Cisco DMVPN Spoke ISP Redundancy

Hi Dears,
I want to configure DMVPN on Cisco routers with dual ISPs at the spokes: the ADSL link is primary and 3G is the backup, and DMVPN should run over both.
How do I configure this on the hub and spoke sites? I want to use the EIGRP protocol.

Hi Teymur,
You can configure a single tunnel interface on the spoke, with both the primary hub and the secondary hub as next-hop servers, for dual hub and dual ISP on the spoke.
Use an EEM script for failover between your ISP connections; both hubs can be configured on the same tunnel interface.
Introduce delay on the secondary hub's tunnel interface so that it is less preferred.
Spoke Tunnel configuration :
interface Tunnel0
  bandwidth 1000
  ip address 10.10.0.12 255.255.255.0
  ip mtu 1400
  ip nhrp authentication test
  ip nhrp map 10.10.0.1 172.16.1.1
  ip nhrp map 10.10.0.2 172.16.1.2
  ip nhrp map multicast 172.16.1.1   <---- needed so EIGRP multicast hellos reach the primary hub
  ip nhrp map multicast 172.16.1.2   <---- needed so EIGRP multicast hellos reach the secondary hub
  ip nhrp network-id 100000
  ip nhrp holdtime 300
  ip nhrp nhs 10.10.0.1       <---- Primary Hub
  ip nhrp nhs 10.10.0.2       <---- Secondary Hub
  delay 1000
  tunnel source Ethernet0/0   <---- primary WAN interface; the EEM script below switches this
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpnprof
 Primary Hub
 interface Tunnel0
  ip address 10.10.0.1 255.255.255.0
  ip mtu 1400
  ip nhrp authentication test
  ip nhrp map multicast dynamic
  ip nhrp network-id 100000
  ip nhrp holdtime 600
  no ip split-horizon eigrp 1
  delay 1000
  tunnel source Ethernet0
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpnprof
 Secondary Hub
 interface Tunnel0
  ip address 10.10.0.2 255.255.255.0
  ip mtu 1400
  ip nhrp authentication test
  ip nhrp map multicast dynamic
  ip nhrp network-id 100000
  ip nhrp holdtime 600
  no ip split-horizon eigrp 1
  delay 1500                    <--- Increase the delay so that the routes learned from this hub are less preferred
  tunnel source Ethernet0
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpnprof
For Dual ISP failover on Spoke :
 Configure tracking with an IP SLA monitor. Then use an EEM script to change the tunnel source and the default route when the track fails.
 If Ethernet0/0 is the primary WAN interface and Ethernet0/1 is the backup then you can use the below template.
track 1 ip sla 1 reachability
ip sla 1
  icmp-echo <Primary Next-hop IP> source-interface Ethernet0/0
  threshold 3000
  timeout 3000
  frequency 3
ip sla schedule 1 life forever start-time now
ip sla responder
event manager applet Failto-secondary-tunnel
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel0"
 action 1.3 cli command "shut"
 action 1.4 cli command "tunnel source Ethernet0/1"
 action 1.5 cli command "no shut"
 action 1.6 cli command "exit"
 action 1.7 cli command "ip route 0.0.0.0 0.0.0.0 <backup next-hop ip>"
 action 1.8 cli command "ip route 0.0.0.0 0.0.0.0 <Primary next-hop ip> 10"
 action 1.9 cli command "end"
event manager applet Comeback-primary-tunnel
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel0"
 action 1.3 cli command "shut"
 action 1.4 cli command "tunnel source Ethernet0/0"
 action 1.5 cli command "no shut"
 action 1.6 cli command "exit"
 action 1.7 cli command "ip route 0.0.0.0 0.0.0.0 <Primary next-hop ip>"
 action 1.8 cli command "ip route 0.0.0.0 0.0.0.0 <backup next-hop ip> 10"
 action 1.9 cli command "end"
Hope that helps
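As an added example (not part of the original answer), a small Python checker that reads a spoke template plus the SLA probe and the comeback applet and reports the inconsistencies that either break EIGRP over DMVPN or leave the failover half-configured: an NHS without a static map, a hub NBMA address without a multicast map, a missing IPsec profile or NHRP authentication, and a tunnel source that differs from the interface the probe and the applet use. The constructed sample deliberately omits the multicast maps and sources the tunnel from Ethernet0 while the probe and applet use Ethernet0/0; 203.0.113.1 is a placeholder for the primary next-hop IP.

```python
import re

# Constructed sample modelled on the spoke template, SLA probe and comeback
# applet discussed above. It omits the multicast maps and uses Ethernet0 as
# tunnel source on purpose. 203.0.113.1 is a documentation-range placeholder.
SAMPLE_SPOKE = """\
interface Tunnel0
  ip address 10.10.0.12 255.255.255.0
  ip nhrp authentication test
  ip nhrp map 10.10.0.1 172.16.1.1
  ip nhrp map 10.10.0.2 172.16.1.2
  ip nhrp network-id 100000
  ip nhrp nhs 10.10.0.1
  ip nhrp nhs 10.10.0.2
  tunnel source Ethernet0
  tunnel mode gre multipoint
  tunnel protection ipsec profile vpnprof
!
ip sla 1
  icmp-echo 203.0.113.1 source-interface Ethernet0/0
event manager applet Comeback-primary-tunnel
 event track 1 state up
 action 1.4 cli command "tunnel source Ethernet0/0"
"""

# The same template with the two multicast maps added and the tunnel sourced
# from the interface the probe and the comeback applet actually use.
FIXED_SPOKE = SAMPLE_SPOKE.replace(
    "  ip nhrp map 10.10.0.2 172.16.1.2\n",
    "  ip nhrp map 10.10.0.2 172.16.1.2\n"
    "  ip nhrp map multicast 172.16.1.1\n"
    "  ip nhrp map multicast 172.16.1.2\n",
).replace("  tunnel source Ethernet0\n", "  tunnel source Ethernet0/0\n")


def parse_spoke(config):
    """Extract the handful of facts the checks need from IOS-style config text."""
    facts = {"nhs": [], "maps": {}, "multicast": set(), "tunnel_source": None,
             "protected": False, "nhrp_auth": False,
             "sla_source": None, "comeback_source": None}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():                     # top-level command: new section
            if line.startswith("interface Tunnel"):
                section = "tunnel"
            elif line.startswith("ip sla "):
                section = "sla"
            elif line.startswith("event manager applet"):
                section = "comeback" if "comeback" in line.lower() else None
            else:
                section = None
            continue
        if section == "tunnel":
            if (m := re.match(r"ip nhrp nhs (\S+)", line)):
                facts["nhs"].append(m.group(1))
            elif (m := re.match(r"ip nhrp map multicast (\S+)", line)):
                facts["multicast"].add(m.group(1))
            elif (m := re.match(r"ip nhrp map (\S+) (\S+)", line)):
                facts["maps"][m.group(1)] = m.group(2)
            elif (m := re.match(r"tunnel source (\S+)", line)):
                facts["tunnel_source"] = m.group(1)
            elif line.startswith("tunnel protection ipsec profile"):
                facts["protected"] = True
            elif line.startswith("ip nhrp authentication"):
                facts["nhrp_auth"] = True
        elif section == "sla":
            if (m := re.search(r"source-interface (\S+)", line)):
                facts["sla_source"] = m.group(1)
        elif section == "comeback":
            if (m := re.search(r'"tunnel source (\S+)"', line)):
                facts["comeback_source"] = m.group(1)
    return facts


def check_spoke(facts):
    """Return a list of findings; an empty list means the template is consistent."""
    findings = []
    for nhs in facts["nhs"]:
        nbma = facts["maps"].get(nhs)
        if nbma is None:
            findings.append(f"NHS {nhs} has no static 'ip nhrp map' to its NBMA address")
        elif nbma not in facts["multicast"]:
            # EIGRP hellos are multicast; without this map they never reach the hub
            findings.append(f"no 'ip nhrp map multicast {nbma}' for NHS {nhs}")
    if not facts["protected"]:
        findings.append("no 'tunnel protection ipsec profile': GRE would run in the clear")
    if not facts["nhrp_auth"]:
        findings.append("no 'ip nhrp authentication' on the tunnel")
    src = facts["tunnel_source"]
    for label, other in (("IP SLA source-interface", facts["sla_source"]),
                         ("comeback applet tunnel source", facts["comeback_source"])):
        if other is not None and other != src:
            findings.append(f"tunnel source {src} differs from {label} {other}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SPOKE), ("corrected", FIXED_SPOKE)):
        print(f"{name}:")
        for finding in check_spoke(parse_spoke(cfg)) or ["no findings"]:
            print("  -", finding)
```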

Similar Messages

  • Distribute list on DMVPN spoke

    Hi,
    I would need to apply a distribute list on a DMVPN spoke and not sure if that DL needs to be applied at the tunnel interface or the physical interface where the tunnel is sourced. Please let me know if you have any thoughts.
    This is how the configuration looks at other branches that do not have DMVPN configured:
    access-list 1 deny   0.0.0.0
    access-list 1 permit any
    access-list 2 permit 0.0.0.0
    access-list 2 deny   any
    router eigrp 1
    distribute-list 2 in FastEthernet0/0
    distribute-list 1 out FastEthernet0/0
    Thanks,

    If you want to control your routing between the spoke and the hub, you have to apply it to the tunnel interface. Or more generally: to the interface that is enabled for the routing protocol.
    And you should look at the prefix-lists instead of distribute-lists. They are much more flexible once you get used to them.
    http://www.cisco.com/en/US/partner/tech/tk365/technologies_q_and_a_item09186a008012dac4.shtml#fourteen

  • VPN server on 871 already functioning as DMVPN spoke?

    Last week I was sitting in a hotel far away from my family. I wanted to use Skype or MSN Messenger to contact them with a webcam. It didn't work, because there was some huge firewall blocking several ports. So I decided to set up a VPN server @home, so I could access everything I wanted and not be blocked by the firewall of an Islamic state... :-)
    My 871w @home is functioning as a DMVPN spoke which works well.
    Is it possible to contact my router from far away, and then be able to access the internet and my home-lan?
    If someone can point me to a (simple :-) config, I will be very thankful...

    Try these links:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml
    http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd803e7ee9.shtml

  • MPLS BGP routes push to DMVPN spokes

    I have an MPLS with BGP. I also have sites that are not connected directly to the MPLS, but have a s2s VPN to hub sites that are connected to the MPLS and that way they access the MPLS resources. I need to communicate the route changes to the MPLS when the DMVPN fails-over to another hub.
    Currently this is my config:
    Datacenter (MPLS only)
    interface GigabitEthernet0/1
    description MPLS
    ip address 192.168.0.34 255.255.255.252
    interface Vlan2
    ip address 192.168.96.2 255.255.255.0
    router bgp 65511
    bgp log-neighbor-changes
    network 192.168.96.0
    neighbor 192.168.0.33 remote-as 65510
    Hub site 1 (MPLS + internet)
    interface Tunnel200
    ip address 10.99.99.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication auth
    ip nhrp map multicast dynamic
    ip nhrp network-id 12345
    ip nhrp holdtime 600
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key 200
    tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
    description MPLS
    ip address 192.168.1.2 255.255.255.0 secondary
    ip address 192.168.0.2 255.255.255.252
    router bgp 65001
    bgp log-neighbor-changes
    network 192.168.1.0
    network 192.168.21.0
    !10.99 clients are DMVPN spokes
    neighbor 10.99.99.3 remote-as 99010
    neighbor 10.99.99.3 route-reflector-client
    neighbor 10.99.99.21 remote-as 99001
    neighbor 10.99.99.21 route-reflector-client
    !as 65000 is the MPLS PE
    neighbor 192.168.0.1 remote-as 65000
    Hub Site 2, has the same configuration, except for local ip address and router BGP ID.
    Spoke site:
    interface Tunnel200
    ip address 10.99.99.3 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication auth
    ip nhrp map 10.99.99.1 PUBLIC_IP_HUB_1
    ip nhrp map 10.99.99.16 PUBLIC_IP_HUB_2
    ip nhrp network-id 12345
    ip nhrp holdtime 600
    ip nhrp nhs 10.99.99.1 priority 1
    ip nhrp nhs 10.99.99.16 priority 5
    ip nhrp nhs fallback 60
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key 200
    tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
    description Internal
    ip address 192.168.3.1 255.255.255.192
    router bgp 99010
    bgp log-neighbor-changes
    network 192.168.3.0
    neighbor 10.99.99.1 remote-as 65001
    neighbor 10.99.99.16 remote-as 65013
    On this spoke site 
    #sh ip route
    B 192.168.1.0/24 [20/0] via 10.99.99.1, 00:47:01
    which is the HUB network, but the rest of the MPLS routes are not "learned".
    What am I missing?
    Thanks!

    Hi Jon, I've omitted the configuration of the MPLS provider routers in between. The DC is connected to a router that has the AS 65510.
    DC:CPE---PE:{MPLS}PE---CPE:HUB---{internet}---Spoke
    The DC is ok getting the network information via BGP:
    #sh ip route
    B 192.168.3.0/24 [20/0] via 192.168.0.33, 3d05h
    B 192.168.21.0/24 [20/0] via 192.168.0.33, 3d05h
    #sh ip bgp 192.168.21.0
    BGP routing table entry for 192.168.21.0/24, version 559
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 1
    65510 3549 6140 3549 65000
    192.168.0.33 from 192.168.0.33 (###.###.###.###)
    Origin IGP, localpref 100, valid, external, best
    #sh ip route 192.168.21.0
    Routing entry for 192.168.21.0/24
    Known via "bgp 65511", distance 20, metric 0
    Tag 65510, type external
    Last update from 192.168.0.33 3d05h ago
    Routing Descriptor Blocks:
    * 192.168.0.33, from 192.168.0.33, 3d05h ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65510
    MPLS label: none
    Spoke:
    #sh ip bgp
    BGP table version is 494, local router ID is 192.168.21.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
    x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
    Network Next Hop Metric LocPrf Weight Path
    *> 10.0.129.32/27 10.99.99.16 0 65013 65012 3549 ?
    *> 192.168.96.0 10.99.99.16 0 65013 65012 3549 6745 65510 ?
    #sh ip route 192.168.96.0
    Routing entry for 192.168.96.0/24
    Known via "bgp 99001", distance 20, metric 0
    Tag 65013, type external
    Last update from 10.99.99.16 00:02:11 ago
    Routing Descriptor Blocks:
    * 10.99.99.16, from 10.99.99.16, 00:02:11 ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65013
    MPLS label: none
    #sh ip bgp 192.168.96.0
    BGP routing table entry for 192.168.96.0/24, version 465
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 2
    65013 65012 3549 6745 65510
    10.99.99.16 from 10.99.99.16 (10.2.16.1)
    Origin incomplete, localpref 100, valid, external, best
    The route is not being updated to the rest of the routers, and the 192.168.21.0 network is still announced via the old route.
    (from spoke)
    ping 192.168.96.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.96.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    From DC
    #traceroute 192.168.21.1
    Type escape sequence to abort.
    Tracing the route to 192.168.21.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.0.33 [AS 65510] 0 msec 0 msec 0 msec
    2 172.50.1.33 [AS 65510] 56 msec 36 msec 36 msec
    3 10.80.1.1 [AS 3549] 44 msec 44 msec 44 msec
    4 10.80.1.2 [AS 3549] 172 msec 172 msec 168 msec
    5 172.50.1.1 [AS 3549] 168 msec 168 msec 172 msec
    6 172.50.1.2 [AS 3549] 180 msec 180 msec 176 msec
    7 192.168.0.2 [AS 65000] 172 msec 172 msec 168 msec <- old route, should be 192.168.0.9
    8 192.168.0.2 [AS 65000] !H * !H

  • ISP Redundancy no work

    Hello, I have a TMG array (NLB) with 4 servers. I tried to configure ISP Redundancy (load balancing): I added a second network adapter to my virtual servers and configured it using the article
    http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html but my balancing is not working across the array or in general, or it throws packets at random. Perhaps the problem is in the Windows 2008 R2 routing table. On all
    servers the table has two routes
    0.0.0.0 0.0.0.0 IP_ISP1 metric 2
    0.0.0.0 0.0.0.0 IP_ISP2 metric 3
    Please help, why does balancing not work?

    Hi,
    Thank you for the update.
    “Your answer only applies to published applications? I have not balanced outbound.” - ISP Redundancy is used to balance outbound traffic between two links. NLB is used to load balance inbound traffic across the TMG array.
    To configure ISP-R, you may read the following articles:
    http://blogs.technet.com/b/isablog/archive/2009/02/16/keeping-high-availability-with-forefront-tmg-s-isp-redundancy-feature.aspx
    http://blogs.technet.com/b/isablog/archive/2009/10/14/the-isp-redundancy-feature-of-forefront-tmg.aspx
    Regards,
    Nick Gu - MSFT

  • ISP redundancy and reverse proxy

    Greetings, community!
    We have two EDGE TMG servers and two INTERNAL TMG servers.
    We have two providers with two dedicated external IP addresses each.
    I configured ISP Redundancy on each EDGE TMG server with these parameters:
    Each EDGE TMG server has two External NIC and one Internal NIC. 
    EDGE 1: Provider1_IP1 and Provider2_IP1
    EDGE 2: Provider1_IP2 and Provider2_IP2
    ISP Connections:
    Provider1 and Provider2
    So, the trouble:
    We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
    Also we made 4 external DNS records for each Web-Service.
    For example:
    mail.domain.com Provider1_IP1
    mail.domain.com Provider1_IP2
    mail.domain.com Provider2_IP1
    mail.domain.com Provider2_IP2
    If we try to connect from external to any published Web-Services, we have big delay (~ 30 sec), and then it connected.
    After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. The IP addresses of EDGE 1 are unavailable from external access, but it still works as a web proxy for internal connections. Reverse proxy works only for the EDGE 2 IP addresses.
    If we shut down the EDGE 2 TMG server, then reverse proxy for the EDGE 1 IP addresses works correctly.
    Why do not all 4 of my external IP addresses work for reverse proxy? Only the 2 from one of my EDGE servers do.

    So, I still try to solve my problem...
    When I try to connect from External to one of my EDGE1 IP addresses, I got these logs:
    LOGS on DMZ server (EDGE1):
    Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3427) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 21000ms Original Client IP: 77.73.111.194 
    LOGS on INTERNAL server:
    Initiated Connection BLK-TMG-02 21.07.2014 11:27:20 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection BLK-TMG-02 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection was abortively closed after one of the peers sent an RST packet.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 304 Number of bytes received: 192
    Processing time: 20281ms Original Client IP: 77.73.111.194
    When I try to connect my EDGE2 server external IP addresses, then:
    LOGS on DMZ server (EDGE2):
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 534 Number of bytes received: 146
    Processing time: 203ms Original Client IP: 77.73.111.194
    Then traffic was redirected to HTTPS:
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTPS 
    Source: External (77.73.111.194:3430) 
    Destination: Internal (172.16.0.100:443) 
    Protocol: HTTPS Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    LOGS on INTERNAL server:
    Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
    Rule: Publish OWA 
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: http 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 1 MIME type:  
    It's OK, because IIS require SSL. Then:
    Initiated Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194 
    Closed Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 786 Number of bytes received: 318
    Processing time: 15ms Original Client IP: 77.73.111.194
    And HTTPS:
    Allowed Connection BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 302 Moved Temporarily 
    Rule: Publish OWA 
    Source: External (77.73.111.194:3430) 
    Destination: Local Host (10.1.200.129:443) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: https 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x40000000 (Response should not be cached.)
    Processing time: 1 MIME type: text/html; charset=UTF-8 
    I can't understand the difference between these servers. If I shut down EDGE2, the publishing works fine through EDGE1.

  • ForeFront TMG ISP Redundancy - Lost of internet connectivity

    I set up ISP redundancy on Forefront TMG, which has my Exchange 2010 server published through it. If both external NICs are enabled, I lose internet connectivity. If either NIC is enabled and the other disabled, I get internet connectivity. Any ideas?

    Hi,
    Based on my knowledge, it may be caused by path mismatch.
    Simply put, the DNS request goes in through ISP1 and the DNS reply goes out through ISP2.
    However, we still need you to verify this, you can capture the packets on remote users to see if the destination IP in dns request and the source IP in dns reply are the same.
    Please also check the TMG live logging to see if there is any error information.
    Best Regards
    Quan Gu

  • DMVPN Dual ISPs with EIGRP

    Hi expert,
    I am facing an EIGRP routing issue; could anyone kindly assist...
    The topology is as below; each router has only two tunnels and runs in the same EIGRP AS.
    Here is my question, in red with underline:
    R2: sh ip ro 
    D    192.168.30.0/24 [90/310172416] via 192.168.1.1, 01:08:05, Tunnel1
                                          [90/310172416] via 192.168.0.3, 01:08:05, Tunnel0
    R3: sh ip ro 
    D    192.168.20.0/24 [90/310172416] via 192.168.1.1, 01:12:25, Tunnel1
                                         [90/310172416] via 192.168.0.2, 01:12:25, Tunnel0
    The result seen above is not what I expect; as I understand it:
    at R2, 192.168.30.0 learned from Tunnel1 should be via 192.168.1.3, not the red one
    at R3, 192.168.20.0 learned from Tunnel1 should be via 192.168.1.2, not the red one
    because via 192.168.1.1 means the traffic must go through R1 (spoke to hub), not spoke to spoke, am I right?
    I hope the route between R2 and R3 can always use the spoke-to-spoke tunnel.
    I also checked the NHRP and IPsec status; everything looks to be working properly except the EIGRP route I mention above.
    Here is configuration:
    R1:
    interface Loopback0
     ip address 192.168.10.254 255.255.255.0
    interface Tunnel0
     ip address 192.168.0.1 255.255.255.0
     no ip redirects
     ip accounting output-packets
     ip hold-time eigrp 1 35
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 10
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.16.15.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    interface Tunnel1
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     ip accounting output-packets
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     ip nhrp holdtime 10
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.17.15.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    router eigrp 1
     network 192.168.0.0
     network 192.168.1.0
     network 192.168.10.0
     no auto-summary
    R2:
    interface Tunnel0
     ip address 192.168.0.2 255.255.255.0
     no ip redirects
     ip hold-time eigrp 1 35
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.0.1 172.16.15.2
     ip nhrp map multicast 172.16.15.2
     ip nhrp network-id 1
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.0.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.16.25.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    interface Tunnel1
     ip address 192.168.1.2 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.1.1 172.17.15.2
     ip nhrp map multicast 172.17.15.2
     ip nhrp network-id 2
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.1.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.17.25.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    router eigrp 1
     network 192.168.0.0
     network 192.168.1.0
     network 192.168.20.0
     no auto-summary
    R3
    interface Loopback0
     ip address 192.168.30.254 255.255.255.0
    interface Tunnel0
     ip address 192.168.0.3 255.255.255.0
     no ip redirects
     ip hold-time eigrp 1 35
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.0.1 172.16.15.2
     ip nhrp map multicast 172.16.15.2
     ip nhrp network-id 1
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.0.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.16.35.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    interface Tunnel1
     ip address 192.168.1.3 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.1.1 172.17.15.2
     ip nhrp map multicast 172.17.15.2
     ip nhrp network-id 2
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.1.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.17.35.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    router eigrp 1
     network 192.168.0.0
     network 192.168.1.0
     network 192.168.30.0

    Hi AllertGen ,
    Each router's Tunnel0 and Tunnel1 work well; they can all ping each other's IPs via Tunnel0 and Tunnel1 (192.168.0.0/24 & 192.168.1.0/24),
    and each router also has two physical interfaces connected to different ISPs.
    In this topology, my purpose is that spoke-to-spoke traffic will have two routes via the two NHRP clouds; I keep the same EIGRP priority at each router just for equal-cost load sharing. The more important thing is the next-hop IP.
    Actually, the IPsec function is not my concern so far. I just tried your suggestion to add "shared" at the end of the line; it still gives the same result. But as I understand it, if there is anything wrong with the IPsec profile, the tunnel won't work well, am I right?
    Thanks for your kind assist
    Here is some show result at each router , hope that's helpful.
    R1
    R1#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            172.16.15.2     YES NVRAM  up                    up      
    FastEthernet0/1            172.17.15.2     YES NVRAM  up                    up      
    Loopback0                  192.168.10.254  YES NVRAM  up                    up      
    Tunnel0                    192.168.0.1     YES NVRAM  up                    up      
    Tunnel1                    192.168.1.1     YES NVRAM  up                    up    
    R1#sh dmvpn 
    Tunnel0, Type:Hub, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.16.25.2     192.168.0.2    UP    never D    
         1     172.16.35.2     192.168.0.3    UP    never D    
    Tunnel1, Type:Hub, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.17.25.2     192.168.1.2    UP    never D    
         1     172.17.35.2     192.168.1.3    UP    never D 
    R1#sh ip eigrp top
    P 192.168.10.0/24, 1 successors, FD is 128256
            via Connected, Loopback0
    P 192.168.0.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel0
    P 192.168.1.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel1
    P 192.168.30.0/24, 2 successors, FD is 297372416
            via 192.168.0.3 (297372416/128256), Tunnel0
            via 192.168.1.3 (297372416/128256), Tunnel1
    P 192.168.20.0/24, 2 successors, FD is 297372416
            via 192.168.0.2 (297372416/128256), Tunnel0
            via 192.168.1.2 (297372416/128256), Tunnel1
    R1#sh ip nhrp 
    192.168.0.2/32 via 192.168.0.2, Tunnel0 created 20:53:39, expire 00:00:07
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.16.25.2 
    192.168.0.3/32 via 192.168.0.3, Tunnel0 created 20:53:38, expire 00:00:08
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.16.35.2 
    192.168.1.2/32 via 192.168.1.2, Tunnel1 created 4d17h, expire 00:00:07
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.17.25.2 
    192.168.1.3/32 via 192.168.1.3, Tunnel1 created 4d17h, expire 00:00:08
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.17.35.2 
    R2
    R2#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            172.16.25.2     YES NVRAM  up                    up      
    FastEthernet0/1            172.17.25.2     YES NVRAM  up                    up      
    Loopback0                  192.168.20.254  YES NVRAM  up                    up      
    Tunnel0                    192.168.0.2     YES NVRAM  up                    up      
    Tunnel1                    192.168.1.2     YES NVRAM  up                    up      
    R2#sh dmvpn 
    Tunnel0, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.16.15.2     192.168.0.1    UP    4d17h S    
         1     172.16.35.2     192.168.0.3    UP    never D    
    Tunnel1, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.17.15.2     192.168.1.1    UP    4d17h S    
         1     172.17.35.2     192.168.1.3    UP    never D    
    R2#sh ip eigrp topology 
    P 192.168.10.0/24, 2 successors, FD is 297372416
            via 192.168.0.1 (297372416/128256), Tunnel0
            via 192.168.1.1 (297372416/128256), Tunnel1
    P 192.168.0.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel0
    P 192.168.1.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel1
    P 192.168.30.0/24, 2 successors, FD is 310172416
           192.168.0.3 via 192.168.0.1 (310172416/297372416), Tunnel0
            via 192.168.1.1 (310172416/297372416), Tunnel1
    P 192.168.20.0/24, 1 successors, FD is 128256
            via Connected, Loopback0
    R2#sh ip nhrp 
    192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d20h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.16.15.2 
    192.168.0.3/32 via 192.168.0.3, Tunnel0 created 00:00:14, expire 00:00:51
      Type: dynamic, Flags: router nat 
      NBMA address: 172.16.35.2 
    192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d20h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.17.15.2 
    192.168.1.3/32 via 192.168.1.3, Tunnel1 created 00:00:12, expire 00:00:53
      Type: dynamic, Flags: router nat 
      NBMA address: 172.17.35.2
    R3
    R3#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            172.16.35.2     YES NVRAM  up                    up      
    FastEthernet0/1            172.17.35.2     YES NVRAM  up                    up      
    Loopback0                  192.168.30.254  YES NVRAM  up                    up      
    Tunnel0                    192.168.0.3     YES NVRAM  up                    up      
    Tunnel1                    192.168.1.3     YES NVRAM  up                    up      
    R3#sh dmvpn        
    Tunnel0, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.16.15.2     192.168.0.1    UP    4d17h S    
         1     172.16.25.2     192.168.0.2    UP    never D    
    Tunnel1, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.17.15.2     192.168.1.1    UP    4d17h S    
         1     172.17.25.2     192.168.1.2    UP    never D    
    R3#sh ip eigrp topology 
    P 192.168.10.0/24, 2 successors, FD is 297372416
            via 192.168.0.1 (297372416/128256), Tunnel0
            via 192.168.1.1 (297372416/128256), Tunnel1
    P 192.168.0.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel0
    P 192.168.1.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel1
    P 192.168.30.0/24, 1 successors, FD is 128256
            via Connected, Loopback0
    P 192.168.20.0/24, 2 successors, FD is 310172416
           192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
            via 192.168.1.1 (310172416/297372416), Tunnel1
    R3#sh ip nhrp 
    192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d17h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.16.15.2 
    192.168.0.2/32 via 192.168.0.2, Tunnel0 created 00:00:43, expire 00:00:22
      Type: dynamic, Flags: router nat 
      NBMA address: 172.16.25.2 
    192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d17h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.17.15.2 
    192.168.1.2/32 via 192.168.1.2, Tunnel1 created 00:01:02, expire 00:00:48
      Type: dynamic, Flags: router nat implicit used 
      NBMA address: 172.17.25.2 

  • DMVPN spoke to spoke connection

    Hi Everyone,
    Need to confirm something about DMVPN: say R1 is the hub and R2 and R3 are spokes.
    If R2 needs to talk to R3, will it use NHRP and go to R3 via R1?
    Is there any way that R2 can talk to R3 directly using NHRP?
    Regards
    Mahesh

    You mix some functionalities here:
    NHRP is used in DMVPN to register the spokes on the hub and give them the possibility to ask the hub for actual spoke-addresses. With that, NHRP is always between the spokes and the hub. just see this as control-traffic. There is no need to takl spoke-to-spoke here.
    When the spoke is aware of the public IP of a different spoke it want's to talk to, then the IPSec-connection is buid directly between the spokes.
    Sent from Cisco Technical Support iPad App

  • DMVPN spoke to spoke not established

    In the attached topology I am advertising the tunnel IP and loopbacks for the specific hub and spokes in their EIGRP; there is connectivity between all, but still EIGRP routes are not coming and it's flapping. ISAKMP is on, and the tunnel is also up. I am also attaching the hub and spoke configs and the topology for your reference.
    This is the error message:
    7:09.791: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:57:11.351: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.12.1, prot=50, spi=0x77DF7896(2011134102), srcaddr        in use settings ={Transport, }
            conn id: 29, flow_id: SW:29, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4405256/3495)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    *Mar  1 00:57:21.895: YPTO-6-PRINTABORT: deletion caused early termination of show output for identity
    R1#
    *Mar  1 00:09:49.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:09:50.051: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency
    *Mar  1 00:11:00.311: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:11:00.775: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is up: new adjacency
    *Mar  1 00:11:09.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:11:11.551: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency

    For some reason, my spoke to spoke tunnel doesn't stay up when my hub goes down. Not sure what I am missing. Please help!!
    Hub:
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 10
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon
     ip summary-address eigrp 10 10.1.0.0 255.255.0.0
     tunnel source 1.1.1.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    spoke 1: 
    interface Tunnel0
     ip address 172.16.1.7 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.7.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    Spoke 2:
    interface Tunnel0
     ip address 172.16.1.6 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.6.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end

  • Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

    Hi Gurus,
    I have a requirement to fulfil: there are 2 sites between which I need to create an IPsec tunnel. A remote site running a Checkpoint NGX 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers, for both ISP and hardware redundancy. I have only done the VPN setup with one ISR and ISP1 so far.
    I am planning to have just 1 ISR (ISR1) and ISP1 being active at any given time. If ISP1 or ISR1 goes out, all traffic should fail over to ISR2 with ISP2.
    Is this possible with the ISRs?
    Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN IP addresses in the same encryption domain or 'interesting traffic', so I am not sure if this will work at all.
    BGP won't be used.
    I have looked at IP SLA and PBR, and it appears that the best I could achieve would be VPN traffic via ISR1 and ISP1, and I could fail over only the non-VPN traffic to ISR2 and ISP2. Please correct me if I am wrong... many thanks.
    Any ideas will be greatly appreciated..
    Civicfan

    I found the problem but don't know how to fix it now!
    The problem is on siteB, which uses the same ACL name "SiteA" in both sequence numbers of crypto map "outside_map":
    crypto map outside_map 9 match address SiteA
    crypto map outside_map 9 set peer 212.89.229.xx
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    crypto map outside_map 10 match address SiteA
    crypto map outside_map 10 set peer 212.89.235.yy
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    If I remove:
    no crypto map outside_map 9 match address SiteA
    the IPsec through the 2nd ISP on siteA works correctly.
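    The configuration below is an added example, not the poster's own, showing the shape that avoids the problem just described: a single crypto map entry that matches the SiteA ACL once and lists both SiteA WAN addresses as peers, so the device moves to the second peer when the first is unreachable instead of leaving sequence 10 permanently shadowed by sequence 9. The flat `crypto map outside_map 9 ...` form in the post is ASA/PIX syntax, so that syntax (pre-8.4) is kept here as an assumption; the peer addresses are the thread's masked placeholders, and the pre-shared key and DPD timers are assumed values. On an IOS router the same idea is two `set peer` lines inside one `crypto map ... ipsec-isakmp` entry.

    ```cisco
    ! Before (from the post): seq 9 and seq 10 both "match address SiteA",
    ! so seq 9 always matches first and seq 10 is never consulted.
    !
    ! After: one entry listing both SiteA WAN addresses as peers. The
    ! firewall tries them in order and moves on when the first does not
    ! answer (DPD, configured per tunnel-group below, detects a dead peer).
    crypto map outside_map 9 match address SiteA
    crypto map outside_map 9 set peer 212.89.229.xx 212.89.235.yy
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    ! A multi-peer entry is only honoured when this side originates the tunnel
    crypto map outside_map 9 set connection-type originate-only
    !
    ! Remove the shadowed second entry entirely
    no crypto map outside_map 10 match address SiteA
    no crypto map outside_map 10 set peer 212.89.235.yy
    no crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    no crypto map outside_map 10 set security-association lifetime seconds 28800
    no crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    !
    ! Each peer address needs its own tunnel-group carrying the pre-shared key
    ! (assumed value SITEA-PSK) and ISAKMP keepalives (assumed timers)
    tunnel-group 212.89.229.xx type ipsec-l2l
    tunnel-group 212.89.229.xx ipsec-attributes
     pre-shared-key SITEA-PSK
     isakmp keepalive threshold 10 retry 3
    tunnel-group 212.89.235.yy type ipsec-l2l
    tunnel-group 212.89.235.yy ipsec-attributes
     pre-shared-key SITEA-PSK
     isakmp keepalive threshold 10 retry 3
    ```

    The `originate-only` requirement is the practical caveat: with a multi-peer entry, siteB must be the side that brings the tunnel up, and siteA's gateways answer. If traffic must be able to initiate the tunnel from siteA as well, the remote side needs a single reachable address (or a separate encryption domain per ISP, which the Checkpoint side in this thread does not allow).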

  • DMVPN spoke problem

    Hi,
    One of the spoke routers (871 ISR, c870-advipservicesk9-mz.124-24.T8.bin) randomly loses its DMVPN
    connection to Hub1 (2901 ISR). When the connection is lost, the hub's real IP address is reachable, IPsec
    Phase 1 and 2 seem OK, and the spoke's tunnel interface IP shows as registered.
    "show crypto ipsec sa" on the spoke shows 0 decaps; the encaps value increments.
    On Hub1 both the decaps and encaps values for the tunnel with the spoke increment. Another DMVPN tunnel
    on the same spoke to Hub2 is working fine.
    Any ideas?

    I can tell you that auto-enroll will not work unless your CA server is set to grant auto and currently has a shadow (rollover) cert ready to install. However, that does not explain why the manual process failed. You need to address that before you attempt to correct the auto-enroll.

  • DMVPN - Spoke to Spoke tunnel

    Hi,
    Once a Spoke to Spoke tunnel is established, what happens if the Hub goes down? Does the Spoke to Spoke tunnel remain active? 


  • DMVPN Spoke with 2 internet link

    Hi All,
    I am stuck in a situation where we have 2 hubs, one in HQ and one in the DR site. Both hubs are configured with different DMVPN clouds. We have some branches with two internet links, one ADSL and another 3G.
    I want to set up DMVPN in such a way that if ADSL goes down, the DMVPN tunnel should come up via 3G.
    What I know is that I would require different tunnels on the spoke to achieve this. Currently on each spoke I have two tunnels, one terminating on HQ and another terminating on DR, and both are live. I am managing routes via EIGRP.
    My question is: do I need to create another DMVPN cloud for this to work, as I cannot use the same subnet IP on the new tunnels which will have 3G as source? Or shall I create a new subnet for the tunnels which will work over 3G?
    If I create a new tunnel for the 3G network, then what will be the configuration on HQ & DR, as we have only one internet link at DR & HO?
    Can anybody help me with this?
    I just need an idea of how to achieve it. My full DMVPN is working over the internet, no private MPLS.

    Hi Jain,
    You can keep HQ and DR in the same DMVPN cloud. In HQ, do a static NHRP map to DR, and vice versa.
    On the spoke routers, create two static NHRP maps and two NHS entries.
    interface Tunnel0
    description Spoke
    ip nhrp map multicast HQ-WAN-IP
    ip nhrp map HQ-Tunnel-IP HQ-WAN-IP
    ip nhrp map multicast DR-WAN-IP
    ip nhrp map DR-Tunnel-IP DR-WAN-IP
    ip nhrp network-id 123
    ip nhrp holdtime 60
    ip nhrp nhs HQ-Tunnel-IP
    ip nhrp nhs DR-Tunnel-IP
    This will allow you to use one DMVPN cloud for two hubs.
    Secondly, for spoke failover to 3G, you would need to create another DMVPN tunnel on the hub and spoke routers.
    On the hub, use a different tunnel IP, but the tunnel source will be the same. For this to work, I suggest you use DMVPN over IPsec. Use a different tunnel key and ip nhrp network-id for each tunnel interface. Use the "shared" keyword when applying the IPsec profile to the tunnel interface.
    Sample config at the hub (I only show the differences in the tunnel config):
    interface Tunnel0
    description ***Primary Tunnel***
    ip address x.x.x.x
    ip nhrp network-id 1
    tunnel key 1
    tunnel protection ipsec profile TN-DMVPN shared
    interface Tunnel1
    description ***Backup Tunnel***
    ip address y.y.y.y
    ip nhrp network-id 2
    tunnel key 2
    tunnel protection ipsec profile TN-DMVPN shared
    On the spoke, configure the same as the primary tunnel, but make sure to change the network-id and tunnel key. Here you may not need the "shared" keyword when applying the IPsec profile.
    Hope this helps.
    Regards,
    Nagis
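    Putting the two halves of the answer above together, here is an added example (written for this edit, not configuration from any of the posts) of a hub with one WAN address serving two DMVPN clouds and a spoke that joins the first cloud over ADSL and the second over 3G. Everything concrete is an assumption: the hub WAN address 203.0.113.1, the tunnel subnets, the spoke LAN 192.168.12.0/24, the `Dialer0`/`Cellular0` interface names, the `ISP-3G` VRF name and the key values. The 3G transport sits in a front-door VRF so that Tunnel1's GRE/IPsec packets always leave through the cellular link regardless of which default route the global table holds; with IKEv1 pre-shared keys that needs a keyring bound to that VRF. The `delay` values make EIGRP prefer the ADSL path in both directions, so when the ADSL link fails and the Tunnel0 adjacency drops, the routes via Tunnel1 take over within the EIGRP hold time. The hub needs `shared` on both tunnels because they use one source; the spoke does not, because its tunnels have different sources. The DR hub joins each cloud exactly as the first half of the answer shows: a second `ip nhrp map`/`ip nhrp nhs` pair on each spoke tunnel and matching tunnel interfaces on the DR router.

    ```cisco
    ! ===== Hub: one WAN address (203.0.113.1, assumed), two DMVPN clouds =====
    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
    crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 3 periodic
    crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
     mode transport
    crypto ipsec profile TN-DMVPN
     set transform-set AES256-SHA
    !
    interface Tunnel0
     description Primary cloud, spokes join over ADSL
     ip address 10.10.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon eigrp 10
     delay 1000
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile TN-DMVPN shared
    !
    interface Tunnel1
     description Backup cloud, spokes join over 3G
     ip address 10.10.1.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     no ip split-horizon eigrp 10
     delay 1500
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 2
     tunnel protection ipsec profile TN-DMVPN shared
    !
    router eigrp 10
     network 10.10.0.0 0.0.1.255
     network 10.1.0.0 0.0.255.255
    !
    ! ===== Spoke: ADSL on Dialer0 (global table), 3G on Cellular0 (fVRF) =====
    ip vrf ISP-3G
    !
    crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
    crypto keyring KR-3G vrf ISP-3G
     pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN-PSK
    ! (isakmp policy, transform set and profile TN-DMVPN identical to the hub)
    !
    interface Cellular0
     ip vrf forwarding ISP-3G
     ip address negotiated
    ip route vrf ISP-3G 0.0.0.0 0.0.0.0 Cellular0
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    interface Tunnel0
     description Primary DMVPN to HQ over ADSL
     ip address 10.10.0.12 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map 10.10.0.1 203.0.113.1
     ip nhrp map multicast 203.0.113.1
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp nhs 10.10.0.1
     delay 1000
     tunnel source Dialer0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile TN-DMVPN
    !
    interface Tunnel1
     description Backup DMVPN to HQ over 3G
     ip address 10.10.1.12 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map 10.10.1.1 203.0.113.1
     ip nhrp map multicast 203.0.113.1
     ip nhrp network-id 2
     ip nhrp holdtime 300
     ip nhrp nhs 10.10.1.1
     delay 1500
     tunnel source Cellular0
     tunnel vrf ISP-3G
     tunnel mode gre multipoint
     tunnel key 2
     tunnel protection ipsec profile TN-DMVPN
    !
    router eigrp 10
     network 10.10.0.0 0.0.1.255
     network 192.168.12.0
    ```

    With this layout both tunnels stay up and the 3G cloud carries only EIGRP hellos and NHRP registrations until the ADSL path disappears; `show dmvpn` on the spoke should list the hub as an `S`tatic NHRP peer on both Tunnel0 and Tunnel1, and `show ip route` should show the HQ prefixes via Tunnel0 only. If the 3G link is metered, an IP SLA track on the ADSL next hop plus an EEM applet that brings Tunnel1 out of shutdown only when the track fails is the usual alternative to an always-on backup tunnel.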
