Douglas_Fagerstrom

DMVPN TUNNELS TIME OUT AFTER 2 HOURS, ONLY FIX TO RELOAD HUB.

Hello,

I have (3) 1800 Series Cisco ISRs. One local connected by DSL, other two units remote running on 1.2m Satellite provided by iDirect.

I have the DMVPN established and it works fine. After two hours (7200 seconds) the hub drops the spokes and the tunnels disappear. The only remedy I have found is to reload the HUB router; after several minutes the tunnels come up and the system works correctly. I am able to browse the network neighborhood, etc.

Has anyone encountered this problem, and what would be the proper fix? I have pasted the tunnel settings below from the HUB.

interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1300
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 6845126
 ip virtual-reassembly max-reassemblies 64
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 85469874
 tunnel protection ipsec profile SDM_Profile1

Any help would be much appreciated.

Thanks
arnold

Do you have a log entry dealing with the drop?
Double check the timeout (hard, idle timeout)?
HI! Sir

So, 7200 seconds you said, right?
What do you think about this command:
ip nhrp holdtime xxx

I was checking over the documentation:
http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

"We recommend that a value from 300 to 600 seconds be used."
I have a router with the value of 360.

Bye!
Douglas_Fagerstrom (ASKER)

I have three types of entries:

is down: holding time expired

is up: new adjacency

is down: retry limit exceeded
I'll try the nhrp adjustment and see what happens.
HI!
Yes, remember that the holdtime needs to match in every spoke and hub.
I mean, you need to add this command in the spokes too.

Somehow the tunnel is flapping or something...
Aaah, I do not know what topology you have, but I also think that you are missing this command:
"no ip split-horizon eigrp 101"

For what purpose did you disable "ip redirects"?

Bye!
 
I'll check the spokes tomorrow for the holdtime command.

I don't remember why I used IP redirects.

The no split horizon, I think, only goes on the spokes???
Hi Douglas!

Well, according to my DMVPN topology, I do not have the command "no ip redirects"
and, well, as you already mentioned, sure you need to enable the no split horizon in the hub.
Actually I do not have any split horizon in the spokes. Maybe you are doing something different.
But it is a good question; I am going to check the DMVPN documentation at Cisco just to clear this up.

Bye!
EE rules.
After adding the ip nhrp holdtime line to Tunnel0 on Spoke 1, I immediately checked the VPN Status and noticed the Expiration Time went from the normal 2 hours to only 10 min, which must mean the command works, but I am still not sure if the flapping will stop. I have also cleared all the logs and will monitor them for this stage and post any entries. As for the IP Redirects, not sure; it has been some time since I last worked on this issue, IT is a secondary part of my work. I have included the spoke Tunnel Configs for reference to aid in this matter.

Hub Tunnel Configuration


interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1300
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 4312175
 ip nhrp holdtime 600
 ip virtual-reassembly max-reassemblies 64
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key *******
 tunnel protection ipsec profile SDM_Profile1

SPOKE 1 Tunnel Configuration


interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.3 255.255.255.0
 no ip redirects
 ip mtu 1450
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast 195.**.***.***
 ip nhrp map 192.168.100.1 195.**.***.***
 ip nhrp network-id 4312175
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.4
 ip nhrp nhs 192.168.100.5
 ip nhrp nhs 192.168.100.2
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key *******
 tunnel protection ipsec profile SDM_Profile1


I did not make the ip nhrp holdtime addition to spoke two, to use it as a control to verify the tunnel stops flapping with the command added.


Spoke 2 Tunnel Configuration


interface Tunnel0
 bandwidth 1000
 ip address 192.168.100.4 255.255.255.0
 no ip redirects
 ip mtu 1000
 no ip next-hop-self eigrp 101
 ip nhrp authentication AUCDMVPN
 ip nhrp map multicast 195.**.***.***
 ip nhrp map 192.168.100.1 195.**.***.***
 ip nhrp network-id 4312175
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.3
 ip nhrp nhs 192.168.100.2
 ip nhrp nhs 192.168.100.5
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key *******
 tunnel protection ipsec profile SDM_Profile1


THANK YOU ALL!
Same problem still occurring on both spokes.

Is it possible that since I don't have the spoke-to-spoke configurations completed this could be causing the drops?
Hi!
Douglas!

Well you know!, Troubleshooting is like test and probe.
mmmmm, maybe what you are saying is right, I mean:
In a DMVPN topology you only need to define one "ip nhrp nhs".
In this case would be  only ip nhrp nhs 192.168.100.1 for spoke.
So basically in the spoke you only need to have one, and this would be hub ip tunnel interface.
We are talking about one hub, dual hub is another story.

Also you can try with "no ip split-horizon eigrp 101", but just in the HUB.
Remember that you only need to define in the EIGRP process the network behind the router and the network of the tunnel interface per device.

Thank you!
Bye!
Correct, I understand the EIGRP at the bottom, but in order to have the spoke to spoke tunnels something is missing. Also, should have a backup hub server. I only have two spokes now but plan on having 6-10 as soon as I get this issue figured out.
You need to add the inter-interface communication setting, i.e. same-security-traffic permit inter-interface
Hello!
Douglas!

You only need one  "ip nhrp nhs" per spoke.
If you are planning to have a dual hub environment, so you will have two "ip nhrp nhs" pointing to the IP of the two hubs. You do not need to point to the other spokes.

Please check this site first:
http://www.scribd.com/doc/2205878/Introduction-to-DMVPN 

Also be aware of bugs:
http://supportwiki.cisco.com/ViewWiki/index.php/In_a_dual-hub_dual-DMVPN_scenario_with_routers_running_Cisco_IOS_Software_Release_12.3,_a_spoke-to-spoke_tunnel_fails_to_come_up_over_a_secondary_tunnel_interface


Please, you can check an example in order to have a dual environment:
http://www.gns3-labs.com/2008/07/09/topology-dual-dmvpn-dynamic-multipoint-vpn-over-frame-relay-using-eigrp/

Other information:
http://www.scribd.com/search?query=dmvpn&x=0&y=0
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html



*** Example of one of spoke with dual HUB:
------------------------------------------
interface Tunnel0
bandwidth 1000
ip address 10.0.0.11 255.255.255.0
ip mtu 1416
ip nhrp authentication test
ip nhrp map multicast 172.17.0.1
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.5
ip nhrp map 10.0.0.2 172.17.0.5
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
router ospf 1
network 10.0.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 1
 
*** One of the hubs in DUAL hub environment
-------------------------------------------
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
ip mtu 1416
ip nhrp authentication test
ip nhrp map multicast dynamic
 
! This is the info of the other HUB.
ip nhrp map 10.0.0.2 172.17.0.5
ip nhrp map multicast 172.17.0.5
 
ip nhrp network-id 100000
ip nhrp holdtime 360
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
router ospf 1
network 10.0.0.0 0.0.0.255 area 1
network 192.168.0.0 0.0.0.255 area 0
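
A consistency check for the two points raised in this thread (a matching `ip nhrp holdtime` on hub and spokes, and `ip nhrp nhs` entries that point only at hub tunnel addresses), added here as an example and not posted by any participant. The `parse` and `audit` helpers are hypothetical names, the sample is trimmed from the configs posted above, and treating a router with `ip nhrp map multicast dynamic` as a hub is an assumption.

```python
import re

# Constructed sample: NHRP lines trimmed from the Tunnel0 configs posted above.
CONFIGS = {
    "hub": """
 ip address 192.168.100.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 4312175
 ip nhrp holdtime 600
""",
    "spoke1": """
 ip address 192.168.100.3 255.255.255.0
 ip nhrp network-id 4312175
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.4
""",
    "spoke2": """
 ip address 192.168.100.4 255.255.255.0
 ip nhrp network-id 4312175
 ip nhrp nhs 192.168.100.1
 ip nhrp nhs 192.168.100.3
""",
}

def parse(text):
    """Extract the NHRP-relevant settings from one tunnel interface block."""
    one = lambda pat: (re.search(pat, text, re.M) or [None, None])[1]
    return {
        "addr": one(r"^\s*ip address (\S+)"),
        "netid": one(r"^\s*ip nhrp network-id (\d+)"),
        "holdtime": one(r"^\s*ip nhrp holdtime (\d+)"),  # None = not configured
        "nhs": re.findall(r"^\s*ip nhrp nhs (\S+)", text, re.M),
        "is_hub": bool(re.search(r"^\s*ip nhrp map multicast dynamic", text, re.M)),  # assumption
    }

def audit(configs):
    """Return findings: mismatched holdtime/network-id, and nhs entries that are not hubs."""
    routers = {name: parse(text) for name, text in configs.items()}
    hubs = {r["addr"] for r in routers.values() if r["is_hub"]}
    findings = []
    for key in ("holdtime", "netid"):
        values = {name: r[key] for name, r in routers.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{key} differs: {values}")
    for name, r in routers.items():
        extra = [n for n in r["nhs"] if n not in hubs]
        if extra:
            findings.append(f"{name}: nhs points at non-hub address(es) {extra}")
    return findings
```

Run against the posted configs, `audit(CONFIGS)` reports the missing holdtime on spoke 2 and the spoke-to-spoke `nhs` entries on both spokes.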
