Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
772
Views
2
Helpful
8
Replies

DMVPN: Too many spoke to spoke tunnels created!

lap
Level 2
Level 2

‎11-17-2011 03:31 AM - edited ‎02-21-2020 05:42 PM

Hi all,

We have a customer wiht a DMVPN network phase 2. There are around 40 spokes. What I can see on all the spokes is between 10 and 15 IPsec spoke to spoke tunnels which is really strange as most of the spoke locations should only have between 1 to 4 spoke to spoke tunnels maximum.

My question is what could cause the spoke routers to create an IPsec spoke to spoke tunnel? Some weired applications?

IOS version: 12.4(15)T11 Platform: Cisco 1812.

Best regards,

Laurent

Labels:
0 Helpful
8 Replies 8

ajay chauhan
Level 7
Level 7

‎11-17-2011 04:44 AM

Its all depend on traffic between spoke to spoke and DMVPN is ment for that only ,if there will be interesting traffic Ipsec tunnel will be formed.

0 Helpful

lap
Level 2
Level 2
In response to ajay chauhan

‎11-17-2011 04:49 AM

Hi,

But there may be an apllication that trigger this Spoke to spoke tunnels?

I cannot in the inspect sessions the IP of the destination spokes. So it looks it is a quick trigger, then inspect session time ud og IPsec SAs stayded for the defaut life time.

Regards,

Laurent

0 Helpful

ajay chauhan
Level 7
Level 7
In response to lap

‎11-17-2011 04:52 AM

You can also verify with " show crypto ipsec sa " if the traffic is passing over tunnel.

0 Helpful

lap
Level 2
Level 2
In response to ajay chauhan

‎11-17-2011 04:54 AM

Most the Spoke Spoke tunnels haven't any packets encrypted.

Regards,

Laurent

0 Helpful

ajay chauhan
Level 7
Level 7
In response to lap

‎11-17-2011 05:02 AM

Then tunnels will teardown after sometime should not be issue .

0 Helpful

lap
Level 2
Level 2
In response to ajay chauhan

‎11-17-2011 06:06 AM

Does the SAs cosume any ressource on the router?

0 Helpful

ajay chauhan
Level 7
Level 7
In response to lap

‎11-17-2011 06:09 AM

Actual resources are consumed when encryption/decryption is there for traffic and performamce  depends upon the hardware you using.

lap
Level 2
Level 2
In response to ajay chauhan

‎11-17-2011 06:20 AM

Thanks a lot!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents