Cisco Support Community

Dual hub dual cloud dmvpn using ospf and HA issue

Hi all,

I am configuring a dual-hub, dual-cloud DMVPN topology using OSPF. We have one L2 link and one L3 link at each hub, and each branch router has two L2 links and two L3 links for redundancy to achieve HA.

Attached is the configuration of the hubs and a spoke router. The problems I am facing are:

1> OSPF in the DMVPN cloud flaps every time the dead timer expires.

2> When the primary hub is shut down, the secondary hub takes over, but when the primary hub comes back, OSPF on the primary hub does not establish immediately (it takes a long time, even an hour).

Comments
Community Member

Dual hub dual cloud dmvpn using ospf .jpg

Community Member

Above is the topology diagram and following is the configuration.

HUB 1:-

--------------------------------

--------------------------------

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key CUST@#vpn4all address 0.0.0.0       

!

!

crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac

!

crypto ipsec profile CUST-PROFILE

set transform-set CUSTSET

!

!

interface Loopback0

description "LOOPBACK"

ip address 192.168.254.254 255.255.255.255

ip ospf 10 area 0

!        

interface Tunnel0

description "CUST-L2-TUNNEL"

bandwidth 4000

ip address 10.10.10.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100000

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 100

ip ospf 10 area 1

tunnel source 172.16.10.20

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

interface Tunnel1

description "CUST-L3-TUNNEL"

bandwidth 3000

ip address 10.10.11.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100001

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 200

ip ospf 10 area 1

tunnel source xxx.xxx.205.142

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

!

interface GigabitEthernet0/0

description "ISP L2"

ip address 172.16.10.20 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

description "ISP L3"

ip address xxx.xxx.205.142 255.255.255.0

duplex auto

speed auto

!

!

interface Vlan10

description "CUST-BTR-LAN"

ip address 172.16.16.3 255.255.255.248

ip ospf 10 area 0

vrrp 1 ip 172.16.16.1

vrrp 1 timers advertise 3

vrrp 1 timers learn

vrrp 1 priority 120

vrrp 1 authentication admin123

!

router ospf 10

router-id 192.168.254.254

area 1 stub no-summary

passive-interface default

no passive-interface Loopback0

no passive-interface Tunnel0

no passive-interface Tunnel1

no passive-interface Vlan10

!

ip forward-protocol nd

!

HUB 2:-

-------------------------------------------

-------------------------------------------

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key CUST@#vpn4all address 0.0.0.0       

!

!

crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac

!

crypto ipsec profile CUST-PROFILE

set transform-set CUSTSET

!

!

interface Loopback0

description "LOOPBACK"

ip address 192.168.254.253 255.255.255.255

ip ospf 10 area 0

!        

interface Tunnel2

description "CUST02-L2-TUNNEL"

bandwidth 2000

ip address 10.10.12.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100002

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 300

ip ospf 10 area 1

tunnel source 172.16.11.20

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

interface Tunnel3

description "CUST02-L3-TUNNEL"

bandwidth 1000

ip address 10.10.13.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100003

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 400

ip ospf 10 area 1

tunnel source xxx.xxx.217.239

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

interface GigabitEthernet0/0

description "ISP L2"

ip address 172.16.11.20 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

description "ISP L3"

ip address xxx.xxx.217.239 255.255.255.0

duplex auto

speed auto

!

!

interface Vlan10

description "CUST-BTR-LAN"

ip address 172.16.16.4 255.255.255.248

ip ospf 10 area 0

vrrp 1 ip 172.16.16.1

vrrp 1 timers advertise 3

vrrp 1 timers learn

vrrp 1 priority 110

vrrp 1 authentication admin123

!

router ospf 10

router-id 192.168.254.253

area 1 stub no-summary

passive-interface default

no passive-interface Loopback0

no passive-interface Tunnel2

no passive-interface Tunnel3

no passive-interface Vlan10

!

ip forward-protocol nd

!

SPOKE:-

-------------------------------------------------

-------------------------------------------------

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key CUST@#vpn4all address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac

!

crypto ipsec profile CUST_PROFILE

set transform-set CUSTSET

!

!

interface Loopback0

description "LOOPBACK"

ip address 192.168.254.246 255.255.255.255

ip ospf 10 area 1

!

interface Tunnel0

description ***L2-Tunnel***

bandwidth 4000

ip address 10.10.10.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.10.1 172.16.10.20

ip nhrp network-id 100000

ip nhrp holdtime 360

ip nhrp nhs 10.10.10.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 100

ip ospf 10 area 1

tunnel source 172.16.10.15

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

interface Tunnel1

description ***L3-Tunnel***

bandwidth 3000

ip address 10.10.11.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.11.1 xxx.xxx.205.142

ip nhrp network-id 100001

ip nhrp holdtime 360

ip nhrp nhs 10.10.11.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 200

ip ospf 10 area 1

tunnel source xxx.xx.43.184

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

interface Tunnel2

description ***L2-Tunnel 2ND***

bandwidth 2000

ip address 10.10.12.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.12.1 172.16.11.20

ip nhrp network-id 100002

ip nhrp holdtime 360

ip nhrp nhs 10.10.12.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 300

ip ospf 10 area 1

tunnel source 172.16.11.15

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

interface Tunnel3

description ***L3-Tunnel 2ND***

bandwidth 1000

ip address 10.10.13.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.13.1 xxx.xxx.217.239

ip nhrp network-id 100003

ip nhrp holdtime 360

ip nhrp nhs 10.10.13.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 400

ip ospf 10 area 1

tunnel source xxx.xxx.223.48

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

!

interface GigabitEthernet0/0

description "ISP L2"

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.1304

description "ISP L2 1ST"

encapsulation dot1Q 1304

ip address 172.16.10.15 255.255.255.0

no cdp enable

!

interface GigabitEthernet0/0.1305

description "ISP L2 2ND"

encapsulation dot1Q 1305

ip address 172.16.11.15 255.255.255.0

no cdp enable

!

interface GigabitEthernet0/1

description "ISP L3"

ip address xxx.xx.43.184 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/0/0

description "ISP L3 2ND"

ip address xxx.xxx.223.48 255.255.255.0

duplex auto

speed 100

!

interface GigabitEthernet0/1/0

description "CUSTSID LAN"

switchport access vlan 10

no ip address

!

!

interface Vlan10

description "CUSTSID LAN"

ip address 192.168.143.1 255.255.255.0

ip ospf 10 area 1

!

router ospf 10

router-id 192.168.254.246

area 1 stub no-summary

passive-interface default

no passive-interface Loopback0

no passive-interface Tunnel0

no passive-interface Tunnel1

no passive-interface Tunnel2

no passive-interface Tunnel3

no passive-interface Vlan10

!

ip forward-protocol nd

!

Community Member

Hi all,

I have identified the OSPF flap problem. The reason behind the flap was that the hubs were not replying to the multicast hellos sent by the spoke. This was solved by changing "ip nhrp map multicast dynamic" on the spoke to "ip nhrp map multicast hub-physical-ip-address".

The changes made on the spoke are:

!

int tun 0

no ip nhrp map multicast dynamic

ip nhrp map multicast 172.16.10.20

!

int tun 1

no ip nhrp map multicast dynamic

ip nhrp map multicast xxx.xxx.205.142

!

int tun 2

no ip nhrp map multicast dynamic

ip nhrp map multicast 172.16.11.20

!

int tun 3

no ip nhrp map multicast dynamic

ip nhrp map multicast xxx.xxx.217.239

!

But problem 2 is still there. Any suggestions and solutions are highly appreciated.

Community Member

Hi all,

The problem has been solved now by adding a crypto keepalive timer and if-state nhrp at the spokes. So the final working configuration is as follows. ENJOY!!!!!

HUB 1:-

--------------------------------

--------------------------------

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key CUST@#vpn4all address 0.0.0.0  

crypto isakmp keepalive 30 5    

!

!

crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile CUST-PROFILE

set transform-set CUSTSET

!

!

interface Loopback0

description "LOOPBACK"

ip address 192.168.254.254 255.255.255.255

ip ospf 10 area 0

!        

interface Tunnel0

description "CUST-L2-TUNNEL"

bandwidth 4000

ip address 10.10.10.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100000

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 100

ip ospf 10 area 1

tunnel source 172.16.10.20

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

interface Tunnel1

description "CUST-L3-TUNNEL"

bandwidth 3000

ip address 10.10.11.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100001

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 200

ip ospf 10 area 1

tunnel source xxx.xxx.205.142

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

!

interface GigabitEthernet0/0

description "ISP L2"

ip address 172.16.10.20 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

description "ISP L3"

ip address xxx.xxx.205.142 255.255.255.0

duplex auto

speed auto

!

!

interface Vlan10

description "CUST-BTR-LAN"

ip address 172.16.16.3 255.255.255.248

ip ospf 10 area 0

vrrp 1 ip 172.16.16.1

vrrp 1 timers advertise 3

vrrp 1 timers learn

vrrp 1 priority 120

vrrp 1 authentication admin123

!

router ospf 10

router-id 192.168.254.254

area 1 stub no-summary

passive-interface default

no passive-interface Loopback0

no passive-interface Tunnel0

no passive-interface Tunnel1

no passive-interface Vlan10

!

ip forward-protocol nd

!

HUB 2:-

-------------------------------------------

-------------------------------------------

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key CUST@#vpn4all address 0.0.0.0

crypto isakmp keepalive 30 5       

!

!

crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile CUST-PROFILE

set transform-set CUSTSET

!

!

interface Loopback0

description "LOOPBACK"

ip address 192.168.254.253 255.255.255.255

ip ospf 10 area 0

!        

interface Tunnel2

description "CUST02-L2-TUNNEL"

bandwidth 2000

ip address 10.10.12.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100002

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 300

ip ospf 10 area 1

tunnel source 172.16.11.20

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

interface Tunnel3

description "CUST02-L3-TUNNEL"

bandwidth 1000

ip address 10.10.13.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp network-id 100003

ip nhrp holdtime 360

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 400

ip ospf 10 area 1

tunnel source xxx.xxx.217.239

tunnel mode gre multipoint

tunnel protection ipsec profile CUST-PROFILE

!

interface GigabitEthernet0/0

description "ISP L2"

ip address 172.16.11.20 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

description "ISP L3"

ip address xxx.xxx.217.239 255.255.255.0

duplex auto

speed auto

!

!

interface Vlan10

description "CUST-BTR-LAN"

ip address 172.16.16.4 255.255.255.248

ip ospf 10 area 0

vrrp 1 ip 172.16.16.1

vrrp 1 timers advertise 3

vrrp 1 timers learn

vrrp 1 priority 110

vrrp 1 authentication admin123

!

router ospf 10

router-id 192.168.254.253

area 1 stub no-summary

passive-interface default

no passive-interface Loopback0

no passive-interface Tunnel2

no passive-interface Tunnel3

no passive-interface Vlan10

!

ip forward-protocol nd

!

SPOKE:-

-------------------------------------------------

-------------------------------------------------

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key CUST@#vpn4all address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 30 5

!

!

crypto ipsec transform-set CUSTSET esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile CUST_PROFILE

set transform-set CUSTSET

!

!

interface Loopback0

description "LOOPBACK"

ip address 192.168.254.246 255.255.255.255

ip ospf 10 area 1

!

interface Tunnel0

description ***L2-Tunnel***

bandwidth 4000

ip address 10.10.10.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.10.1 172.16.10.20

ip nhrp network-id 100000

ip nhrp holdtime 360

ip nhrp nhs 10.10.10.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 100

ip ospf 10 area 1

if-state nhrp

tunnel source 172.16.10.15

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

interface Tunnel1

description ***L3-Tunnel***

bandwidth 3000

ip address 10.10.11.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.11.1 xxx.xxx.205.142

ip nhrp network-id 100001

ip nhrp holdtime 360

ip nhrp nhs 10.10.11.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 200

ip ospf 10 area 1

if-state nhrp

tunnel source xxx.xx.43.184

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

interface Tunnel2

description ***L2-Tunnel 2ND***

bandwidth 2000

ip address 10.10.12.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.12.1 172.16.11.20

ip nhrp network-id 100002

ip nhrp holdtime 360

ip nhrp nhs 10.10.12.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 300

ip ospf 10 area 1

if-state nhrp

tunnel source 172.16.11.15

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

interface Tunnel3

description ***L3-Tunnel 2ND***

bandwidth 1000

ip address 10.10.13.7 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication CUSTVPN

ip nhrp map multicast dynamic

ip nhrp map 10.10.13.1 xxx.xxx.217.239

ip nhrp network-id 100003

ip nhrp holdtime 360

ip nhrp nhs 10.10.13.1

ip tcp adjust-mss 1360

ip ospf network point-to-multipoint

ip ospf cost 400

ip ospf 10 area 1

if-state nhrp

tunnel source xxx.xxx.223.48

tunnel mode gre multipoint

tunnel protection ipsec profile CUST_PROFILE

!

!

interface GigabitEthernet0/0

description "ISP L2"

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.1304

description "ISP L2 1ST"

encapsulation dot1Q 1304

ip address 172.16.10.15 255.255.255.0

no cdp enable

!

interface GigabitEthernet0/0.1305

description "ISP L2 2ND"

encapsulation dot1Q 1305

ip address 172.16.11.15 255.255.255.0

no cdp enable

!

interface GigabitEthernet0/1

description "ISP L3"

ip address xxx.xx.43.184 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/0/0

description "ISP L3 2ND"

ip address xxx.xxx.223.48 255.255.255.0

duplex auto

speed 100

!

interface GigabitEthernet0/1/0

description "CUSTSID LAN"

switchport access vlan 10

no ip address

!

!

interface Vlan10

description "CUSTSID LAN"

ip address 192.168.143.1 255.255.255.0

ip ospf 10 area 1

!

router ospf 10

router-id 192.168.254.246

area 1 stub no-summary

passive-interface default

no passive-interface Loopback0

no passive-interface Tunnel0

no passive-interface Tunnel1

no passive-interface Tunnel2

no passive-interface Tunnel3

no passive-interface Vlan10

!

ip forward-protocol nd

!
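
A lint for the spoke-side changes reported in this thread (a static multicast map to each hub's physical address, `crypto isakmp keepalive`, and `if-state nhrp` on every tunnel), as an added example that is not part of the original posts. The function name `audit_spoke` and both sample configs are constructed for illustration; the parser accepts indented or flattened IOS text.

```python
import re

# Constructed samples: one spoke tunnel in the style of the thread's configs,
# before and after the changes the posts describe.
BEFORE = """\
interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp map 10.10.10.1 172.16.10.20
 ip nhrp nhs 10.10.10.1
 tunnel mode gre multipoint
!
"""
AFTER = """\
crypto isakmp keepalive 30 5
!
interface Tunnel0
 ip nhrp map multicast 172.16.10.20
 ip nhrp map 10.10.10.1 172.16.10.20
 ip nhrp nhs 10.10.10.1
 if-state nhrp
 tunnel mode gre multipoint
!
"""

def audit_spoke(config):
    """Return findings (strings) for a DMVPN spoke configuration text."""
    findings = []
    if not re.search(r"^\s*crypto isakmp keepalive \d+", config, re.M):
        findings.append("global: no 'crypto isakmp keepalive' configured")
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif line.startswith("!") or line.split(" ")[0] in ("router", "crypto"):
            current = None          # end of the interface stanza
        elif line and current is not None:
            current.append(line)
    for name, cmds in stanzas.items():
        nhs = [c.split()[3] for c in cmds if c.startswith("ip nhrp nhs ")]
        if not nhs:
            continue                # not a spoke-side NHRP tunnel
        maps, mcast = {}, set()
        for c in cmds:
            m = re.fullmatch(r"ip nhrp map (\S+) (\S+)", c)
            if m and m.group(1) == "multicast":
                mcast.add(m.group(2))   # NBMA target (or 'dynamic')
            elif m:
                maps[m.group(1)] = m.group(2)   # tunnel IP -> NBMA IP
        for server in nhs:
            nbma = maps.get(server)
            if nbma is None or nbma not in mcast:
                findings.append(f"{name}: no static multicast map to NHS {server}")
        if "if-state nhrp" not in cmds:
            findings.append(f"{name}: 'if-state nhrp' missing")
    return findings
```
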
