Solved

DMVPN TUNNELS TIME OUT AFTER 2 HOURS, ONLY FIX TO RELOAD HUB.

Posted on 2008-10-25
Last Modified: 2012-05-05
Hello,

I have (3) 1800 Series Cisco ISR's.  One local connected by DSL, other two units remote running on 1.2m Satellite provided by iDirect.

I have the DMVPN established and it works fine.  After two hours (7200 seconds) the hub drops the spokes and the tunnels disappear.  The only remedy I have found is to reload the HUB router, after several minutes the tunnels come up and the system works correctly.  I am able to browse the network neighborhood, etc.

Has anyone encountered this problem and what would be the proper fix?  I have pasted the tunnel settings below from the HUB.

interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1300
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 6845126
 ip virtual-reassembly max-reassemblies 64
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 85469874
 tunnel protection ipsec profile SDM_Profile1

Any help would be much appreciated.

Thanks
0
Question by:Douglas_Fagerstrom
14 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 22803593
Do you have a log entry dealing with the drop?
Double check the timeout (hard, idle timeout)?
0
 
LVL 7

Expert Comment

by:geergon
ID: 22804223
HI! Sir

So, 7200 seconds you said, right?
What do you think about this command:
ip nhrp holdtime xxx

I was checking over the documentation:
http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

"We recommend that a value from 300 to 600 seconds be used."
I have router with the value of 360.

Bye!
0
 

Author Comment

by:Douglas_Fagerstrom
ID: 22804238
I have three types of entries:

is down: holding time expired

is up: new adjacency

is down: retry limit exceeded
0
 

Author Comment

by:Douglas_Fagerstrom
ID: 22804239
I'll try the nhrp adjustment and see what happens.
0
 
LVL 7

Expert Comment

by:geergon
ID: 22804559
HI!
Yes, remember that the holdtime needs to match in every spoke and hub.
I mean, you need to add this command in the spokes too.

Somehow the tunnel is flapping or something...
Aaah, I do not know what topology you have, but I also think that you are missing this command:
"no ip split-horizon eigrp 101"

For what purpose did you disable "ip redirects"?

Bye!
 
0
 

Author Comment

by:Douglas_Fagerstrom
ID: 22804815
I'll check the spokes tomorrow for the holdtime command.

I don't remember why I used IP redirects.

The no split horizon I think only goes on the spokes???
0
 
LVL 7

Expert Comment

by:geergon
ID: 22804916
Hi Douglas!

Well, according to my DMVPN topology I do not have the command "no ip redirects"
and, well, as you already mentioned, sure you need to enable the no split horizon in the hub.
Actually I do not have any split horizon in the spokes. Maybe you are doing something different.
But it is a good question, I am going to check the documentation of DMVPN at Cisco just to clear this up.

Bye!
EE rules.
0
 

Author Comment

by:Douglas_Fagerstrom
ID: 22806560
After adding the ip NHRP holdtime line to the Tunnel0 on Spoke 1, I immediately checked the VPN Status and noticed the Expiration Time went from the normal 2 hours to only 10 min, which must mean the command works, but I am still not sure if the flapping will stop. I have also cleared all the logs and will monitor them for this stage and post any entries.  As for the IP Redirects, not sure, it has been some time since I last worked on this issue, IT is a secondary part of my work.  I have included the spoke Tunnel Configs for reference to aid in this matter.

Hub Tunnel Configuration


interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1300
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 4312175
 ip nhrp holdtime 600
 ip virtual-reassembly max-reassemblies 64
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key *******
 tunnel protection ipsec profile SDM_Profile1

SPOKE 1 Tunnel Configuration


interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.3 255.255.255.0
 no ip redirects
 ip mtu 1450
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast 195.**.***.***
 ip nhrp map 192.168.100.1 195.**.***.***
 ip nhrp network-id 4312175
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.4
 ip nhrp nhs 192.168.100.5
 ip nhrp nhs 192.168.100.2
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key *******
 tunnel protection ipsec profile SDM_Profile1


I did not make the ip nhrp holdtime addition to Spoke 2, to use it as a control to verify the tunnel stops flapping with the command added.


Spoke 2 Tunnel Configuration


interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.4 255.255.255.0
 no ip redirects
 ip mtu 1000
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast 195.**.***.***
 ip nhrp map 192.168.100.1 195.**.***.***
 ip nhrp network-id 4312175
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.3
 ip nhrp nhs 192.168.100.2
 ip nhrp nhs 192.168.100.5
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key *******
 tunnel protection ipsec profile SDM_Profile1


THANK YOU ALL!
0
 

Accepted Solution

by:
Douglas_Fagerstrom earned 0 total points
ID: 22807935
The last post was around noon.  At about 4 the tunnels both collapsed and no IKE exchange or other attempts have happened.  Log entries are as follows:

15:23 Spoke 2  Interface Goodbye received
16:04 Spokes 1 & 2: holding time expired (two entries)

Any more ideas?
0
 

Author Comment

by:Douglas_Fagerstrom
ID: 22829965
Same problem still occurring on both spokes.

Is it possible that since I don't have the spoke-to-spoke configurations completed this could be causing the drops?
0
 
LVL 7

Expert Comment

by:geergon
ID: 22855400
Hi!
Douglas!

Well, you know, troubleshooting is like test and probe.
Mmmmm, maybe what you are saying is right, I mean:
In a DMVPN topology you only need to define one "ip nhrp nhs".
In this case it would be only ip nhrp nhs 192.168.100.1 for the spoke.
So basically in the spoke you only need to have one, and this would be the hub's tunnel interface IP.
We are talking about one hub, dual hub is another story.

Also you can try with "no ip split-horizon eigrp 101", but just in the HUB.
Remember that you only need to define in the EIGRP process the network behind the router and the network of the tunnel interface per device.

Thank you!
Bye!
0
 

Author Comment

by:Douglas_Fagerstrom
ID: 22855764
Correct, I understand the EIGRP at the bottom, but in order to have the spoke to spoke tunnels something is missing. Also, should have a backup hub server.  I only have two spokes now but plan on having 6-10 as soon as I get this issue figured out.
0
 
LVL 76

Expert Comment

by:arnold
ID: 22858288
You need to add the inter interface communication setting, i.e. same-security-traffic permit inter-interface
0
 
LVL 7

Expert Comment

by:geergon
ID: 22858496
Hello!
Douglas!

You only need one "ip nhrp nhs" per spoke.
If you are planning to have a dual hub environment, then you will have two "ip nhrp nhs" pointing to the IPs of the two hubs. You do not need to point to the other spokes.

Please check this site first:
http://www.scribd.com/doc/2205878/Introduction-to-DMVPN

Also be aware of bugs:
http://supportwiki.cisco.com/ViewWiki/index.php/In_a_dual-hub_dual-DMVPN_scenario_with_routers_running_Cisco_IOS_Software_Release_12.3,_a_spoke-to-spoke_tunnel_fails_to_come_up_over_a_secondary_tunnel_interface


Please, you can check an example in order to have a dual environment:
http://www.gns3-labs.com/2008/07/09/topology-dual-dmvpn-dynamic-multipoint-vpn-over-frame-relay-using-eigrp/

Other information:
http://www.scribd.com/search?query=dmvpn&x=0&y=0
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html



*** Example of one of spoke with dual HUB:
------------------------------------------

interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1416
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.5
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 1

*** One of the hubs in DUAL hub environment
-------------------------------------------

interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1416
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 !This the info of the other HUB.
 ip nhrp map 10.0.0.2 172.17.0.5
 ip nhrp map multicast 172.17.0.5
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 1
 network 192.168.0.0 0.0.0.255 area 0

0
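
An added example, not part of any post in this thread: a small Python check for the two points raised in the answers, that the NHRP holdtime should match on hub and spokes and that a spoke's "ip nhrp nhs" entries should point only at hubs. The Tunnel0 excerpts are trimmed from the configurations posted above; the function names and device labels are assumptions made for the example.

```python
import re

# Tunnel0 excerpts trimmed from the hub, Spoke 1 and Spoke 2 configs in this thread.
CONFIGS = {
    "hub": """interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 ip nhrp holdtime 600
""",
    "spoke1": """interface Tunnel0
 ip address 192.168.100.3 255.255.255.0
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.4
 ip nhrp nhs 192.168.100.5
 ip nhrp nhs 192.168.100.2
""",
    "spoke2": """interface Tunnel0
 ip address 192.168.100.4 255.255.255.0
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.3
 ip nhrp nhs 192.168.100.2
 ip nhrp nhs 192.168.100.5
""",
}

def parse_tunnel(text):
    """Extract tunnel address, NHRP holdtime and NHS list from one interface block."""
    addr = re.search(r"^\s*ip address (\S+)", text, re.M)
    hold = re.search(r"^\s*ip nhrp holdtime (\d+)", text, re.M)
    return {
        "address": addr.group(1) if addr else None,
        "holdtime": int(hold.group(1)) if hold else None,  # None: not configured
        "nhs": re.findall(r"^\s*ip nhrp nhs (\S+)", text, re.M),
    }

def audit(configs, hubs):
    """Return findings for holdtime mismatches and NHS entries that are not hubs."""
    parsed = {name: parse_tunnel(text) for name, text in configs.items()}
    hub_addrs = {parsed[h]["address"] for h in hubs}
    findings = []
    holdtimes = {name: p["holdtime"] for name, p in parsed.items()}
    if len(set(holdtimes.values())) > 1:
        findings.append(("holdtime-mismatch", holdtimes))
    for name in sorted(set(parsed) - set(hubs)):
        extra = [n for n in parsed[name]["nhs"] if n not in hub_addrs]
        if extra:
            findings.append(("nhs-not-a-hub", name, extra))
    return findings
```

Calling `audit(CONFIGS, hubs={"hub"})` flags Spoke 2's missing holdtime and the spoke-to-spoke NHS entries on both spokes.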