DMVPN Tunnel Health Monitoring and Recovery
First Published: October 2, 2009
Last Updated: February 16, 2010
The Dynamic Multipoint VPN Tunnel Health Monitoring and Recovery feature enhances the ability of the system to monitor and report Dynamic Multipoint VPN (DMVPN) events. It includes support for Simple Network Management Protocol (SNMP) Next Hop Resolution Protocol (NHRP) notifications for critical DMVPN events and support for DMVPN syslog messages. It also enables the system to control the state of the tunnel interface based on the health of the DMVPN tunnels.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Tunnel Health Monitoring and Recovery" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Tunnel Health Monitoring and Recovery
• Restrictions for Tunnel Health Monitoring and Recovery
• Information About Tunnel Health Monitoring and Recovery
• How to Configure Tunnel Health Monitoring and Recovery
• Additional References
• Feature Information for Tunnel Health Monitoring and Recovery
Prerequisites for Tunnel Health Monitoring and Recovery
SNMP NHRP notifications
• SNMP is enabled in the system.
• Generic SNMP configurations for Get and Set operations and for notifications must be implemented in the system.
• All relevant NHRP traps are enabled.
Restrictions for Tunnel Health Monitoring and Recovery
MIB SNMP
• SNMP SET UNDO is not supported.
• The MIB Persistence feature that enables the MIB-SNMP data to persist across reloads is not supported. However, virtual persistence for the MIB notification control object happens, because that information is also captured via the configuration command-line interface (CLI).
• Notifications and syslogs are not virtual routing and forwarding (VRF) aware.
• The Rate Limit Exceeded notification does not differentiate between the IPv4 and IPv6 protocol types.
Interface State Control
• Interface state control can be configured on leaf spoke nodes only.
• Interface state control supports IPv4 only.
Information About Tunnel Health Monitoring and Recovery
• NHRP Extension MIB
• DMVPN Syslog Messages
• Interface State Control
NHRP Extension MIB
The NHRP Extension MIB module comprises objects that maintain redirect-related statistics for both clients and servers, and for the following SNMP notifications for critical DMVPN events:
• A spoke perceives that a hub has gone down. This can occur even if the spoke was not previously registered with the hub.
• A spoke successfully registers with a hub.
• A hub perceives that a spoke has gone down.
• A hub perceives that a spoke has come up.
• A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has gone down. For example, a spoke-spoke tunnel goes down.
• A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has come up. For example, a spoke-spoke tunnel comes up.
• The rate limit set for NHRP packets on the interface is exceeded.
The agent implementation of the MIB provides a means to enable and disable specific traps, from either the network management system or the CLI.
DMVPN Syslog Messages
The DMVPN syslog feature provides syslog messages for the following events:
• All next-hop state change events. For example, when the system declares that a Next Hop Server (NHS), Next Hop Client (NHC), or a Next Hop Peer (NHP) is up or down. The severity level for these messages is set to critical.
• NHRP resolution events. For example, when a spoke sends a resolution to a remote spoke, or when an NHRP resolution times out without receiving a response. The severity level for these messages is set to informational.
• DMVPN cryptography events. For example, when a DMVPN socket entry changes from open to closed, or from closed to open. The severity level for these messages is set to notification.
• NHRP error notifications. For example, when an NHRP registration or resolution event fails, when a system check event fails, or when an NHRP encapsulation error occurs. The severity level for these messages is set to errors.
• DMVPN error notifications. For example, when the NET_ID value is not configured, or when an NHRP multicast replication failure occurs. The severity level is set to notification for the unconfigured NET_ID value message, and set to errors if an NHRP multicast replication failure occurs.
• Rate limit set for NHRP packets on the interface is exceeded. This event occurs when the NHRP packets handled by the NHRP process exceed the rate limit set on the interface. The severity level for this message is set to warning.
Interface State Control
The Interface State Control feature allows NHRP to control the state of the interface based on whether the tunnels on the interface are live. If NHRP detects that all NHSs configured on the interface are in the down state, NHRP can change the interface state to down. However, if NHRP detects that any one of the NHSs configured on the interface is up, then it can change the state of the interface to up.
When the NHRP changes the interface state, other Cisco IOS services can react to the state change, for example:
• If the interface state changes, the generic routing and encapsulation (GRE) interface generates IF-MIB notifications (traps) that report a LinkUp or LinkDown message. The system uses these traps to monitor the connectivity to the DMVPN cloud.
• If the interface state changes to down, the Cisco IOS backup interface feature can be initiated to allow the system to use another interface to provide an alternative path to the failed primary path.
• If the interface state changes to down, the system generates an update that is sent to all dynamic routing protocols. This provides a failover mechanism for dynamic routing when the multipoint GRE (mGRE) interface is down.
• If the interface state changes to down, the system clears any static routes that use the mGRE interface as the next hop. This provides a failover mechanism for routing when the mGRE interface is down.
The interface state control feature works on both point-to-point and mGRE interfaces.
Interface State Control Configuration Workflow
Figure 1 describes how the system behaves when the Interface State Control feature is initialized.
Figure 1 Interface State Control Configuration Initialization Workflow
The Interface State Control initialization works as follows:
1. The Interface State Control feature is enabled on the GRE interface with NHRP configured.
2. The system reevaluates the protocol state and changes the state to line up and protocol down if none of the configured NHSs is responding.
3. The line up state change initiates the NHRP registration process.
4. The NHRP registration process initiates the IPsec tunnel.
5. The IPsec tunnel initiation starts the IPsec and IKE tunnel negotiation process.
6. On successful completion of the tunnel negotiation process, the system sends an IPsec Session Up message.
7. The NHRP registration process receives the IPsec Session Up message.
8. The NHRP registration process reports the line up and protocol up state to the GRE interface.
9. The GRE interface state changes to line up and protocol up.
10. The system reports the GRE interface state change to Cisco IOS software.
11. The state change triggers Cisco IOS services, such as interface event notifications, syslog events, DHCP renew, IP route refresh and SNMP traps.
How to Configure Tunnel Health Monitoring and Recovery
The tunnel health monitoring and recovery features allow you to configure SNMP NHRP notifications and interface states. This section describes how to perform the following tasks:
• Configuring Interfaces to Generate SNMP NHRP Notifications (required)
• Configuring Interface State Control on an Interface (required)
Configuring Interfaces to Generate SNMP NHRP Notifications
You can configure an interface so that SNMP NHRP traps are generated for NHRP events. In addition, you can configure the system to send the traps to particular trap receivers. To configure SNMP NHRP notifications on an interface, perform the steps in this section.
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server community string rw
4. snmp-server enable traps nhrp nhs
5. snmp-server enable traps nhrp nhc
6. snmp-server enable traps nhrp nhp
7. snmp-server enable traps nhrp quota-exceeded
8. snmp-server host ip-address version snmpversion community-string
9. end
DETAILED STEPS
| Step | Command or Action | Purpose |
| Step 1 | enable (Example: Router> enable) | Enables privileged EXEC mode. • Enter your password if prompted. |
| Step 2 | configure terminal (Example: Router# configure terminal) | Enters global configuration mode. |
| Step 3 | snmp-server community string rw (Example: Router(config)# snmp-server community public rw) | Configures the community access string to permit access to the SNMP. |
| Step 4 | snmp-server enable traps nhrp nhs (Example: Router(config)# snmp-server enable traps nhrp nhs) | Enables NHRP NHS notifications. |
| Step 5 | snmp-server enable traps nhrp nhc (Example: Router(config)# snmp-server enable traps nhrp nhc) | Enables NHRP NHC notifications. |
| Step 6 | snmp-server enable traps nhrp nhp (Example: Router(config)# snmp-server enable traps nhrp nhp) | Enables NHRP NHP notifications. |
| Step 7 | snmp-server enable traps nhrp quota-exceeded (Example: Router(config)# snmp-server enable traps nhrp quota-exceeded) | Enables notifications for when the rate limit set on the NHRP packets is exceeded on the interface. |
| Step 8 | snmp-server host ip-address version snmpversion community-string (Example: Router(config)# snmp-server host 192.40.3.130 version 2c public) | Specifies the recipient of an SNMP notification operation. • By default SNMP notifications are sent as traps. • All NHRP traps are sent to the notification receiver with the IP address 192.40.3.130 using the community string public. |
| Step 9 | end (Example: Router(config)# end) | Exits the current configuration mode and returns to privileged EXEC mode. |
Troubleshooting Tips
Use the debug snmp mib nhrp notif [detail] command to troubleshoot SNMP NHRP notifications.
Configuring Interface State Control on an Interface
The Interface State Control feature enables the system to control the state of an interface based on whether the DMVPN tunnels connected to the interface are live or not. To configure interface state control on an interface, perform the steps in this section.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. if-state nhrp
5. end
DETAILED STEPS
| Step | Command or Action | Purpose |
| Step 1 | enable (Example: Router> enable) | Enables privileged EXEC mode. • Enter your password if prompted. |
| Step 2 | configure terminal (Example: Router# configure terminal) | Enters global configuration mode. |
| Step 3 | interface type number (Example: Router(config)# interface tunnel 1) | Configures an interface type and enters interface configuration mode. |
| Step 4 | if-state nhrp (Example: Router(config-if)# if-state nhrp) | Enables NHRP to control the state of the tunnel interface. |
| Step 5 | end (Example: Router(config-if)# end) | Exits the current configuration mode and returns to privileged EXEC mode. |
Configuration Examples for Tunnel Health Monitoring and Recovery
• Example: Configuring SNMP NHRP Notifications
• Example: Configuring Interface State Control
Example: Configuring SNMP NHRP Notifications
The following example shows how to configure SNMP NHRP notifications on a hub or spoke:
Router(config)# snmp-server community public rw
Router(config)# snmp-server enable traps nhrp nhs
Router(config)# snmp-server enable traps nhrp nhc
Router(config)# snmp-server enable traps nhrp nhp
Router(config)# snmp-server enable traps nhrp quota-exceeded
Router(config)# snmp-server host 192.40.3.130 version 2c public
Example: Configuring Interface State Control
The following example shows how to configure the Interface State Control feature for a spoke:
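! Tunnel interface as in the Step 3 example of the configuration task
interface Tunnel 1
 ip address 10.5.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 10.5.1.98 10.1.1.98
 ip nhrp map 10.5.1.99 10.1.1.99
 ip nhrp map multicast 10.1.1.98
 ip nhrp map multicast 10.1.1.99
 ! Let NHRP control the state of the tunnel interface
 if-state nhrp
 tunnel source Ethernet0/0
 tunnel mode gre multipoint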
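The following is an added example, not Cisco code: a small Python audit that reads configuration text like the two examples above and reports a read-write or well-known SNMP community (the SNMP example uses public with rw), trap receivers that use SNMPv1 or v2c (the community string is sent unencrypted), NHRP trap types left disabled, and tunnel interfaces that run NHRP without if-state nhrp. The check names, the audit function and SAMPLE_CONFIG are assumptions made for this illustration.

```python
# Added example, not Cisco code; check IDs and the sample text are assumptions.
NHRP_TRAPS = {"nhs", "nhc", "nhp", "quota-exceeded"}   # trap keywords from this page
WELL_KNOWN = {"public", "private"}                     # widely guessed community strings

# Constructed sample: this page's SNMP example with two trap types left out,
# plus a spoke tunnel that runs NHRP but lacks "if-state nhrp".
SAMPLE_CONFIG = """\
snmp-server community public rw
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server host 192.40.3.130 version 2c public
!
interface Tunnel1
 ip address 10.5.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 10.5.1.98 10.1.1.98
 tunnel mode gre multipoint
"""

def audit(config):
    """Return (check_id, detail) findings for IOS-style configuration text."""
    findings, traps, nhrp_ifs, ifstate_ifs, iface = [], set(), [], set(), None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # a top-level command ends any interface block
            iface = "".join(words[1:]) if words[0] == "interface" else None
        if words[:2] == ["snmp-server", "community"] and len(words) >= 3:
            if "rw" in [w.lower() for w in words[3:]]:   # Set access granted
                findings.append(("SNMP_RW_COMMUNITY", words[2]))
            if words[2].lower() in WELL_KNOWN:
                findings.append(("SNMP_DEFAULT_COMMUNITY", words[2]))
        elif words[:4] == ["snmp-server", "enable", "traps", "nhrp"]:
            traps.update(w for w in words[4:] if w in NHRP_TRAPS)
        elif words[:2] == ["snmp-server", "host"] and len(words) >= 3:
            # With no "version" keyword IOS sends SNMPv1 traps.
            ver = (words + [""])[words.index("version") + 1] if "version" in words else "1"
            if ver in ("1", "2c"):  # community string travels unencrypted
                findings.append(("SNMP_CLEARTEXT_TRAPS", f"{words[2]} v{ver}"))
        elif iface and words[:2] == ["ip", "nhrp"] and iface not in nhrp_ifs:
            nhrp_ifs.append(iface)
        elif iface and words == ["if-state", "nhrp"]:
            ifstate_ifs.add(iface)
    findings += [("NHRP_TRAP_DISABLED", t) for t in sorted(NHRP_TRAPS - traps)]
    findings += [("NO_IF_STATE_NHRP", i) for i in nhrp_ifs if i not in ifstate_ifs]
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check:24} {detail}")
```

A configuration that enables all four NHRP trap types, sends traps with SNMPv3, defines no read-write community and has if-state nhrp on each NHRP tunnel interface produces no findings.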
Additional References
Related Documents
Standards
MIBs
| MIB | MIBs Link |
| • CISCO-NHRP-EXT-MIB • NHRP-MIB | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
| RFC | Title |
| RFC 2332 | NBMA Next Hop Resolution Protocol (NHRP) |
| RFC 2677 | Definitions of Managed Objects for the NBMA Next Hop Resolution Protocol (NHRP) |
Technical Assistance
| Description | Link |
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html |
Feature Information for Tunnel Health Monitoring and Recovery
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Tunnel Health Monitoring and Recovery
| Feature Name | Releases | Feature Information |
| DMVPN—Tunnel Health Monitoring and Recovery | 15.0(1)M | This feature provides support for SNMP NHRP notifications. The following sections provide information about this feature: • NHRP Extension MIB • Configuring Interfaces to Generate SNMP NHRP Notifications. The following commands were introduced or modified: debug snmp mib nhrp notif, snmp-server enable traps nhrp, snmp-server host nhrp. |
| DMVPN—Tunnel Health Monitoring and Recovery (Interface Line Control) | 15.0(1)M | This feature enables NHRP to control the state of the tunnel interface based on the health of the DMVPN tunnels. The following sections provide information about this feature: • Interface State Control • Configuring Interface State Control on an Interface. The following command was introduced: if-state nhrp. |
| DMVPN—Tunnel Health Monitoring and Recovery (Syslog) | 15.0(1)M | This feature enhances existing DMVPN syslog messages to provide additional syslog messages for NHRP for DMVPN events. The following section provides information about this feature: • DMVPN Syslog Messages |
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009-2010 Cisco Systems, Inc. All rights reserved.