
DMVPN dual HUB issue

Hi all, I hope you can help me.

Issue: the EIGRP neighborship is flapping between the DMVPN spoke and a hub router. We have 2 hub routers for redundancy.

The flapping is only with one tunnel (to US).

Main hubs:

US: 10.32.170.1

UK: 10.24.170.1

Spoke:

Tunnel1                    10.24.170.35    YES NVRAM  up                    up  to UK

Tunnel2                    10.32.170.35    YES NVRAM  up                    up  to US

The source in the spoke router is Ethernet1 in both tunnels.

Spoke1#sh runn int tun1
Building configuration...

Current configuration : 405 bytes
!
interface Tunnel1
 bandwidth 1000
 ip address 10.24.170.35 255.255.255.0
 ip mtu 1352
 ip nhrp authentication donttell
 ip nhrp map 10.24.170.1 216.40.52.7
 ip nhrp network-id 169
 ip nhrp holdtime 300
 ip nhrp nhs 10.24.170.1
 ip route-cache flow
 ip tcp adjust-mss 1200
 delay 1000
 tunnel source Ethernet1
 tunnel destination 216.40.52.7
 tunnel key 100000
 tunnel protection ipsec profile PRO
end

Spoke1#sh runn int tun2
Building configuration...

Current configuration : 406 bytes
!
interface Tunnel2
 bandwidth 256
 ip address 10.32.170.35 255.255.255.0
 ip mtu 1352
 ip nhrp authentication donttell
 ip nhrp map 10.32.170.1 216.40.48.53
 ip nhrp network-id 170
 ip nhrp holdtime 300
 ip nhrp nhs 10.32.170.1
 ip route-cache flow
 ip tcp adjust-mss 1200
 delay 1500
 tunnel source Ethernet1
 tunnel destination 216.40.48.53
 tunnel key 100001
 tunnel protection ipsec profile PRO
end

Log:

Sep  5 21:19:26 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 21:47:24 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 21:47:24 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 21:50:19 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 21:50:19 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 22:05:21 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 22:05:21 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 22:25:52 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 22:25:52 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 22:53:14 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 22:53:14 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  6 00:42:34 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  6 00:42:37 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency

Only one tunnel is flapping:

Spoke1#sh ip eigrp nei
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   10.32.170.1             Tu2               13 00:06:22  182  1092  0  5500897
1   10.24.170.1             Tu1               11 2d10h     161   966  0  3706579
0   10.24.166.4             Et0               11 28w2d       2   200  0  8137

----------------------------------------------------------------------------------------

In the Hub US we have this log:

Sep 5 18:11:21 EDT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=9079, sequence number=13538

Sep 5 18:12:58 EDT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=9079, sequence number=13950

Sep 5 18:15:09 EDT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=9079, sequence number=14701

Can somebody give me some advice?

Let me know if you need more information.
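
An added example, not part of the original post: a short Python script that parses the spoke's %DUAL-5-NBRCHANGE lines quoted above and computes how long each adjacency stayed up before it dropped, and the logged reason. The function names and the year used to parse the yearless syslog timestamps are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Spoke log lines from the post above (leading "S" of the first line restored).
# Syslog omits the year, so an assumed year is supplied; only intervals matter.
SPOKE_LOG = """\
Sep  5 21:19:26 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 21:47:24 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 21:47:24 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 21:50:19 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 21:50:19 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 22:05:21 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 22:05:21 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 22:25:52 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 22:25:52 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  5 22:53:14 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  5 22:53:14 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
Sep  6 00:42:34 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is down: Peer goodbye received
Sep  6 00:42:37 Summer: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.170.1 (Tunnel2) is up: new adjacency
"""

NBRCHANGE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %DUAL-5-NBRCHANGE: .*?"
    r"Neighbor (?P<nbr>\S+) \((?P<intf>\S+)\) is (?P<state>up|down): (?P<why>.+)$"
)

def adjacency_lifetimes(log_text, year=2000):
    """Return {(neighbor, interface): [(seconds_up, down_reason), ...]}."""
    up_since, sessions = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = NBRCHANGE.match(line.strip())
        if not m:
            continue  # ignore unrelated syslog lines
        key = (m["nbr"], m["intf"])
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["state"] == "up":
            up_since[key] = when
        elif key in up_since:  # a down with no earlier up has no lifetime
            seconds = int((when - up_since.pop(key)).total_seconds())
            sessions[key].append((seconds, m["why"]))
    return dict(sessions)

def flapping(sessions, min_flaps=3):
    """Neighbors whose adjacency dropped at least min_flaps times."""
    return {k: v for k, v in sessions.items() if len(v) >= min_flaps}

if __name__ == "__main__":
    for (nbr, intf), runs in flapping(adjacency_lifetimes(SPOKE_LOG)).items():
        print(nbr, intf, [f"{s // 60}m{s % 60:02d}s ({why})" for s, why in runs])
```

On the log above, all six drops on Tunnel2 carry the reason "Peer goodbye received", with adjacency lifetimes ranging from under 3 minutes to almost 2 hours.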

1 REPLY

If you are using your spoke backup tunnel for redundancy only and no load sharing is required, you can configure the below and that should fix the issue for you.

To enable one tunnel interface to act as a backup to the other tunnel interface, you just specify the backup interface as the second tunnel interface on the primary interface and configure if-state nhrp on the primary tunnel interface. If that is done, the primary tunnel goes down if registration with the hub fails, and the backup tunnel will come up.

interface Tunnel1
 if-state nhrp
 backup interface Tunnel2
!
interface Tunnel2
 if-state nhrp
