DMVPN Single Hub failover

Hi All,
I have my hub (HQ) and spoke (RO) network. My RO has several WAN links which are extremely unreliable. I get an IP-address via DHCP on those interfaces and I'm behind a NAT.
However I would like to monitor the devices in my RO so DMVPN would be a good sollution. When I configure my DMVPN I cant specify my source address/interface because I have multiple and those might be non-routable addresses.
How can I solve this? Is it possible to solve? If not, is it possible to solve when all my WAN addresses are routable (still behind NAT and DHCP).

I did some research and if i'm corrent there are three ways to solve this issue;
1: Multiple tunnels (one for each uplink).
2: Interface state tracking
3: Something with vrf or nhrp
If someone could push me in the right direction It would be much appreciated.

Similar Messages

How-To: Comparing DMVPN Single & Dual Tier Architectures - IPSec VPN & mGRE Termination

Greetings to everyone,
I'd like to share a recent article we published that covers the differences between Single and Dual Tier DMVPN deployments. The article aims to help engineers understand the differences at the IPSec VPN level and its termination on the HUB router.
Those interested can following the link below to read up on this hot topic:
Firewall.cx - Comparing DMVPN Single & Dual Tier Architectures - IPSec VPN & mGRE Termination
Topics Covered (Diagram included for every scenario):
- Single Tier Headend, How IPSec Tunnel mode terminate on Hub
- Single Tier Headend, How mGRE Tunnels terminate on Hub
- Dual Tier Headend, How IPSec Tunnel mode terminate on Frontend Router
- Dual Tier Headend, How mGRE Tunnels terminate on Hub
- Links to similar articles that will surely interest
Feedback is always welcome.
Thanks,
Chris.

You might be running a bug, try to check the Cisco Bug Toolkit for a bug (Or Cisco TAC).
Also try to capture the debug as the why the VPN is failing. Since EIGRP packets flow continuously the tunnel should not go down.
Regards
Farrukh

DMVPN DUAL HUB SINGLE CLOUD CONFIGURATION EXAMPLE

Hi,
I am looking for a simple configuration for a dmvpn network running eigrp with two hubs on a single cloud.
Do i just create two nhs entries, nhrp map entries, and two multicast entries on the spoke router tunnel interfaces? And on the hub routers add a delay on the tunnel interfaces for the one i prefer to be the secondary?
I am looking for confirmation and any other tweaks i need to make. i cant seem to find any examples.
Thanks in advance!!

Thanks Paul, I have looked over this design guide as this was the fist place i went. however, i cannot find a configuration example for dual hub/single cloud.
i see the high level design and know you can do it. but it doesnt show what the configuration would look like...unless i am just reading over it.
Thanks

DMVPN dual hub - qos preclasify limitation

Hi,
Reading the DMVPN design guide I found: "qos pre-classify is not supported in an architecture that implements two different headends for mGRE tunnels and VPN tunnels."
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008075ea98.pdf
Currently i am using a single headed DMVPN design with qos preclasify configured on the hub and voice works just perfect. My concern is with regards to implementing a secondary hub for redundancy. How will the qos be handled if the qos preclasify is not supported?
Thanks,

I'm not aware of any limiation if you're using two separate tunnel interfaces (as opposed to two NHRP mappings on a single tunnel interface).
Nor does:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-per-tunnel-qos.html#GUID-182BD32F-56D4-479C-BFEF-B9738291E046
mention any.
If in doubt, please open a TAC case.

Event Hub failover implementation

EventProcessorHost provides a persistent checkpoint storage in blob for failover. But this is only a convenience for failover not failover itself.
Event Hub does not have similar concept as Message Queue paired namespaces for queue redundancy (failover). How would one implement Event Hub redundancy easily?

