Solved

Cisco DMVPN

Posted on 2013-10-31
8
611 Views
Last Modified: 2013-11-06
I am currently working with a DMVPN connection between my office and our headquarters.

When the Hub router at headquarters goes down, I have to reboot my router or go in and shut the tunnel down and then no shut to get it to come back alive.

I know this is probably a lifetime command or sa command that it needs.

My question is what configuration is best for this.  When the tunnel goes down, I need it to begin trying to re-negotiate so that I do not have to reboot my router or issue the shut and no shut commands on the tunnel interface.
0
Comment
Question by:considerscs
  • 5
  • 3
8 Comments
 
LVL 17

Accepted Solution

by:
Garry-G earned 500 total points
ID: 39616026
Very unusual ... With DMVPN being just about the easiest way to set up a VPN on Cisco routers, I wonder what you got in the config that causes this ... could you past a sanitized excerpt of the config so we can take a look? Normally, the system should rapidly notice the connection having dropped and attempt to re-establish it ... do you maybe have a keepalive command in the tunnel config? This will not work!
0
 
LVL 1

Author Comment

by:considerscs
ID: 39624287
Sorry for the late response.

Here is a sanitized config.
dmvpn-sanitized.txt
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39625100
Wondering, what do you mean with "going down" as far as the hub router is concerned? Does the router crash, or does your internet connection drop? Can you still reach the router's external Internet IP, and if so, can you ping the tunnel IP? How does "show crypto isa sa" look in that situation? Is one (or both) phase 1 down? Can you try removing encryption temporarily and see whether the tunnel comes back up after a connection loss?
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 1

Author Comment

by:considerscs
ID: 39625110
It is when the ISP goes down.  Thats the only time I have the issue.  If the spoke goes down, it reconnects just fine.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39625139
In that situation, is the phase1 crypto still up on the spoke? What happens if you clear phase 1 on the spoke then?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39625143
phase one is still up then.

If i clear it, then it will reconnect.

Could it be the holdtime of 60 that is causing it in the configuration on the spoke.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39625161
I don't think so, I usually have a holdtime of 300 in my configs and haven't had a problem like that ...

interface Tunnel1
 ip address 172.20.1.13 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 9.9.9.9
 ip nhrp map 172.20.1.1 9.9.9.9
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.20.1.1
 ip nhrp nhs 172.20.1.2
 ip tcp adjust-mss 1400
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel path-mtu-discovery
 tunnel protection ipsec profile dmvpn-profile

Open in new window

0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39625167
It's not really a fix of the crypto problem, but if nothing else works, you could probably use ip sla tracking and a simple EEM script to clear the crypto tunnel and through that restore the service ...
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question