I am trying to implement a spoke failover into a DMVPN setup and it is taking an unacceptable 10 minutes. I am currently using a Cisco 2821 with an AIM VPN card as the hub router and Cisco 831s as the spoke routers.
Instead of using two ISP connections, I'm trying to get this working with a Peplink Balance WAN failover. Some of my end sites are way off in the boonies and will be using a wireless USB card as a backup ISP connection - something the Peplink supports. So far the Peplink is working the way it should: the main connection will failover to the secondary connection; the primary will take back over once it re-establishes itself.
The problem I'm having is with the DMVPN reconverging. Here's what I've tried and what I've noticed:
After the Peplink switches to a different provider, the spoke command, "show crypto session", shows that the IPsec tunnel will not relinquish to the new "Active" ISAKMP tunnel. These are on two different ports.
Interface: Tunnel1
Session status: DOWN
Peer: 24.1xx.1x.1xx port 500
  IPSEC FLOW: permit 47 host 192.168.2.2 host 220.127.116.11
        Active SAs: 0, origin: crypto map

Interface: Tunnel1
Session status: UP-IDLE
Peer: 18.104.22.168 port 4500
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Active
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Inactive
This problem clears up after 10 minutes. This seems to correspond with the NHRP configuration. The expiration of an "ip nhrp detail" is also 10 minutes. This results in the following on the spoke:
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 24.1xx.1x.1xx port 4500
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Active
  IKE SA: local 192.168.2.2/4500 remote 24.1xx.1x.1xx/4500 Inactive
  IPSEC FLOW: permit 47 host 192.168.2.2 host 24.1xx.1x.1xx
        Active SAs: 2, origin: crypto map
I've tried the following modifications without any luck:
I changed the "ip nhrp registration no-unique"
I changed the "ip nhrp holdtime 15"
Right now we do not have an elegant solution for two diverse, non 3g / cellular, ISP connections or else I would upgrade to the 1841s and setup two tunnels to the hub.
I've been really impressed with the DMVPN technology, so I'm hoping there's a way I can design the functionality that I'm looking for. Any help that you can offer is greatly appreciated!
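A small added check (not part of the post) that parses "show crypto session" blocks like the ones quoted above and flags the stuck condition described: a live IKE SA on the new NAT-T session while the IPsec flow still belongs to the older DOWN session. The sample output is constructed, with 203.0.113.10 standing in for the redacted hub address.

```python
import re

# Constructed sample modelled on the "show crypto session" output quoted in
# the post; 203.0.113.10 is a placeholder for the redacted hub address.
AFTER_FAILOVER = """\
Interface: Tunnel1
Session status: DOWN
Peer: 203.0.113.10 port 500
  IPSEC FLOW: permit 47 host 192.168.2.2 host 203.0.113.10
        Active SAs: 0, origin: crypto map

Interface: Tunnel1
Session status: UP-IDLE
Peer: 203.0.113.10 port 4500
  IKE SA: local 192.168.2.2/4500 remote 203.0.113.10/4500 Active
  IKE SA: local 192.168.2.2/4500 remote 203.0.113.10/4500 Inactive
"""

def parse_crypto_sessions(text):
    """Split 'show crypto session' output into one dict per session block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "status": "",
                   "peer": "", "port": 0, "ike_active": 0, "ipsec_sas": 0}
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            m = re.match(r"Peer:\s+(\S+)\s+port\s+(\d+)", line)
            cur["peer"], cur["port"] = m.group(1), int(m.group(2))
        elif line.startswith("IKE SA:") and line.split()[-1] == "Active":
            cur["ike_active"] += 1  # count only live IKE SAs, not "Inactive"
        elif line.startswith("Active SAs:"):
            cur["ipsec_sas"] = int(re.match(r"Active SAs:\s+(\d+)", line).group(1))
    return sessions

def stuck_interfaces(sessions):
    """Interfaces where a fresh IKE SA is up (no IPsec SAs yet) while the IPsec
    flow still hangs off an older DOWN session: the symptom in the post."""
    by_if = {}
    for s in sessions:
        by_if.setdefault(s["interface"], []).append(s)
    return sorted(i for i, ss in by_if.items()
                  if any(s["ike_active"] and not s["ipsec_sas"] for s in ss)
                  and any(s["status"] == "DOWN" and not s["ike_active"] for s in ss))
```

Run against a healthy UP-ACTIVE block (IKE SA Active and Active SAs: 2 in the same session) it returns an empty list, so it can be polled from a monitoring script to time how long the spoke stays stuck after a WAN switch.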