hi - thanks for your suggestion, but adding "UserProperties" JSON array to the content of the message does not seem to work. When the message is received through IEventProcessor.ProcessEventsAsync()
the Properties dictionary on the EventData instance is still empty.
Please let me clarify what I am trying to achieve here.
I have a plain HTTP client (C++ client) sending messages to the Event Hub via HTTPS. I am trying to achieve similar to
this as I would in a C# client with the service bus client library for event hub:
SomeEventBody body = new SomeEventBody { SomeData = 100 };
EventData data = new EventData(body, serializer) //Object and serializer
// *** I WANT TO SET PROPERTIES ON THE EVENTDATA LIKE THIS ***
data.Properties.Add("Type", "Telemetry_" + DateTime.Now.ToLongTimeString());
await client.SendAsync(data); // Send single message async
When this message is received at the event hub processor, I am able to access EventData.Properties and use the "Type" property in the dictionary.
I want to be able to set the same "Type" property when I send this message from a plain HTTP client, and when the message is received by the event processor I want to be able to read the value out of the dictionary in the same way. I can't though
- because EventData.Properties is always just an empty collection

DMVPN Dual Hub

Hello
I have one Hub Router 2901 with 2 Internet Provider whichare connected by 2 off. IP`s. If the primary connection goes down the router switch to the second connection on the wan interface. This works perfect.
Now my problem.
I have 4 Spoke-Router 881 3G wichshould be connected by DMVPN with the Hub. DMVPN works perfect on the primary connection. If the primary connection goes down and the second (backup) on. DMVPN is down.
is ist possible to connect the tunnel interface to 2 adresses? If i insert a 2nd ip nhrp map und ip nhrp multicast i cannnot send any data over the Tunnel.
thanks for help !!!
interface Tunnel1
description DMVPN zu ASCOM-HUB1
bandwidth 100000
ip address 10.100.0.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
ip nhrp authentication NhrP-K3y
ip nhrp map multicast XXX.XXX.XXX.XXX
ip nhrp map 10.100.0.250 XXX.XXX.XXX.XXX
ip nhrp network-id 1
ip nhrp nhs 10.100.0.250
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN

Hello
Thanks
I have 2 differend ISP`s with differend Ip`s.
So i insert a small photo how it looks like. The orange VPN`s work fine but if the Telekom crash and the hub switch to UPC the DMVPN is not working.
Here is the config from the hub.
So is it possible to insert more than one ip nhrp map address?
Thanks
interface Tunnel0
description HUB1-DMVPN
bandwidth 1000000
bandwidth inherit
ip address 10.100.0.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip verify unicast reverse-path
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
no ip split-horizon eigrp 1
ip nhrp authentication XXXXXX
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly in
ip tcp adjust-mss 1360
delay 10
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN

Dual DMVPN Dual Hub Request for Help?

                   Hello Anyone with DMVPN experience,
                    Can you please have a look at my DMVPN queries in the attached document?
                    Thank you
                    Regards
                    Phuc Le

Hi Phuc Le,
I found for you a quite detailed design and implementation guide. Please read carefully and implement a test bed. I'm sure you will get support for specific issues if you run into problems.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
These documents are carefully written and I never encountered any problems with such reference implementations.
Also: Please don't formulate your questions in an attached document, this makes it diffucult for us to give you answers.
Best regards, MiKa

Dmvpn or getvpn or DVTI

Hello
actually i have situation as discuss below and I'm confused about design and implement which VPN topology i have to choose DMVPN, GETVPN or DVTI
i have 4 branch and 1 main site, branches have 2 connectivity to HQ one via INTERNET an another via MPLS, so i want to have Fail-over on links and also have secure tunnel on both ways
Best Regards
John Mayer

John,
Contrary to what Karsten suggested, I think DMVPN would be a good way to go with 15 sites. Once you get everything up and working, it is extremely easy to add new sites with no changes needed on your Hub router. Here's a guide which discusses DMVPN configured in a dual Hub dual cloud scenario: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubdual
You could easily use EIGRP to exchange routes and configure failover if one of the Hubs or tunnels goes down. This document discusses having two physical Hubs, but you can easily configure both DMVPN clouds on a single Hub router.
Here's a document which has some DMVPN FAQs: https://supportforums.cisco.com/document/50111/dynamic-multipoint-vpn-dmvpn-design-and-positioning-questions-and-answers-live#Q._What_are_the_advantagesdisadvantages_of_using_DMVPN_or_VTI
HTH,
Frank

