krock83

join:2010-03-02

[HELP] EIGRP Issues

Hello everyone...

I have been wanting to expand our backup tunnel subnet from a /24 to a /22. There is an issue that I will run into once the change has been done. The only changes that I'm making in the DR are assigning a different IP address to the tunnel interface, adding that same subnet to the EIGRP configuration, and removing the old one.

Example:

int tu100
ip address 192.168.4.1 255.255.252.0
exit

router eigrp 100
no network 192.168.17.0 0.0.0.255
network 192.168.4.0 0.0.3.255
end

We have about 100 offices where the same information needs to be updated. This is what I tried at our office:

int tu100
ip address 192.168.4.77 255.255.252.0
ip nhrp nhs 192.168.4.1
exit

router eigrp 100
network 192.168.4.0 0.0.3.255
no network 192.168.17.0
end

When I make that change, tunnel 100 keeps dropping every 50 seconds or so.

This is what I found in the log of the office router:

Jul  3 07:44:15.188: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.4.1 (Tunnel100) is down: retry limit exceeded

We had this issue in the past, where we had to reload all the peering routers... but I cannot reload 100 sites, since most of them are 24 hr.

I'm not an expert in EIGRP, but is there a workaround for this?

DocLarge
Premium
join:2004-09-08
kudos:1

Have you checked the EIGRP timers (i.e., hello, etc...)?

Jay


aryoba
Premium,MVM
join:2002-08-22
kudos:3

reply to krock83

said by krock83:

I have been willing to expend our backup tunnel subnet from a /24 to a /22.

Probably a little off topic, however I wonder why you need to have a /24 or even a /22 for tunnel interface subnets. As I recall, a tunnel is simply a point-to-point pipe, for which a /30 should be sufficient.

krock83

join:2010-03-02

reply to krock83
We run DMVPN, and every new site that we open gets a new IP address.

Let's say we open up a new office in Miami: we would create tu100 and assign an IP address of 192.168.4.128 255.255.255.0.

That is why I need a bigger subnet, since I'm running out of the /24.


aryoba
Premium,MVM
join:2002-08-22
kudos:3

reply to DocLarge

said by DocLarge:

Have you checked the EIGRP timers (i.e., hello, etc...)?

Also verify there is no ACL blocking legitimate traffic. A debug command would be helpful. Either way, this type of work should be done during off-hours or an approved maintenance window.

krock83

join:2010-03-02

reply to krock83
There are no ACLs blocking it, because once you reboot the peering router everything works fine. I'm just trying to figure out why a reboot is needed for this to work.


aryoba
Premium,MVM
join:2002-08-22
kudos:3

If I had to guess, the routers needed to reset the tunnel in order to start using the modified configuration. With that in mind, perhaps simply resetting the tunnels (shut and no shut the tunnel interfaces) would be an alternative to rebooting all routers.


krock83

join:2010-03-02

reply to krock83
I tried that multiple times: shut, leave it in that state for a few minutes, and bring it back up, but it wouldn't stay up for more than a few minutes before it would reset again, and again... and so on...


aryoba
Premium,MVM
join:2002-08-22
kudos:3

reply to krock83

said by krock83:

We had this issue in the past where we had to reload all the peering routers... but I cannot reload 100 sites since most of them are 24 hr.

Personally I never liked the GRE or IPsec VPN tunnel approach compared to an MPLS solution, due to reliability and scalability aspects. If money is an issue, you can shop around to get the best deal.

As an idea, you can check out Earthlink (»www.earthlinkbusiness.com/products/mpls.xea), since they provide MPLS over DSL for those that cannot afford dedicated T1 or DS3 circuits. Note that such a service may not be reliable; however, it is probably still better than a DMVPN solution.

krock83

join:2010-03-02

reply to krock83
I have been pushing the business to agree on MPLS, but their point of view is "it's working fine now, I don't care what problem you have, we are not paying for MPLS". Sooo, I will have to send out a notification that we will be reloading again.

Maybe they will get tired of the constant reboot and go with my idea of MPLS....

Thanks aryoba....


aryoba
Premium,MVM
join:2002-08-22
kudos:3

said by krock83:

I have been pushing the business to agree on MPLS, but their point of view is "it's working fine now, I don't care what problem you have, we are not paying for MPLS". Sooo, I will have to send out a notification that we will be reloading again.

Maybe they will get tired of the constant reboot and go with my idea of MPLS....

Thanks aryoba....

I would assume that the routers run IOS version 12.x. At the point where you get a new router running IOS 15.x, be aware that there is a license fee to enable the DMVPN feature. Should your company run MPLS, your company is no longer required to pay this license fee, which may save some money.

krock83

join:2010-03-02

We are running 15.x code and have purchased licenses for DMVPN; what I didn't know is that we don't need those for MPLS.

hmmm.. I wonder what the engineers before me were thinking!!

Thanks for the info


aryoba
Premium,MVM
join:2002-08-22
kudos:3

As I understood it, routers running IOS 15.x come by default with the IP Base license, which supports static routes, RIP, and some basic routing/switching/NAT functionality. Should you need EIGRP, you need the Advanced IP Services license. Need ZBF, CBAC, IPsec VPN, DMVPN? You need Advanced Security. You can confirm which license your routers have with the show license command.


krock83

join:2010-03-02

reply to krock83
Yes, I remember that we had to get a license to unlock EIGRP on the 15.x code for a new location I just turned up. Those run about 249.00, I believe.


aryoba
Premium,MVM
join:2002-08-22
kudos:3

reply to krock83

said by krock83:

We are running 15.x code and have purchased licenses for DMVPN; what I didn't know is that we don't need those for MPLS.

hmmm.. I wonder what the engineers before me were thinking!!

Thanks for the info

MPLS has nothing to do with either DMVPN or EIGRP. Obviously, when the router connects using MPLS, DMVPN is no longer needed, which means you can save money on those Advanced Security license fees.

Depending on the network design, most remote offices and branches don't need to run a routing protocol such as EIGRP, since those offices most likely have a single connection to the rest of the network and static routes will do just fine. With that in mind, you could also save money on those Advanced IP Services license fees.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:4

reply to krock83
This kind of sounds like a recursive routing issue.

Recursive routing is where the tunnel comes up, and <insert routing protocol> exchanges routes for each side, including the subnet of the WAN, so both ends try to route the tunnel packets over the tunnel (hence recursive), which eventually leads to the tunnel dropping out, and re-establishing once the router realises it can route the tunnel packets via the WAN again. Lather, rinse, repeat.

To verify if it's a recursive routing issue, check the routing table of your hub, for example, and see if it contains any routes for the remote sites' WAN connections. But in the past I have seen the router identify recursive routes and create log entries as such. Do you see anything like this in your logs?

If this is the case, you'll need to apply a prefix filter to your EIGRP configs to prevent the router advertising anything but its internal networks. That should stop it. A generic one that just covers all of the RFC 1918 subnets would probably suffice; since you say you have 100 sites, maintaining individual filters for each site could be a headache.


cramer

join:2007-04-10
Raleigh, NC
kudos:7

reply to krock83
As I understand your situation... you're going to see this until every DMVPN node is set to /22. When a mismatching node joins the group, "bad things will happen." (Change the VPN key so the /22 and /24 are different DMVPNs.)

You need to set aside a window where you can make these changes across the entire network. The entire network will be screwed up until you're done. I've been there -- luckily, I was working with a frame-relay network instead of DMVPN. (I missed a single router that wasn't on my map.)



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:4

reply to TomS_
Well there you go.


krock83

join:2010-03-02

reply to krock83
@ Cramer

I have requested a maintenance window for this implementation. Since this is the backup tunnel to the Disaster Recovery side, I don't think I will see any outages.

@TomS_

I wish I could experiment to find out what the logs say, or do a debug etc., but my boss is a little girl and he knows that the reload will fix the issue, so I don't have much of a choice here. One of these days (I hope) he will come to the conclusion that finding out what the issue is and fixing it, rather than reloading the routers every month, would be more beneficial.

For now I will do what he says... he is the boss, not me.


aryoba
Premium,MVM
join:2002-08-22
kudos:3

reply to TomS_

said by TomS_:

This kind of sounds like a recursive routing issue.

Recursive routing is where the tunnel comes up, and exchanges routes for each side, including the subnet of the WAN, so both ends try to route the tunnel packets over the tunnel (hence recursive), which eventually leads to the tunnel dropping out, and re-establishing once the router realises it can route the tunnel packets via the WAN again. Lather, rinse, repeat.

I recall that back in the day, when I still had to deal with GRE tunnel engineering and support, I had to specify the subnets the routers needed to advertise via EIGRP instead of the summarized networks, due to this recursive routing situation. So back then I had to configure something like this instead of using the network 192.168.0.0 0.0.3.255 command.

network 192.168.0.0 0.0.0.255
network 192.168.1.1 0.0.0.0

Here is the Cisco link to describe the Recursive Routing situation and how to avoid it.
»www.cisco.com/en/US/tech/tk365/t···90.shtml
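The check TomS_ suggests (does the hub's routing table send the tunnel's own destination back into the tunnel?) and the remedy both he and aryoba describe (advertise only internal prefixes, not the WAN subnet), as an added example that is not from this thread. The hub routing table, the spoke WAN address 203.0.113.7 and the advertised prefixes are constructed for illustration.

```python
import ipaddress

# Constructed hub: tunnel transport leaves via the physical WAN interface,
# spoke prefixes are learned through EIGRP over Tunnel100.
HUB_STATIC = [("0.0.0.0/0", "Ethernet0/0")]   # default route to the ISP (assumed)
TUNNEL_IFACE = "Tunnel100"
SPOKE_WAN_ADDR = "203.0.113.7"                # spoke's public address (constructed)
SPOKE_ADVERTISED = ["10.50.0.0/24",           # spoke LAN
                    "192.168.4.0/22",         # tunnel subnet from the thread
                    "203.0.113.0/24"]         # spoke's WAN subnet: the mistake

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rfc1918_only(prefixes):
    """Prefix filter of the kind TomS_ describes: permit only RFC 1918 space."""
    return [p for p in prefixes
            if any(ipaddress.ip_network(p).subnet_of(n) for n in RFC1918)]

def hub_table(advertised):
    """Hub RIB: static routes plus EIGRP routes learned over the tunnel."""
    return HUB_STATIC + [(p, TUNNEL_IFACE) for p in advertised]

def lookup(table, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_recursive(table, tunnel_iface, tunnel_dest):
    """Recursive routing: the tunnel's destination resolves via the tunnel itself."""
    return lookup(table, tunnel_dest) == tunnel_iface

def check(filtered):
    """Return (egress for the spoke WAN address, recursive?) with/without the filter."""
    adv = rfc1918_only(SPOKE_ADVERTISED) if filtered else SPOKE_ADVERTISED
    table = hub_table(adv)
    return lookup(table, SPOKE_WAN_ADDR), is_recursive(table, TUNNEL_IFACE, SPOKE_WAN_ADDR)

if __name__ == "__main__":
    print("unfiltered:", check(False))   # ('Tunnel100', True)
    print("filtered:  ", check(True))    # ('Ethernet0/0', False)
```

The same walk applies to a spoke: look up the hub's NBMA address in the spoke's table and confirm it does not resolve via the tunnel interface.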
