
DMVPN Monitoring in Spectrum 9.4

Last activity 06-13-2019 10:14 AM
Support Team ENTIIS TH
10-09-2014 04:53 AM

We are facing an issue with a customer. Our customer used DMVPN technology for the connection from the Head-End Router to the Branch Router. After we discovered our customer's network through Spectrum 9.4, it showed an incorrect topology. We opened this issue with CA Support, but CA Support told us Spectrum 9.4 doesn't support the DMVPN technology yet, and we have to manually create the link connection for the Branch Router. Hopefully, CA Spectrum will be developed to support DMVPN in the next version.

 

 

Thanks

Chamnan

66819269311


Comments

03-16-2019 08:44 AM

The doc is completely lacking on what needs to be done to make this work. What all needs to be done in the VPN manager to discover this correctly?

 

I found someone mentioning removing the tunnel interface exclusion from the VPN manager. I have done that and re-ran VPN discovery with no luck. Do I need to remove all my DMVPN routers and rediscover them again?

02-11-2019 01:13 AM

Feature is delivered as part of Spectrum 10.3.1 GA.

05-03-2018 05:22 PM

I've run into the same issues, and we're at Spectrum 10.2.3 without anything close to DMVPN support. Even the Cisco NHRP MIB doesn't come preinstalled.

 

I'd imagine that since the MIB contains registration and disconnection traps, including the NBMA and tunnel addresses as variables, that Spectrum could perform all the correlations for whether a link is up or down to a shared media model without all these exhausting workarounds.

 

I hope that they'll give this idea some consideration since NHRP has been around for nearly 20 years and still going strong.

03-10-2016 03:40 AM

I have not heard an update on this and it has been a really long time. We are now at Spectrum 10.1 and still no DMVPN support.

07-01-2015 12:53 PM

Thank you for submitting this idea for CA Spectrum. The product team is reviewing / researching this idea. Community members, if you agree that this is a good idea please feel free to vote. Also please feel free to provide additional input using comments.

 

Thanks,

Nagesh

06-15-2015 03:52 PM

My account can really use this. We have over 550 sites and will be over 1000 by year end.

 

I am afraid this is going to cause a performance issue with the tool because it is using a wide area model and not a shared media link.

 

I know we are not the only customer using this technology either. This type of connectivity is very critical to our accounts' needs.

05-22-2015 08:15 AM


Hello,

DMVPN is not supported yet in Spectrum; however, there are other means to monitor this as a workaround. I work for one of the retail chains and we have multiple store locations, where core routers have two tunnels and one 4G connection. In our case we have WA_Segments for 2 tunnels and 4G connections over T1 with MPLS cloud.

 

We also had the same issue where WA_Segments were creating false positive alerts. Due to the inbuilt Fault Isolation, WA_Segments and tunnel ports were both creating alerts, so we changed that configuration to alert only on ports. On the WA_Segment, change the LinkFaultDisposition (0x129e2) to ports only. We have created a GC and policy to handle this attribute change dynamically, as we have auto discovery running every night.

 

The 2nd thing we are doing is configuring all the core routers with NHRP (Next Hop Resolution Protocol) NHRP - Cisco to check the health of the DMVPN. We are running Spectrum 9.4.2.1 but it's lacking the MIBs for Cisco NHRP. I have loaded the MIBs from Cisco and it does provide SNMP trap notification when the server and/or client and/or peer is down. It also provides a RateLimitExceeded alert in case NHRP entities have been very frequently reaching the threshold on the rate of NHRP messages exchanged in an NBMA network. Here is the link to download the NHRP MIBs.

Cisco SNMP Object Navigator

 

The 3rd thing I am in the process of doing is monitoring EIGRP on tunnel ports. In our case, even though the tunnels are up and the cloud link is up, in some cases EIGRP sees less than 2 established connections. I am in the process of finding out the MIB that represents the integer value for this and, if it works, the solution would be to create a SpectroWATCH (I hate it though, as it will put much overload on the SpectroSERVER from a performance perspective).

 

HTH,

C

 

11-20-2014 06:48 AM

Hi: I've seen this error at a customer who rolled out Cisco PfR, which uses DMVPN. The workaround is easy, only needs to be done once, but is tedious. Delete the objects created and re-discover without connections. Then manually connect the edge devices - it stops Spectrum from classifying the links as WA. You *probably* could do this using an en masse attribute edit, but I haven't tried it.

This stops Spectrum from creating the error alarms.

In my customer's experience the Dynamic Multi-point VPN tunnels are actually very stable - they stay up for weeks at a time.  However, sometimes they stop forwarding traffic (L3 fails) so they become black holes.

In my customer's architecture he's using BGP to provide routing between the DCs and the DMVPN sites, so there is a TCP-based BGP-peering connection running through the tunnel, with a Peer keep-alive every 60s.  When a tunnel becomes a black-hole, the BGP peering fails (60s + TCP timeout, usually about 105s) and then the nearside BGP peer sends a trap to Spectrum alerting that a BGP peer has been lost.  I set up a simple set of rules to respond to BGP peering traps so this error produces an Event in Spectrum that creates an alarm that shows which tunnel has failed - tunnel is reset, BGP peering is re-established and all is well.

Beauty of the BGP peering monitoring is that it's free (no watches to set up, no IP-SLA to set up) once the devices send traps to Spectrum, and secondly the monitoring is about the right timescale: 105s maximum before Spectrum raises an alarm.

You could use almost any other L3-traffic monitoring approach to monitor the tunnels - BGP happened to be convenient in this case.

It is true that if you ask CA Support 'Does Spectrum support DMVPN' then you will receive the correct answer, 'No it doesn't'. However, in some DMVPN solutions the tunnels are anything *but* Dynamic - actually very static. If the tunnels are created and destroyed within 10-300 seconds, this will be much more difficult.

Hope that helps.
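The BGP-trap correlation described in the comment above, sketched as an added example that is not part of the original thread and is not CA Spectrum configuration. The trap and bgpPeerState OIDs are from BGP4-MIB; the hub name, peer addresses, tunnel labels and trap records are constructed.

```python
# Added illustration: map BGP4-MIB peer traps to per-tunnel alarm state.
BGP_ESTABLISHED = {"1.3.6.1.2.1.15.7.1", "1.3.6.1.2.1.15.0.1"}
BGP_BACKWARD = {"1.3.6.1.2.1.15.7.2", "1.3.6.1.2.1.15.0.2"}
BGP_PEER_STATE = "1.3.6.1.2.1.15.3.1.2."  # bgpPeerState, indexed by peer IP
ESTABLISHED = 6                            # bgpPeerState value established(6)

# Constructed inventory: (trap sender, BGP peer address) -> tunnel label.
PEER_TO_TUNNEL = {
    ("hub1", "10.255.0.11"): "hub1 Tunnel0 <-> branch-011",
    ("hub1", "10.255.0.12"): "hub1 Tunnel0 <-> branch-012",
}

def _trap(time, trap_oid, peer, state, agent="hub1"):
    """Build one constructed, already-decoded trap record."""
    return {"time": time, "agent": agent, "trap_oid": trap_oid,
            "varbinds": {BGP_PEER_STATE + peer: state}}

# Constructed sample, deliberately out of order and with a repeated down trap.
SAMPLE_TRAPS = [
    _trap(400, "1.3.6.1.2.1.15.7.1", "10.255.0.12", 6),  # peer back up
    _trap(100, "1.3.6.1.2.1.15.7.2", "10.255.0.11", 1),  # peer lost
    _trap(130, "1.3.6.1.2.1.15.7.2", "10.255.0.12", 1),  # peer lost
    _trap(160, "1.3.6.1.2.1.15.7.2", "10.255.0.11", 3),  # same peer, still down
    _trap(500, "1.3.6.1.2.1.15.7.2", "10.255.0.99", 1),  # peer not in inventory
]

def peer_and_state(varbinds):
    """Return (peer_ip, state) from the bgpPeerState varbind, or (None, None)."""
    for oid, value in varbinds.items():
        if oid.startswith(BGP_PEER_STATE):
            return oid[len(BGP_PEER_STATE):], int(value)
    return None, None

def correlate(traps, inventory=PEER_TO_TUNNEL):
    """Return ({tunnel: time first seen down}, [unmapped (agent, peer) keys])."""
    active, unmapped = {}, []
    for trap in sorted(traps, key=lambda t: t["time"]):
        peer, state = peer_and_state(trap["varbinds"])
        if peer is None:
            continue                      # not a BGP peer trap
        key = (trap["agent"], peer)
        tunnel = inventory.get(key)
        if tunnel is None:
            unmapped.append(key)          # surface gaps in the peer inventory
        elif trap["trap_oid"] in BGP_BACKWARD and state != ESTABLISHED:
            active.setdefault(tunnel, trap["time"])  # keep first-down time
        elif trap["trap_oid"] in BGP_ESTABLISHED:
            active.pop(tunnel, None)      # peering re-established: clear alarm
    return active, unmapped
```

Calling `correlate(SAMPLE_TRAPS)` leaves one open alarm for the branch-011 tunnel and reports the trap from the peer that has no inventory entry.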

10-09-2014 07:27 PM

I am not familiar with DMVPN technology, but what I understood about this issue is that Spectrum discovery creates more than 3 connections into one WA_Link model. The WA_Segment model inside the WA_Link model has the following minor alarm:

 

"THREE OR MORE DEVICES CONNECTED BY WA_SEGMENT"

 

Symptoms : SpectroSERVER may exhibit unpredictable behavior and instability.

Probable Cause : The modeling scenario contains a Wide Area Link with a Wide Area Segment that is connecting more than 2 devices. Even though Spectrum allows such an association, this is not the intention of the design of the Wide Area Segment.

Actions : Replace the Wide Area Link and Wide Area Segment models with a Fanout model. The Fanout model is designed for this task and will not cause instability in the SpectroSERVER.

 

I agree Spectrum should handle the WA_Link and connections modeling better in this case.