DMVPN + MPLS best-path selection

Dear Community
We're in the process of deploying DMVPN as a backup solution to MPLS. All that is working great!
The DMVPN wan is dual-cloud, with 2 hub routers in each cloud. Phase 3 (nhrp shortcut) is enabled on all the spokes.
For routing, all the customer subnets are advertised in MPLS, whereas for DMVPN hub advertises only a summary to 10.0.0.0/8. The protocol for both is BGP. For DMVPN, the hub routers resides in one AS (65002) and all the spokes another common AS 65102. DMVPN is therefore peered eBGP hub > spoke.
For customers connected to MPLS, the DMVPN serves as backup only solution. Best-path selection by longest prefix match.
We have other customers coming on board who wish to join the same WAN but don't have the $$$ for MPLS so are opting for DMVPN only.
Now, I have a requirement to enable spoke-to-spoke for a DMVPN only site (spokeA) to an MPLS site (spokeB). The problem is it doesn't seem to work properly as the hub router sees the best path to spokeB site via MPLS, not via DMVPN. The spoke-to-spoke is never formed, and remains spokeA > hub > mpls > spokeB. The return path is better = spokeB > DMVPN > hub > spokeA (this is because spokeB sees no route from MPLS for spokeA, so follows 10.0.0.0/8) route.
I look for any feedback that can help to meet this requirement?
And if any advice on the general design would be really appreciated.
Thanks a lot!
Phil

Phil,
I did a short lab around this ... wanted to make sure I'm not saying something stupid.
While I can't claim it's the _optimal_ solution for your setup it seems to work in my lab.
Spoke1 LAN 192.168.101.0/24 (AS 65001)
Spoke2 LAN 192.168.102.0/24 (AS 65002)
HUB LAN 192.168.111.0/24 (AS 65000)
192.168.1.0/24 DMVPN subnet.
A single (i)VRF - DMVPN exists on hub, only and is assigned only to DMVPN tunnel interface.
Excuse a few hacks a had to use... default routed via default-originate for example :-)
Hub
R10-P#sh run int tu0
Building configuration...
Current configuration : 281 bytes
interface Tunnel0
vrf forwarding DMVPN
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
ip nhrp redirect
tunnel source Loopback0
tunnel mode gre multipoint
tunnel protection ipsec profile PRO
end
R10-P#sh run | s r b
router bgp 65000
bgp log-neighbor-changes
network 192.168.111.0
redistribute static
neighbor 10.112.112.1 remote-as 65001
neighbor 10.112.112.1 route-map SPOKES_MPLS in
default-information originate
address-family ipv4 vrf DMVPN
neighbor 192.168.1.101 remote-as 65001
neighbor 192.168.1.101 activate
neighbor 192.168.1.102 remote-as 65002
neighbor 192.168.1.102 activate
exit-address-family
R10-P#sh run | s vrf defini
vrf definition DMVPN
rd 1:1
route-target export 100:1
route-target import 100:1
address-family ipv4
import ipv4 unicast map DEFAULT
export ipv4 unicast map SPOKE_SUBNETS
route-target export 100:1
route-target import 100:1
exit-address-family
address-family ipv6
route-target export 100:1
route-target import 100:1
exit-address-family
Result on spoke
R1-PE#traceroute 192.168.102.1 source e2/0
Type escape sequence to abort.
Tracing the route to 192.168.102.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.1.1 [AS 65000] 5 msec 10 msec 2 msec
2 192.168.1.102 [AS 65000] 4 msec * 5 msec
R1-PE#traceroute 192.168.102.1 source e2/0
Type escape sequence to abort.
Tracing the route to 192.168.102.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.1.102 [AS 65000] 6 msec * 6 msec
routing on hub
(sanitized)
R10-P# sho ip route
Gateway of last resort is 10.100.100.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.100.100.2
10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
B 192.168.101.0/24 [20/0] via 10.112.112.1, 00:06:40
B 192.168.102.0/24 [20/0] via 192.168.1.102 (DMVPN), 00:00:03
192.168.111.0/24 is variably subnetted, 2 subnets, 2 masks
R10-P# sho ip route vrf DMVPN
Routing Table: DMVPN
Gateway of last resort is 10.100.100.2 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.100.100.2, 00:06:40
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Tunnel0
L 192.168.1.1/32 is directly connected, Tunnel0
B 192.168.101.0/24 [20/0] via 192.168.1.101, 00:06:40
B 192.168.102.0/24 [20/0] via 192.168.1.102, 00:06:25

