  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1526

GRE tunnel keeps dropping cisco 877s to 877w using NHRP (DMVPN design)

Hi all,

I don't know how long this has been going on, but today it's been happening quite a lot; the tunnel comes back up eventually.

The only message I have is
000109: *Jul 11 03:49:39.759: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is down: holding time expired
CWPD#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
000110: *Jul 11 03:51:27.943: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is up: new adjacency
CWPD#

My configs for the tunnels are below.

No idea why it's happening at all, can anyone shed any light?

thanks
############# 877w NHRP server ################
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_SET 

interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxxxxxxxxxxxxxxxxxxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN

################ 1 of 3 NHRP clients 877s ##############
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_SET 

interface Tunnel4
 ip address 192.168.100.4 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication xxxxxxxxxxxxxxxxxxx
 ip nhrp map 192.168.100.1 7x.xxx.xxx.xxx
 ip nhrp map multicast 7x.xxx.xxx.xxx
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.100.1
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination 77.xxx.xxx.xx
 tunnel key 100
 tunnel protection ipsec profile DMVPN

awilderbeast
Asked:
arminel Commented:
Well, afaik a tunnel goes down if:

1. the route to the tunnel destination disappears for some reason (maybe you're learning it from another routing protocol and it's to blame)
2. the interface that anchors the tunnel is flapping

Check this at your endpoint.

awilderbeast Author Commented:
We're using EIGRP across the tunnel. I pinged the tunnel endpoint, and regardless of EIGRP I should be able to do that, yes?
I'm on 192.168.100.4 pinging 192.168.100.1, so no problems there.

So my dialer interface could be flapping? Problem with ISP?

I rebooted it and it's much more stable now, no drops at all.

arminel Commented:
That ping will fail eventually when the tunnel goes down.

When your tunnel goes down, the first thing I would check would be a ping to the tunnel destination (70.xx.xx.xx). And yes, it's possible your dialer might be flapping, and if that's true, you will lose the route to 70.xx.xx.xx if you've learned it via a routing protocol from the ISP.

netnounours Commented:
If you want the 877 to communicate directly (spoke-to-spoke), I suggest that you change "tunnel destination 77.xxx.xxx.xx" in the tunnel 4 interface to "tunnel mode gre multipoint" on the 877.

Also, the virtual-template is not needed for dmvpn.
 
awilderbeast Author Commented:
If it happens again I will try pinging the external address.

I like hub and spoke.

Also, just another question:
how many wireless connections can an 877w handle? I'm planning on using an access point in an adjacent office that will service about 15 machines/printers etc.

Then forward them all to the 77, which currently has around 4-6 devices connected to it; will it be OK to handle?

Also, I am planning on hosting a webserver behind the same 877w; will that be OK to handle around 500 visits a day?

thanks

awilderbeast Author Commented:
OK, I contacted my ISP; they want me to change the microfilter, but the line test is fine.

If the microfilter change fails, could my 877 be developing a fault?

awilderbeast Author Commented:
Turned out it wasn't my main router, it was the router from the office I was at. It had a crypto error when I monitored it, which turned out to be a bug in the IOS, so I upgraded IOS and it hasn't done it since.
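
Added example, not part of the thread or any poster's code: a Python script for the triage discussed above, pairing each EIGRP neighbor down/up message in a router's syslog and listing interface or crypto messages logged around each outage. Only lines 000109 and 000110 come from the question; the other log lines are constructed, and the `%CRYPTO` mnemonic is a placeholder because the thread does not name the message.

```python
import re
from datetime import datetime, timedelta

# Lines 000109/000110 are quoted from the question; the others are constructed.
SAMPLE_LOG = """\
000109: *Jul 11 03:49:39.759: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is down: holding time expired
000110: *Jul 11 03:51:27.943: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is up: new adjacency
000111: *Jul 11 05:10:02.100: %CRYPTO-4-PLACEHOLDER: constructed line, the thread does not name the message
000112: *Jul 11 05:10:14.500: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is down: holding time expired
000113: *Jul 11 05:11:30.000: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is up: new adjacency
000114: *Jul 11 06:00:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dialer1, changed state to down
000115: *Jul 11 06:00:00.200: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is down: interface down
000116: *Jul 11 06:02:10.200: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.100.1 (Tunnel4) is up: new adjacency
"""

LINE = re.compile(r"^\d+: \*?(\w{3} +\d+ [\d:.]+): %([A-Z0-9_]+)-\d-([A-Z0-9_]+): (.*)$")
NBR = re.compile(r"Neighbor (\S+) \((\S+)\) is (up|down): (.*)")
LOCAL_CAUSES = ("CRYPTO", "LINK", "LINEPROTO")  # facilities worth correlating

def parse(log):
    """Yield (timestamp, facility, mnemonic, text) for each IOS syslog line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:  # IOS omits the year here, so a fixed one is assumed for arithmetic
            ts = datetime.strptime("2000 " + m[1], "%Y %b %d %H:%M:%S.%f")
            yield ts, m[2], m[3], m[4]

def outages(log, window=timedelta(seconds=60)):
    """Pair EIGRP down/up events and list local messages logged around each."""
    events, down_at, found = list(parse(log)), {}, []
    for ts, fac, mnem, text in events:
        n = NBR.search(text) if (fac, mnem) == ("DUAL", "NBRCHANGE") else None
        if not n:
            continue
        key = (n[1], n[2])  # (neighbor address, interface)
        if n[3] == "down":
            down_at[key] = (ts, n[4])
        elif key in down_at:
            start, reason = down_at.pop(key)
            nearby = sorted({f"{f}-{mn}" for t, f, mn, _ in events
                             if f in LOCAL_CAUSES and start - window <= t <= ts})
            found.append({"neighbor": key[0], "interface": key[1], "reason": reason,
                          "seconds": round((ts - start).total_seconds(), 3),
                          "nearby": nearby})
    return found

if __name__ == "__main__":
    for o in outages(SAMPLE_LOG):
        print(o)
```

An outage with an empty `nearby` list, like the one quoted in the question, means nothing local was logged around it, which points the check toward the path to the tunnel destination or the far-end router.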