
Dual DMVPN Layout - Routing and tunnel issue

gauthier
Level 1

Good day,

We have set up a single DMVPN layout. This did work well at the time. Since we didn't have any flexibility in managing priority routing (using bandwidth for EIGRP), we decided to migrate to a dual DMVPN layout.

With this, we have issues. It either doesn't bring up both tunnels (see below for the configuration), or only the first one gets connected correctly.

After research I tried using the tunnel destination configuration instead of the dynamic mapping at the spoke locations.

This does eliminate the confusion of tunnels. Tunnels do come up and routing becomes up to speed. The problem with this is that we lose the dynamic feature between spoke locations. No tunnels are built directly spoke to spoke when required... which is why we needed DMVPN in the beginning.

By the way we use version 12.3.6 (2600XM and 7200)

Does anyone have some input on how I could get a dual DMVPN layout working correctly and keep the spoke-to-spoke tunneling feature?

Take note that we need to be able to prioritise routing (EIGRP) at the spoke locations going to the hubs.

I did look everywhere I could on the Cisco site, but I cannot find anything that solves my issues.

See attachment for the configs.

23 Replies

I had a problem with having an mGRE tunnel and a p2p GRE tunnel and found that there is a "shared" keyword on the tunnel protection command you apply to the tunnel interface:

tunnel protection ipsec profile <profile-name> shared

This allows the other tunnel to be created without associating itself with the first tunnel. Without the shared option, when I did a "show crypto sockets", I saw the p2p GRE tunnel trying to originate itself with the mGRE tunnel. Worth a try; it worked for me.

Also, I would just use the delay on the interface to set preferred routes.

From CCO:

Using AD is less preferable than the others; it can increase the potential for routing loops, for the following reasons:

Administrative distance is generally used to determine by which method a route was learned. If set incorrectly, the individual router could choose a redistributed route over the actual best path.

Administrative distance is not propagated to other routers. Routing protocols rely on the fact that all routers will choose the same path given the same set of parameters. Altering parameters on a single router can lead to routing loops.
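A spoke configuration that applies the two suggestions in the reply above: the "shared" keyword so that both mGRE tunnels, sourced from the same physical address and using the same IPsec profile, can both attach to the IPsec SA toward a hub instead of fighting over it, and interface delay rather than administrative distance to make EIGRP prefer hub 1. This is an added example, not the configuration from the original post or its attachment; the hub addresses, tunnel subnets, profile names, NHRP IDs and pre-shared key are placeholders, and the ISAKMP keepalive values are the 10/5 pair one of the replies in this thread reports using.

```ios
! Spoke in a dual-DMVPN layout: two mGRE tunnels, one per hub, from the
! same physical source interface. Added example; every name, address and
! key below is a placeholder, not taken from the thread's attachments.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Wildcard pre-shared key: spokes need to bring up IKE with other spokes
! whose address they do not know in advance (spoke-to-spoke tunnels).
! Every peer holds the same secret, so prefer certificates where possible.
crypto isakmp key SPOKE-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
! ISAKMP keepalive (dead peer detection): 10 s interval, 5 s retry.
crypto isakmp keepalive 10 5
!
crypto ipsec transform-set DMVPN-TS esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Cloud 1, hub 1. Lower delay gives this path the better EIGRP metric,
! so routes learned over Tunnel0 win over the same routes from Tunnel1.
interface Tunnel0
 description DMVPN cloud 1 (hub 1 at 198.51.100.1)
 bandwidth 1000
 delay 1000
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUD1
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100001
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile DMVPN-PROF shared
!
! Cloud 2, hub 2. Same tunnel source and same IPsec profile as Tunnel0:
! the distinct tunnel key is what keeps the two GRE tunnels apart on the
! wire, and "shared" is what lets both interfaces use one IPsec SA pair
! per peer instead of the second tunnel being refused.
interface Tunnel1
 description DMVPN cloud 2 (hub 2 at 198.51.100.5)
 bandwidth 1000
 delay 1500
 ip address 10.0.1.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUD2
 ip nhrp map 10.0.1.1 198.51.100.5
 ip nhrp map multicast 198.51.100.5
 ip nhrp network-id 100002
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100002
 tunnel protection ipsec profile DMVPN-PROF shared
!
! Both tunnel subnets plus the spoke LAN go into EIGRP; no AD tricks.
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.11.0 0.0.0.255
 no auto-summary
```

EIGRP adds the delay of the interface a route is received on, so the spoke's delay values only shape the spoke's view of the hubs; give the hubs the same ordering (lower delay on hub 1's tunnel, higher on hub 2's) so the hub-to-spoke direction prefers the same cloud and traffic stays symmetric. To check that the second tunnel is no longer colliding with the first, look at "show crypto sockets" (one socket per hub peer, with both tunnel interfaces listed against it rather than one of them stuck in an open-pending state), then "show ip nhrp" for registrations on both clouds and "show ip eigrp topology" to confirm the Tunnel0 path is the successor.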

Just wondering, could you share your configuration? Thanks. Do any of you use ISAKMP keepalives and tunnel keepalives in your setup? If so, what values do you use? I'm only using ISAKMP keepalives because of some problems with tunnel drops not being detected at the hub.

I'm using 12.2.15T11 and it doesn't have the shared parameter, and I'm not keen on upgrading due to some earlier problems I had with 12.3.6 where ALL the tunnels started to drop.

I have 12.3.6a running on about 20 2621XMs and my hub 7204 and haven't had any problems. I have AIM-VPN modules and earlier code was causing routers to reload.

My keepalives are set to 10 and 5. Kind of frequent, but it works for me. I'm using them because when I reloaded the hub, it took forever for tunnels to time out and come back up.

Attached are the tunnel configs off the hub and spoke.

Thanks. What keepalives are you using? I'm only doing ISAKMP keepalives 20 10, but I'm wondering if I should adjust these further, and I'm also exploring tunnel keepalives and IPsec keepalives.

I'm using 12.2.13T; I tried to upgrade to 12.2.15T and encountered a SegV problem every 10-15 minutes. The shared keyword isn't available in the 12.2.15T versions.

Are you doing dual hub? That's something that I need to look at.

I'm just using ISAKMP keepalives set at 10 5, no GRE keepalives. 20 10 is fine; it just takes a little longer to tear down tunnels. Had a bunch of SegV problems also when I first implemented it. I was on 12.3.5.7T interim code, then went to 12.3.6a. Haven't run into any problems yet, knock knock.

I have a dual hub in a single DMVPN layout just for redundancy. Didn't see a need for a dual layout unless I wanted to load balance sites across different tunnels.

I've tried 12.3.6a and the tunnels all drop after a while and don't establish when I turn on mGRE at the spoke. This is the same even though I'm using a single hub. I checked the bug tracker and it suggests that this is due to asymmetric routing, but I'm only using a single hub. "show crypto isakmp sa" shows nothing and tunnels aren't established. Routes don't show up in the routing table.

I'm using 1721 at the spoke. 12.3.6a at the hub works fine. Are you using EIGRP ?

New document from Cisco available:

Dynamic Multipoint VPN Spoke-to-Spoke Functionality Technical Presentation (PDF)

May/2004

http://www.cisco.com/warp/public/732/Tech/security/

http://www.cisco.com/warp/public/732/Tech/security/ipsec/docs/dmvpntechnical.pdf

It's a new presentation, but it doesn't seem to have any new information.

What is interesting is that it appears to suggest that DMVPN spoke-to-spoke is only possible with 12.3.8T, but nothing says what has changed to make it possible. Does anybody know anything about this?