"sh ip ospf nei" on spokes shows only HUBS

Hi there!
Not so long I've built Single-HUB-Single-cloud DmVPN with 12 spokes. Everything was working file until I decided to configure one of the spokes as a BDR in the same cloud.
Now sh ip ospf nei on HUBS shows all of routers as FULL/DROTHER and FULL/DR/BDR respectively. But on each of spokes it shows records about HUBS only. Almost all of SPOKES can ping each other. But even after this there no changes in sh ip ospf nei output, still HUBS only.
In most cases traffic from SPOKE to SPOKE goes through DR and it does not have any matter how much times i'm running the ping, trace or other traffic
SPOKE7#trace 172.18.15.1
Type escape sequence to abort.
Tracing the route to 172.18.15.1
1 172.255.255.1.rdns.as15003.net (172.255.255.1) 44 msec
172.255.255.11.rdns.as15003.net (172.255.255.11) 144 msec 148 msec
and still
SPOKE7#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
1.1.0.1 10 FULL/DR 00:00:36 172.255.255.1 Tunnel0
1.2.1.1 5 FULL/BDR 00:00:34 172.255.255.5 Tunnel0
=============================================================
I would much appreciate for any assistance in solving of this issue.
The configs and debug outputs are attached in txt-files to make the post more readable. If it's require I'll paste the data as a plain text.
Please do not hesitate to request additional debugging information.

Roman,
I did manage to find one of my old labs and transfer config to OSPF from EIGRP.
Spoke_R4#debug nhrp packet
NHRP activity debugging is on
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:08, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:08, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
Spoke_R4#traceroute 192.168.133.1 source l0
Type escape sequence to abort.
Tracing the route to 192.168.133.1
VRF info: (vrf in name/id, vrf out name/id)
1
*Apr 22 12:58:54.872: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 72
*Apr 22 12:58:54.872: src: 172.16.0.104, dst: 172.16.0.1
*Apr 22 12:58:54.872: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Apr 22 12:58:54.872: shtl: 4(NSAP), sstl: 0(NSAP)
*Apr 22 12:58:54.872: pktsz: 72 extoff: 52
*Apr 22 12:58:54.872: (M) flags: "router auth src-stable nat ", reqid: 4
*Apr 22 12:58:54.872: src NBMA: 10.0.0.104
*Apr 22 12:58:54.872: src protocol: 172.16.0.104, dst protocol: 172.16.0.103
*Apr 22 12:58:54.872: (C-1) code: no error(0)
*Apr 22 12:58:54.872: prefix: 32, mtu: 17916, hd_time: 600
Apr 22 12:58:54.872: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Apr 22 12:58:54.936: CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.0.0.103:500 Id: 10.0.0.103
*Apr 22 12:58:54.956: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 120
*Apr 22 12:58:54.956: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Apr 22 12:58:54.956: shtl: 4(NSAP), sstl: 0(NSAP)
*Apr 22 12:58:54.956: pktsz: 120 extoff: 60
*pr 22 12:58:54.956: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 4
*Apr 22 12:58:54.956: src NBMA: 10.0.0.104
*Apr 22 12:58:54.956: src protocol: 172.16.0.104, dst protocol: 172.16.0.103
*Apr 22 12:58:54.956: (C-1) code: no error(0)
*Apr 22 12:58:54.956: prefix: 32, mtu: 17916, hd_time: 600
Apr 22 12:58:54.956: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr 22 12:58:54.956: client NBMA: 10.0.0.103
*Apr 22 12:58:54.956: client protocol: 172.16.0.103 *
172.16.0.103 12 msec *
Spoke_R4#
Spoke_R4#sh ip nhr
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:28, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:28, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
172.16.0.103/32 via 172.16.0.103
Tunnel0 created 00:00:16, expire 00:09:44
Type: dynamic, Flags: router used
NBMA address: 10.0.0.103
Spoke_R4#
Spoke_R4#
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:31, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:31, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
172.16.0.103/32 via 172.16.0.103
Tunnel0 created 00:00:18, expire 00:09:41
Type: dynamic, Flags: router used
NBMA address: 10.0.0.103
Spoke_R4#
Spoke_R4#
Spoke_R4#traceroute 192.168.133.1 source l0
Type escape sequence to abort.
Tracing the route to 192.168.133.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.0.103 20 msec * 12 msec
Spoke_R4#
Spoke_R4#sh ip route 192.168.133.1
Routing entry for 192.168.133.1/32
Known via "ospf 1", distance 110, metric 1001, type intra area
Last update from 172.16.0.103 on Tunnel0, 00:05:53 ago
Routing Descriptor Blocks:
* 172.16.0.103, from 192.168.133.1, 00:05:53 ago, via Tunnel0
Route metric is 1001, traffic share count is 1
Routing on spoke4 shows that one should go to spoke3 (172.16.0.3).
This will trigger NHRP resolution process - demonstrated in debugs.

