Hi all,
We have implemented a small DMVPN network (1 hub + 3 spokes, going to get bigger) using 877s at all sites (not my choice of platform, what the customer would pay for). It seemed to be working fine, but occasionally a couple of the spokes drop out completely & don't come back. Looking into it, I found that if I do a 'sh crypto map', there is no output from the spokes that are down, as opposed to the usual "Tunnel0-head-0" output. One way of restoring connectivity is to do:
! conf t int t0 no tunnel protection ... tunnel protection ... !
I presume that reloading the router might have the same effect, but have been unable to test this yet as the routers are still in use & running over the backup circuits.
The only difference I can see between the sites that stay up & the ones which go down is that the ones with problems also have a statically defined IPSec VPN to another site. i.e. the mGRE tunnel has IPSec protection configured, with a source of Dialer0, and Dialer0 also has a crypto map applied to it for connectivity to a site that is not yet on the DMVPN network.
I don't want to go into detailed config yet, but it is exaclty as I have found documented on cisco.com & other sites, jsut with a 'traditional' vpn configured as well.
My question to the group is - has anyone else encountered this problem & do they have any suggestions for a work around?
(while we could reconfigure network to use ezvpn/static vpn tunnels, we want to try to get the DMVPN working properly!)