub_sw
    (2.2.2.2)
        |
        |
    (2.2.2.1)
   hub_router
        |
        |
     Internet
        |
        |
  Spoke_router
    (1.1.1.1)
        |
        |
    (1.1.1.2)
     Spoke_sw

HTH,

Lei Tian