DMVPN and NAT

Hi All,
I am trying out a simulation on my own at the moment to try figure out if it is possible for a Router at a branch office running DMVPN to have a NAT setting such that if anyone accesses this NAT, it will be directed to a server at the HQ office.
Here is the full picture. I have multiple spokes in my DMVPN design with a single Hub. All spokes are able to access each other so this is a full mesh design. Each routers have their own Internet access so I would have a NAT Overload rule. In the real world, two of the spokes (SPOKE A & B) needs to route via one of these spoke (SPOKE C) in order to reach the hub because latency-wise, it is way better than going direct. Because the management now wants to build more web services but allow Internet users to access via one of the the remote spokes at SPOKE A & B. Sounds easy if i create a static NAT but if I create a static NAT rule at one of the remote spokes, the return traffic will be asymmetric. Problem is that every routers will have their own Internet access, by the time the return traffic heads back, the hub router would have already routed out via its own Internet because the source IP is public.
Is there anyway that we can configure the NAT rule on the remote spokes so that it will also do a source NAT together with a destination NAT so that the return traffic will return to where it originated from (the remote spoke which has the static NAT)? Or is there any alternative solution? I don't mind hearing the pro and cons.
Thanks in advance!
Sent from Cisco Technical Support iPad App

Desmond,
I hope I'm understanding the problem :-)
Mind that I'm talking about concepts here, I think technically those will work, but it's not something I've tested.
Re. idea 1)
When I was suggesting reverse proxy I was not suggesting WCCP, although it would be cool :-)
NAT + Squid would be sufficent.
I.e.
Say the real sever IP is A.
Squid's private IP address is B.
Squid's public IP is C.
What I had it mind is that when connecting on spoke X, everyone would be using IP address of C (from outside/DMVPN).
That would be statically translated to B.
Now B would go to A (real or private) to get to the actual content (you can also implment cache'ing on squid to further optimize the link utilization).
A replies to B, B replies to whoever contacted them over internet (by going out through NAT).
Re. idea 2
Switching to NVI NAT could be an idea, you don't have to specify "inside" and "outside".
Marcin

OC4J Instances in Cold Failover Cluster

I'm running OAS 10.1.2.2.0 on a windows 2003 server under a cold failover clustered environment and was wondering... Is it recommended to have one web application deployed in it's own separate instance? For example, webapp1 deployed to instance1 and webapp2 deployed to instance2? Or would it be better to have multiple web applications deployed to one instance?
Thanks for any thoughts!

user7575753 wrote:
I'm running OAS 10.1.2.2.0 on a windows 2003 server under a cold failover clustered environment and was wondering... Is it recommended to have one web application deployed in it's own separate instance? For example, webapp1 deployed to instance1 and webapp2 deployed to instance2? Or would it be better to have multiple web applications deployed to one instance?
Thanks for any thoughts!I can say your configuration is ok for single instance failover . Once u like to make cluster and load balance , OAS hs managed and non-managed cluster.
For Managed Cluster , you must setup either Oracle WebCache or F5 Big/IP . With regard to non-managed cluster, that means nothing required to share .

Should OS X server act as a single router/server instance?

