Douglas_Fagerstrom
asked on
DMVPN TUNNELS TIME OUT AFTER 2 HOURS, ONLY FIX TO RELOAD HUB.
Hello,
I have (3) 1800 Series Cisco ISR's. One local connected by DSL, other two units remote running on 1.2m Satellite provided by iDirect.
I have the DMVPN established and it works fine. After two hours (7200 seconds) the hub drops the spokes and the tunnels disappear. The only remedy I have found is to reload the HUB router, after several minutes the tunnels come up and the system works correctly. I am able to browse the network neighborhood, etc.
Has anyone encountered this problem and what would be the proper fix. I have pasted the tunnel settings below from the HUB.
interface Tunnel0
bandwidth 1000
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1300
no ip next-hop-self eigrp 101
ip nhrp authentication AUCDMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 6845126
ip virtual-reassembly max-reassemblies 64
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 85469874
tunnel protection ipsec profile SDM_Profile1
Any help would be much appreciated.
Thanks
HI! Sir
So, 7200 seconds you said, right?
What do you think about this command:
ip nhrp holdtime xxx
I was checking over the documentation:
http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
"We recommend that a value from 300 to 600 seconds be used."
I have a router with the value of 360.
Bye!
ASKER
I have three types of entries:
is down: holding time expired
is up: new adjacency
is down: retry limit exceeded
ASKER
I'll try the nhrp adjustment and see what happens.
HI!
Yes, remember that the holdtime needs to match in every spoke and hub.
I mean, you need to add this command in the spokes too.
Somehow the tunnel is flapping or something...
Aaah, I do not know what topology you have, but I also think that you are missing this command:
"no ip split-horizon eigrp 101"
For what purpose did you disable "ip redirects"?
Bye!
ASKER
I'll check the spokes tomorrow for the holdtime command.
I don't remember why I used IP redirects.
The no split horizon, I think, only goes on the spokes???
Hi Douglas!
Well according to my DMVPN topology I do not have the command "no ip redirects"
and, well, as you already mention, sure you need to enable the no split horizon in the hub.
Actually I do not have any split horizon in the spokes. Maybe you are doing something different.
But it is a good question. I am going to check the DMVPN documentation at Cisco just to clear this up.
Bye!
EE rules.
ASKER
After adding the ip NHRP holdtime line to the Tunnel0 on Spoke 1, I immediately checked the VPN Status and noticed the Expiration Time went from the normal 2 hours to only 10 min, which must mean the command works, but I am still not sure if the flapping will stop. I have also cleared all the logs and will monitor them for this stage and post any entries. As for the IP Redirects, not sure, it has been some time since I last worked on this issue; IT is a secondary part of my work. I have included the spoke Tunnel Configs for reference to aid in this matter.
Hub Tunnel Configuration
interface Tunnel0
bandwidth 1000
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1300
no ip next-hop-self eigrp 101
ip nhrp authentication AUCDMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 4312175
ip nhrp holdtime 600
ip virtual-reassembly max-reassemblies 64
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key *******
tunnel protection ipsec profile SDM_Profile1
SPOKE 1 Tunnel Configuration
interface Tunnel0
bandwidth 1000
ip address 192.168.100.3 255.255.255.0
no ip redirects
ip mtu 1450
no ip next-hop-self eigrp 101
ip nhrp authentication AUCDMVPN
ip nhrp map multicast 195.**.***.***
ip nhrp map 192.168.100.1 195.**.***.***
ip nhrp network-id 4312175
ip nhrp holdtime 600
ip nhrp nhs 192.168.100.1
ip nhrp nhs 192.168.100.4
ip nhrp nhs 192.168.100.5
ip nhrp nhs 192.168.100.2
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key *******
tunnel protection ipsec profile SDM_Profile1
I did not make the ip nhrp holdtime addition to Spoke 2, in order to use it as a control to verify the tunnel stops flapping with the command added.
Spoke 2 Tunnel Configuration
interface Tunnel0
bandwidth 1000
ip address 192.168.100.4 255.255.255.0
no ip redirects
ip mtu 1000
no ip next-hop-self eigrp 101
ip nhrp authentication AUCDMVPN
ip nhrp map multicast 195.**.***.***
ip nhrp map 192.168.100.1 195.**.***.***
ip nhrp network-id 4312175
ip nhrp nhs 192.168.100.1
ip nhrp nhs 192.168.100.3
ip nhrp nhs 192.168.100.2
ip nhrp nhs 192.168.100.5
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key *******
tunnel protection ipsec profile SDM_Profile1
THANK YOU ALL!
ASKER
Same problem still occurring on both spokes.
Is it possible that since I don't have the spoke-to-spoke configurations completed this could be causing the drops?
Hi!
Douglas!
Well you know!, Troubleshooting is like test and probe.
mmmmm, maybe what you are saying is right, I mean:
In a DMVPN topology you only need to define one "ip nhrp nhs"
In this case would be only ip nhrp nhs 192.168.100.1 for spoke.
So basically in the spoke you only need to have one, and this would be hub ip tunnel interface.
We are talking about one hub, dual hub is another story.
Also you can try with "no ip split-horizon eigrp 101", but just in the HUB.
Remember that you only need to define in the EIGRP process the network behind the router and the network of the tunnel interface per device.
Thank you!
Bye!
ASKER
Correct, I understand the EIGRP at the bottom, but in order to have the spoke to spoke tunnels something is missing. Also, should have a backup hub server. I only have two spokes now but plan on having 6-10 as soon as I get this issue figured out.
You need to add the inter interface communication setting, i.e. same-security-traffic permit inter-interface
Hello!
Douglas!
You only need one "ip nhrp nhs" per spoke.
If you are planning to have a dual hub environment, then you will have two "ip nhrp nhs" pointing to the IP of the two hubs. You do not need to point to the other spokes.
Please check this site first:
http://www.scribd.com/doc/2205878/Introduction-to-DMVPN
Also be aware of bugs:
http://supportwiki.cisco.com/ViewWiki/index.php/In_a_dual-hub_dual-DMVPN_scenario_with_routers_running_Cisco_IOS_Software_Release_12.3,_a_spoke-to-spoke_tunnel_fails_to_come_up_over_a_secondary_tunnel_interface
Please, you can check an example in order to have a dual environment:
http://www.gns3-labs.com/2008/07/09/topology-dual-dmvpn-dynamic-multipoint-vpn-over-frame-relay-using-eigrp/
Other information:
http://www.scribd.com/search?query=dmvpn&x=0&y=0
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html
*** Example of one of spoke with dual HUB:
------------------------------------------
interface Tunnel0
bandwidth 1000
ip address 10.0.0.11 255.255.255.0
ip mtu 1416
ip nhrp authentication test
ip nhrp map multicast 172.17.0.1
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.5
ip nhrp map 10.0.0.2 172.17.0.5
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
router ospf 1
network 10.0.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 1
*** One of the hubs in DUAL hub environment
-------------------------------------------
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
ip mtu 1416
ip nhrp authentication test
ip nhrp map multicast dynamic
! This is the info of the other HUB.
ip nhrp map 10.0.0.2 172.17.0.5
ip nhrp map multicast 172.17.0.5
ip nhrp network-id 100000
ip nhrp holdtime 360
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
router ospf 1
network 10.0.0.0 0.0.0.255 area 1
network 192.168.0.0 0.0.0.255 area 0
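The two points raised in the replies above (the same "ip nhrp holdtime" on hub and spokes, and "ip nhrp nhs" entries that point only at hub tunnel addresses) can be checked mechanically against the Tunnel0 configs posted in this thread. This is an added example, not part of any post; treating the router that carries "ip nhrp map multicast dynamic" as the hub is an assumption of the sketch, and the function names are hypothetical.

```python
import re

# Tunnel0 lines relevant to the two checks, copied from the configs posted in the thread.
CONFIGS = {
    "hub": "ip address 192.168.100.1 255.255.255.0\n"
           "ip nhrp map multicast dynamic\n"
           "ip nhrp holdtime 600\n",
    "spoke1": "ip address 192.168.100.3 255.255.255.0\n"
              "ip nhrp holdtime 600\n"
              "ip nhrp nhs 192.168.100.1\nip nhrp nhs 192.168.100.4\n"
              "ip nhrp nhs 192.168.100.5\nip nhrp nhs 192.168.100.2\n",
    "spoke2": "ip address 192.168.100.4 255.255.255.0\n"
              "ip nhrp nhs 192.168.100.1\nip nhrp nhs 192.168.100.3\n"
              "ip nhrp nhs 192.168.100.2\nip nhrp nhs 192.168.100.5\n",
}

def parse(cfg):
    """Pull tunnel address, holdtime (None = command absent) and NHS list."""
    addr = re.search(r"^\s*ip address (\S+)", cfg, re.M)
    hold = re.search(r"^\s*ip nhrp holdtime (\d+)", cfg, re.M)
    return {
        "addr": addr.group(1) if addr else None,
        "holdtime": int(hold.group(1)) if hold else None,
        "nhs": re.findall(r"^\s*ip nhrp nhs (\S+)", cfg, re.M),
        # Assumption: only a hub maps multicast dynamically.
        "is_hub": bool(re.search(r"^\s*ip nhrp map multicast dynamic", cfg, re.M)),
    }

def audit(configs):
    """Return findings for holdtime mismatches and NHS entries that are not hubs."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    hubs = {p["addr"] for p in parsed.values() if p["is_hub"]}
    findings = []
    holdtimes = {name: p["holdtime"] for name, p in parsed.items()}
    if len(set(holdtimes.values())) > 1:
        findings.append(("holdtime-mismatch", holdtimes))
    for name, p in parsed.items():
        extra = [n for n in p["nhs"] if n not in hubs]
        if extra:
            findings.append(("nhs-not-hub", name, extra))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```

Run against the posted configs, it reports that Spoke 2 has no holdtime configured while the hub and Spoke 1 use 600, and that both spokes list other spokes' tunnel addresses as NHS.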
Double check the timeout (hard, idle timeout)?