EIGRP Hold timer times out on 1 ISP - Are Hellos being blocked?

Hello Cisco Forum,

once again I come to ask for advice.

(We run EIGRP on a Hub&Spoke network with two ISPs providing a mixture of connections to around 30 spoke sites.

There are two central routers with IPSEC/GRE tunnels to all sites, one primary and one failover.

All the routing is configured with EIGRP Stub at the remote sites and there are route summaries on the tunnel interfaces to trim the route tables to a minimum.

This network is very simple. I have implemented as much consistency across the programming as possible.)

OK - so there is the outline of the network.

The main point is that all the connections are provided by one of two ISPs.

On an intermittent basis, perhaps once or twice a day at most, all the routes on lines provided by one ISP will drop simultaneously.

My syslogs just go mental. All the neighbourships across the tunnels drop and then come straight back up.

So my question is: does anyone have any experience of an ISP blocking or mis-directing EIGRP Hellos or multicasts generally within their Autonomous System BEFORE the packets get back to the end-user line?

Many thanks for your insights


EIGRP Hold timer times out on 1 ISP - Are Hellos being blocked?

Hi Paul,

I think it could be something wrong on that hub router, or the ISP router. Do you see packet drop if you continuously ping from spoke to hub tunnel endpoint?


Lei Tian

EIGRP Hold timer times out on 1 ISP - Are Hellos being blocked?

If it was packets dropping on one line, this wouldnt explain why almost 20 lines drop together.

If it was a fault on the Hub router, why would only the lines from one ISP drop together, and not the other ISP lines?

EIGRP Hold timer times out on 1 ISP - Are Hellos being blocked?


I can not tell from your description whether the connections through the ISP with a problem are almost 20 individual circuits or whether it is almost 20 connections aggregated into one larger pipe. Can you clarify this?

Your description indicates that there are two hub routers, one primary and one backup. Are you seeing the same loss of connectivity on both hubs? Or is it on one of them?

Also your description indicates that there are IPSec/GRE tunnels which carry the traffic. It would be helpful to know whether the IPSec tunnels stay up or whether the IPSec is re-negotiated after the EIGRP neighbors are lost and then recovered.

Also the fact that the EIGRP is carried in IPSec/GRE makes it very unlikely that the ISP is dropping or misdirecting just EIGRP hello packets because in the encrypted tunnel they can not distinguish what is in a packet. It is much more likely that they are dropping all packets. In that case the suggestion by Lei Tian of doing some kind of ping between the hub and one or two spokes has merit. Perhaps you could do a slow ping (maybe every 5 seconds) instead of a continuous rapid ping to a site or two over the problematic ISP and see if there is a pattern of packet loss there.



Re: EIGRP Hold timer times out on 1 ISP - Are Hellos being block

Hi Paul,

I assumed provider A connects to hub router A, provider B connects to hub router B. In that case problem on either hub router or the provider router could cause all spokes drop. Maybe my assumption was wrong.

Lei Tian

Re: EIGRP Hold timer times out on 1 ISP - Are Hellos being block

Hi guys,

thanks for your responses.

I have set up 5second pings on a random selection of the tunnels.

(I also managed to get a debug that said 'metric change' which might point to something else being involved. Im still investigating that.)

But to clarify the set up for you;

The primary and backup Hub Routers are on different ISPs. But all the Spoke sites connect to BOTH routers with a tunnel each.

The Remote site's connections are ADSL/Leased Line/SwitchedPPPoE etc but are with one of two ISPs (not the same as our local ones!)

So when the issue occurs, it is all the adjacencies on the tunnels for one of the REMOTE SITE ISPs (eg Sites 1 - 15), that show HoldTimerExpired - as if ISP 1 had just dropped for 15 seconds.

I will monitor these IP SLAs for packet loss and I am running some local debugs too. I will let you know if I get anything.

Thanks for your insights.