Services like mail, iChat AV and web are meant to be visible to both internal and external users, whereas file, print and others probably are not. Given that I run a typical 5-desktops small company with one server and a DSL internet connection, how should OS X server be set up?
Having a dedicated modem/router gives me better security, but requires me to port-forward all kinds of data towards the server. While some protocols like http work pretty well using the setup, others like IPsec and iChat are more error-prone or usually do not work over NAT.
Using the optional USB ethernet adapter, I could use the server as a single hub between internet and intranet, dual-homed between DSL and internal network. Would that expose services and data in a insecure way, if I had the firewall turned on?
Mac mini server is great, but how is it supposed to work in a scenario like this? What's your opinion? Regards,
Christian

Use a firewall-gateway. It's easier.
If you acquire a gateway with a VPN server embedded, then you can avoid the worst of dealing with NAT.
If you search the forums, you'll find me recommending a firewall-gateway pretty regularly, and in the threads where folks have encountered configuration and IP routing issues when trying to use their Mac as an expensive and comparatively awkward IP router.
If you do choose to use your Mac as a gateway-firewall, Server Admin can open ports on all controllers, meaning you can expose protocols to the Internet, and where you might not want to. And there are cases were a reconfiguration or an "innocent" software installation or reconfiguration can open up an exposure; having humans operating as a matter of course directly on a box providing gateway-firewall services is not without its risks.
Here is why I recommend an external gateway-firewall box.

Error in creating Failover Clutser - Windows Server 2012 R2

Hello,
I have created a single node Failover Cluster in Windows Server 2012 R2. When I am trying to add second node to this cluster, it gives the error: “Cluster
service on node Node1did not reach the running state. The error code is 0x5b4. For more information check the cluster log and the system event log from node Node1. This operation returned because the timeout period expired.
The server 'Node1.mydomain.com' could not be added to the cluster.
An error occurred while adding node 'Node1.mydomain.com' to cluster 'My_Cluster'.
This operation returned because the timeout period expired.”
I have attached the screenshots of Event ID.
Firewalls are turned off on both servers (Node1 and Node2). I have successfully created single node clusters on both servers, but when I try to add second node, it
gives error.
Before starting the creation of new cluster I don't forget to Destroy previous cluster and run "Clear-ClusterNode".
Every time they successfully pass the Validate Configuration Test, but give the error on creating failover cluster.
I'm using the service account which has full permissions on CNU and both nodes, plus it has permissions to create computer accounts in AD.
Can anyone please help?
Thank you.
Best regards,
Hasan Bin Hasib

Thank you fellows!
The issue just resolved when I moved the Node1 and Node2 on the same host, and the cluster was successfully created.
After the creation of cluster, as soon as I moved the Node2 to some other host, then the Failover Cluster Manager console started showing Node2 is Down. Error: Cluster node Node2 could not to join the cluster because it failed
to communicate over the network with any other node in the cluster. Verify the network connectivity and configuration of any network firewalls. Event ID: 1653
IP Address of Node1: 172.16.1.186 ; IP Address of Node2: 172.16.1.187
And yes, the ‘Microsoft Failover Cluster Virtual Adapter Performance Filter’ is already disabled on all virtual adapters. All firewalls are disabled, no antivirus installed. I’m using same type of NICs.
I don’t know where the blockage is, and I am badly stuck. Please help.
Thank you.
~ Hasan Bin Hasib

Oracle Infrastructure in Cold Failover Cluster

Hello,
I have browsed through the Oracle docs for High Availability, but I cannot find any information abourt achieving that CFC HA for OAS Infrastructura using RedHat EL AS and HP Serviceguard...
Can anyone help me?
thanks in advance, and best regards

user7575753 wrote:
I'm running OAS 10.1.2.2.0 on a windows 2003 server under a cold failover clustered environment and was wondering... Is it recommended to have one web application deployed in it's own separate instance? For example, webapp1 deployed to instance1 and webapp2 deployed to instance2? Or would it be better to have multiple web applications deployed to one instance?
Thanks for any thoughts!I can say your configuration is ok for single instance failover . Once u like to make cluster and load balance , OAS hs managed and non-managed cluster.
For Managed Cluster , you must setup either Oracle WebCache or F5 Big/IP . With regard to non-managed cluster, that means nothing required to share .

DMVPN Single Hub failover

Similar Messages

Maybe you are looking for