Hello everyone.
There is a DMVPN configured between a Cisco 2821 and a Cisco 2811. The hub is the Cisco 2821; the spoke is the Cisco 2811, behind the provider's NAT.
The tunnel periodically goes down and only recovers after the spoke is rebooted.
Hub
Code:
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_IVS-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)
Cisco 2821 (revision 1.0) with 243712K/18432K bytes of memory.
2 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
1 cisco Special Services Engine(s)
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
1000944K bytes of ATA CompactFlash (Read/Write)
Spoke
Code:
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_IVS-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)
Cisco 2811 (revision 53.50) with 247808K/14336K bytes of memory.
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
4 Voice FXS interfaces
DRAM configuration is 64 bits wide with parity disabled.
239K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)
Interface configuration on the hub
Code:
interface Tunnel0
description -- DMVPN cloud --
bandwidth 50000
ip address 172.20.0.1 255.255.255.0
no ip redirects
ip mtu 1416
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 FOREIGRP
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp authentication xxxxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp registration no-unique
ip nhrp registration timeout 120
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
load-interval 30
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN shared
end
Interface configuration on the spoke
Code:
interface Tunnel0
description -- DMVPN cloud --
bandwidth 11000
ip address 172.20.0.2 255.255.255.0
no ip redirects
ip mtu 1416
ip hold-time eigrp 1 35
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 FOREIGRP
ip nhrp authentication xxxxxxxx
ip nhrp map multicast 7.7.7.7
ip nhrp map 172.20.0.1 7.7.7.7
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 172.20.0.1
ip nhrp registration no-unique
ip nhrp registration timeout 120
ip nhrp shortcut
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
load-interval 30
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN shared
end
After the tunnel goes down, the hub shows it in this state:
Code:
sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Pending DMVPN Sessions:
Interface: Tunnel0
IKEv1 SA: local 7.7.7.7/4500 remote 3.3.3.3/62296 Active
Capabilities:DN connid:5990 lifetime:23:59:57
IKEv1 SA: local 7.7.7.7/4500 remote 3.3.3.3/62296 Inactive
Capabilities:DN connid:5989 lifetime:0
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 192.168.5.11
IPSEC FLOW: permit 47 host 7.7.7.7 host 3.3.3.3
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Outbound SPI : 0x 0, transform :
Socket State: Open
Interface: Tunnel0
On the spoke at the same time:
Code:
sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Intferface Tunnel0 is up/up, Addr. is 172.20.0.2, VRF ""
Tunnel Src./Dest. addr: 192.168.5.11/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN"
IPv4 Registration Timer: 120 seconds
IPv4 NHS: 172.20.0.1 E
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 7.7.7.7 172.20.0.1 IKE 23:38:23 S 172.20.0.1/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x4A715618]
Crypto Session Status: DOWN
fvrf: (none), IPSEC FLOW: permit 47 host 192.168.5.11 host 7.7.7.7
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 268 life (KB/Sec) 0/0
Outbound SPI : 0x 0, transform :
Socket State: Closed
Pending DMVPN Sessions:
Interface: Tunnel0
If the tunnel interfaces on the hub and the spoke are shut down and brought back up, DMVPN does not come up and the tunnel state is the same as shown above; when the spoke is rebooted, the tunnel comes up and can work for anywhere from several hours to several days. Is there anything that can be done to bring the failed tunnel back up without rebooting the spoke?
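
Added example, not part of the original post: the spoke-side symptoms shown above (NHS in E, peer stuck in IKE, crypto session DOWN with zero SAs, outbound drops with nothing encrypted) can be picked out of "sh dmvpn detail" automatically, for instance by a monitoring job. The function names and the set of checks are assumptions made for this sketch; the sample lines are copied from the spoke output in the post.

```python
import re

# Spoke-side lines of "sh dmvpn detail", copied from the post above.
SPOKE_OUTPUT = """\
IPv4 NHS: 172.20.0.1 E
1 7.7.7.7 172.20.0.1 IKE 23:38:23 S 172.20.0.1/32
Crypto Session Status: DOWN
Active SAs: 0, origin: crypto map
Outbound: #pkts enc'ed 0 drop 268 life (KB/Sec) 0/0
Outbound SPI : 0x 0, transform :
Socket State: Closed
"""

IP = r"\d+\.\d+\.\d+\.\d+"
PATTERNS = {
    "nhs": re.compile(rf"IPv4 NHS:\s+({IP})\s+([ERW])\b"),
    "peer": re.compile(rf"\d+\s+({IP})\s+({IP})\s+(\S+)"),
    "crypto": re.compile(r"Crypto Session Status:\s+(\S+)"),
    "sas": re.compile(r"Active SAs:\s+(\d+)"),
    "out": re.compile(r"Outbound:\s+#pkts enc'ed\s+(\d+)\s+drop\s+(\d+)"),
    "socket": re.compile(r"Socket State:\s+(\S+)"),
}

def parse_dmvpn_detail(text):
    """Collect the NHRP and crypto health fields from the command output."""
    st = {"nhs": {}, "peers": {}}
    for line in map(str.strip, text.splitlines()):
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m and key == "nhs":
                st["nhs"][m[1]] = m[2]            # NHS address -> E/R/W flag
            elif m and key == "peer":
                st["peers"][m[2]] = m[3]          # peer tunnel address -> state
            elif m and key == "out":
                st["out_enc"], st["out_drop"] = int(m[1]), int(m[2])
            elif m:
                st[key] = int(m[1]) if key == "sas" else m[1]
    return st

def stuck_reasons(st):
    """Return the symptoms of the hung-spoke state; an empty list means none seen."""
    reasons = [f"NHS {ip} is expecting replies (E)" for ip, f in st["nhs"].items() if f == "E"]
    reasons += [f"peer {ip} is in state {s}, not UP" for ip, s in st["peers"].items() if s != "UP"]
    if st.get("crypto") not in (None, "UP-ACTIVE") or st.get("sas") == 0:
        reasons.append(f"crypto session {st.get('crypto')} with {st.get('sas')} active SAs")
    if st.get("socket") == "Closed":
        reasons.append("crypto socket is closed")
    if st.get("out_drop") and not st.get("out_enc"):
        reasons.append(f"{st['out_drop']} outbound packets dropped, none encrypted")
    return reasons
```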