Posted on 2013-10-31
Last Modified: 2013-11-06
I am currently working with a DMVPN connection between my office and our headquarters.

When the Hub router at headquarters goes down, I have to reboot my router or go in and shut the tunnel down and then no shut to get it to come back alive.

I know this is probably a lifetime command or sa command that it needs.

My question is what configuration is best for this.  When the tunnel goes down, I need it to begin trying to re-negotiate so that I do not have to reboot my router or issue the shut and no shut commands on the tunnel interface.
Question by:considerscs
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 18

Accepted Solution

Garry Glendown earned 500 total points
ID: 39616026
Very unusual ... With DMVPN being just about the easiest way to set up a VPN on Cisco routers, I wonder what you got in the config that causes this ... could you past a sanitized excerpt of the config so we can take a look? Normally, the system should rapidly notice the connection having dropped and attempt to re-establish it ... do you maybe have a keepalive command in the tunnel config? This will not work!

Author Comment

ID: 39624287
Sorry for the late response.

Here is a sanitized config.
LVL 18

Expert Comment

by:Garry Glendown
ID: 39625100
Wondering, what do you mean with "going down" as far as the hub router is concerned? Does the router crash, or does your internet connection drop? Can you still reach the router's external Internet IP, and if so, can you ping the tunnel IP? How does "show crypto isa sa" look in that situation? Is one (or both) phase 1 down? Can you try removing encryption temporarily and see whether the tunnel comes back up after a connection loss?
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39625110
It is when the ISP goes down.  Thats the only time I have the issue.  If the spoke goes down, it reconnects just fine.
LVL 18

Expert Comment

by:Garry Glendown
ID: 39625139
In that situation, is the phase1 crypto still up on the spoke? What happens if you clear phase 1 on the spoke then?

Author Comment

ID: 39625143
phase one is still up then.

If i clear it, then it will reconnect.

Could it be the holdtime of 60 that is causing it in the configuration on the spoke.
LVL 18

Expert Comment

by:Garry Glendown
ID: 39625161
I don't think so, I usually have a holdtime of 300 in my configs and haven't had a problem like that ...

interface Tunnel1
 ip address
 no ip redirects
 ip mtu 1440
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast
 ip nhrp map
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs
 ip nhrp nhs
 ip tcp adjust-mss 1400
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel path-mtu-discovery
 tunnel protection ipsec profile dmvpn-profile

Open in new window

LVL 18

Expert Comment

by:Garry Glendown
ID: 39625167
It's not really a fix of the crypto problem, but if nothing else works, you could probably use ip sla tracking and a simple EEM script to clear the crypto tunnel and through that restore the service ...

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question