I am currently working with a DMVPN connection between my office and our headquarters.

When the Hub router at headquarters goes down, I have to reboot my router or go in and shut the tunnel down and then no shut to get it to come back alive.

I know this is probably a lifetime command or sa command that it needs.

My question is what configuration is best for this.  When the tunnel goes down, I need it to begin trying to re-negotiate so that I do not have to reboot my router or issue the shut and no shut commands on the tunnel interface.
Who is Participating?
Garry GlendownConsulting and Network/Security SpecialistCommented:
Very unusual ... With DMVPN being just about the easiest way to set up a VPN on Cisco routers, I wonder what you got in the config that causes this ... could you past a sanitized excerpt of the config so we can take a look? Normally, the system should rapidly notice the connection having dropped and attempt to re-establish it ... do you maybe have a keepalive command in the tunnel config? This will not work!
considerscsAuthor Commented:
Sorry for the late response.

Here is a sanitized config.
Garry GlendownConsulting and Network/Security SpecialistCommented:
Wondering, what do you mean with "going down" as far as the hub router is concerned? Does the router crash, or does your internet connection drop? Can you still reach the router's external Internet IP, and if so, can you ping the tunnel IP? How does "show crypto isa sa" look in that situation? Is one (or both) phase 1 down? Can you try removing encryption temporarily and see whether the tunnel comes back up after a connection loss?
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

considerscsAuthor Commented:
It is when the ISP goes down.  Thats the only time I have the issue.  If the spoke goes down, it reconnects just fine.
Garry GlendownConsulting and Network/Security SpecialistCommented:
In that situation, is the phase1 crypto still up on the spoke? What happens if you clear phase 1 on the spoke then?
considerscsAuthor Commented:
phase one is still up then.

If i clear it, then it will reconnect.

Could it be the holdtime of 60 that is causing it in the configuration on the spoke.
Garry GlendownConsulting and Network/Security SpecialistCommented:
I don't think so, I usually have a holdtime of 300 in my configs and haven't had a problem like that ...

interface Tunnel1
 ip address
 no ip redirects
 ip mtu 1440
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast
 ip nhrp map
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs
 ip nhrp nhs
 ip tcp adjust-mss 1400
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel path-mtu-discovery
 tunnel protection ipsec profile dmvpn-profile

Open in new window

Garry GlendownConsulting and Network/Security SpecialistCommented:
It's not really a fix of the crypto problem, but if nothing else works, you could probably use ip sla tracking and a simple EEM script to clear the crypto tunnel and through that restore the service ...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.