Ticket#9 – WAN Flap Detection: DMVPN Phase 2 Tunnel Up/Down Issue Fixed [CCNP Enterprise]

Problem Summary

The enterprise monitoring tool detected flapping tunnels between remote branch routers and the HQ hub.
Ticket Priority: High
Issue: DMVPN Phase 2 Tunnel intermittently goes UP/DOWN, causing loss of reachability to HQ and apps like VoIP.


Symptoms Observed

Symptom                            Description
Tunnel state flapping              Tunnel interface repeatedly transitions between UP and DOWN
Intermittent branch connectivity   Branches report frequent packet loss or timeouts
Application drops                  VoIP and file sharing apps become unstable
NHRP registration failure          Logs show repeated NHRP resolution failures
Routing blackholes                 EIGRP routes are missing during flap

Root Cause Analysis

The DMVPN Phase 2 tunnels rely heavily on:

  • NHRP registration and resolution
  • IPsec stability
  • Routing convergence

Key Issues Found:

  • Incorrect tunnel keepalive settings
  • ISP jitter/delay causing GRE/IPsec timeout
  • NHRP entries expiring prematurely
  • EIGRP adjacency reset due to tunnel interface bouncing

The Fix

To resolve the issue:

  1. Verified MTU/MSS values to avoid fragmentation.
  2. Increased tunnel keepalive values to handle ISP-induced delay.
  3. Adjusted NHRP hold and registration timers for better resilience.
  4. Confirmed EIGRP hello/hold timers are in sync.
  5. Enabled logging and debugging to validate post-fix stability.

EVE-NG Lab Topology

IP Scheme:

Device   Tunnel Interface   Tunnel IP   Physical IP   Role
R1       Tunnel0            10.0.0.1    192.0.2.1     Hub
R2       Tunnel0            10.0.0.2    192.0.2.2     Spoke
R3       Tunnel0            10.0.0.3    192.0.2.3     Spoke

Basic Config Snippet (R1 Hub):

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source Ethernet0/0
 ! mGRE hub: no tunnel destination, spoke NBMA (public) addresses are learned via NHRP registration
 tunnel mode gre multipoint
 ! replicate multicast (EIGRP hellos) to every spoke that registers dynamically
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! tunnel key and network-id must match on every spoke
 tunnel key 100
 ! leave room for GRE/IPsec overhead so tunnel packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360

R2 Spoke:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Ethernet0/0
 ! no tunnel destination: an mGRE interface does not take one, the hub is reached through the static NHRP mapping below
 tunnel mode gre multipoint
 ! static mapping for the hub's tunnel IP -> public IP, plus multicast so EIGRP hellos reach the hub
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ! register with the hub as next-hop server; without this line the spoke never registers
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 tunnel key 100
 ! same MTU/MSS as the hub to avoid fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360

Verification

Verification Step       Command                                          Expected Output
Check Tunnel Status     show ip int brief                                Tunnel UP, Line Protocol UP
Check NHRP Entries      show ip nhrp                                     Mappings for hub and spokes
Check EIGRP Neighbors   show ip eigrp neighbors                          Stable neighbor relationships
Ping via Tunnel         ping 10.0.0.1 source tunnel0                     Success
Monitor Flap            show interface tunnel0 | include line protocol   Line protocol stays up (no repeated state changes)
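The "Monitor Flap" step is what a monitoring tool automates from syslog. As an added example (not code from the original article), this Python script counts line-protocol transitions per interface inside a sliding window over a constructed IOS syslog excerpt and flags the tunnel as flapping; the timestamp form assumes `service timestamps log datetime year` on the router.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IOS %LINEPROTO-5-UPDOWN message for a line-protocol change. Timestamp format assumes
# 'service timestamps log datetime year' (the constructed sample below uses that form).
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d)(?:\.\d+)?: %LINEPROTO-5-UPDOWN: "
    r"Line protocol on Interface (?P<intf>\S+), changed state to (?P<state>up|down)$"
)

def parse_event(line):
    """Return (timestamp, interface, state) for a line-protocol event, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("intf"), m.group("state")

def detect_flaps(lines, window=timedelta(minutes=5), threshold=4):
    """Flag interfaces whose line protocol changed state at least `threshold` times
    within any sliding window of length `window`. Returns {interface: peak count}."""
    recent = defaultdict(deque)   # interface -> transition timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, intf, _state = ev
        q = recent[intf]
        q.append(ts)
        while q and ts - q[0] > window:   # evict transitions older than the window
            q.popleft()
        peak[intf] = max(peak[intf], len(q))
    return {i: n for i, n in peak.items() if n >= threshold}

# Constructed syslog excerpt (not from the article): Tunnel0 bounces twice in about 2.5 minutes,
# EIGRP loses its neighbor on the first drop, and an unrelated interface comes up much later.
SAMPLE_LOG = """\
Jan 10 2024 09:00:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Jan 10 2024 09:00:04: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.0.0.1 (Tunnel0) is down: interface down
Jan 10 2024 09:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Jan 10 2024 09:01:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Jan 10 2024 09:02:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Jan 10 2024 09:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
""".splitlines()

if __name__ == "__main__":
    print(detect_flaps(SAMPLE_LOG))   # {'Tunnel0': 4}
```

Feed it the real syslog stream (or the router's logging buffer) and raise a ticket when an interface crosses the threshold rather than waiting for users to report VoIP drops.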

Key Takeaways

  • DMVPN is sensitive to transport layer instability.
  • Always tune NHRP and routing timers carefully.
  • Tunnel MTU and MSS must align with encryption overhead.
  • Logging and debugging are your best friends.
  • Phase 2 relies on direct spoke-to-spoke reachability.

Best Practices and Design Tips

  • Use Phase 3 DMVPN where feasible to improve routing scalability.
  • Configure tunnel protection ipsec profile properly to avoid unnecessary drops.
  • Keep tunnel key and network-id consistent across devices.
  • Enable tunnel keepalives (recommended: 10 sec/3 retries).
  • Monitor with IP SLA and SNMP for proactive detection.
  • Don’t rely solely on show commands—packet capture and debugs help!

FAQs


1. Why does DMVPN tunnel flap in Phase 2?

Answer:
Flapping can occur due to GRE/IPsec instability, NHRP registration failures, or physical transport issues (like WAN jitter).


2. What is the role of NHRP in DMVPN Phase 2?

Answer:
NHRP dynamically maps tunnel IPs to public IPs, allowing spokes to learn how to reach each other directly without going through the hub.


3. How can I check if my NHRP mappings are correct?

Answer:
Use:

show ip nhrp

Ensure all expected mappings are present with correct public IPs.
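Checking those mappings by eye does not scale past a few spokes. As an added example (not code from the original article), this Python script parses a constructed hub `show ip nhrp` output, compares it with the tunnel-IP to public-IP table from the IP scheme above, and also reports entries that are about to expire, which is the premature-expiry symptom from the root cause analysis.

```python
import re

# Expected tunnel IP -> public (NBMA) IP mappings on the hub, from the IP scheme table above.
EXPECTED_NBMA = {"10.0.0.2": "192.0.2.2", "10.0.0.3": "192.0.2.3"}

ENTRY_RE = re.compile(r"^(\d+(?:\.\d+){3})/\d+ via ")   # block header at column 0
EXPIRE_RE = re.compile(r"expire (\d\d):(\d\d):(\d\d)")
NBMA_RE = re.compile(r"NBMA address: (\S+)")

def parse_show_ip_nhrp(text):
    """Parse IOS 'show ip nhrp' output into {tunnel_ip: {"nbma": ..., "expire_s": ...}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = entries.setdefault(m[1], {"nbma": None, "expire_s": None})
        elif cur is not None:   # indented detail lines belong to the current block
            if (m := EXPIRE_RE.search(line)):
                cur["expire_s"] = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
            if (m := NBMA_RE.search(line)):
                cur["nbma"] = m[1]
    return entries

def check_mappings(entries, expected=EXPECTED_NBMA, min_expire_s=60):
    """One problem string per expected spoke that is missing, mapped to the wrong public IP,
    or whose entry is about to expire (a spoke that keeps re-registering late looks like this)."""
    problems = []
    for tun, nbma in expected.items():
        e = entries.get(tun)
        if e is None:
            problems.append(f"{tun}: no NHRP entry, spoke has not registered")
        elif e["nbma"] != nbma:
            problems.append(f"{tun}: NBMA {e['nbma']} does not match expected {nbma}")
        elif e["expire_s"] is not None and e["expire_s"] < min_expire_s:
            problems.append(f"{tun}: entry expires in {e['expire_s']}s")
    return problems

# Constructed hub output (not from the article): R2 is healthy, R3's entry is about to expire.
SAMPLE_OUTPUT = """\
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:12:31, expire 01:47:28
   Type: dynamic, Flags: unique registered used
   NBMA address: 192.0.2.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:09, expire 00:00:11
   Type: dynamic, Flags: unique registered
   NBMA address: 192.0.2.3
"""
```

Running `check_mappings(parse_show_ip_nhrp(SAMPLE_OUTPUT))` on the constructed output returns a single finding for 10.0.0.3; a spoke whose public IP changed (for example after an ISP failover) shows up as an NBMA mismatch instead.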


4. How do tunnel keepalives help in troubleshooting?

Answer:
Keepalives detect if the remote endpoint is still responsive and can bring the tunnel down gracefully if not.


5. What if EIGRP adjacencies keep resetting?

Answer:
Check tunnel flaps and MTU mismatch. Use show ip eigrp neighbor detail for timer-related resets.


6. How do I reduce fragmentation in DMVPN tunnels?

Answer:

  • Set MTU to 1400
  • Adjust TCP MSS to 1360
    This compensates for IPsec and GRE header overhead.

7. What causes NHRP registration to fail?

Answer:
Incorrect tunnel config, IPsec negotiation failure, or mismatched tunnel key/network ID.


8. Can Phase 2 allow spoke-to-spoke traffic?

Answer:
Yes. Phase 2 allows direct spoke communication using NHRP redirection and shortcut.


9. When should I move to Phase 3?

Answer:

  • Large network size
  • Dynamic routing scalability
  • Reducing hub bottleneck

10. What debugs are helpful in DMVPN tunnel issues?

Answer:
Use:

  • debug nhrp
  • debug tunnel
  • debug crypto isakmp
  • debug crypto ipsec

11. What if my tunnel is UP but traffic fails?

Answer:

  • Verify IPsec is up
  • Check access-lists or firewalls
  • Confirm routing table entries

12. How to simulate this in EVE-NG?

Answer:
Use CSR1000v or IOU images. Ensure they support GRE/IPsec/NHRP.


13. Is it necessary to configure IPsec in DMVPN?

Answer:
Yes, especially in real-world or exam environments. DMVPN without IPsec lacks confidentiality.


14. Does DMVPN work with dual ISPs?

Answer:
Yes, but you’ll need dual tunnel sources and careful NHRP/public IP handling.


15. How to monitor DMVPN health long-term?

Answer:

  • show ip nhrp
  • show dmvpn
  • Syslog traps and SNMP
  • NetFlow for tunnel usage

YouTube Link

Watch the Complete CCNP Enterprise: WAN Flap Detection: DMVPN Phase 2 Tunnel Up/Down Issue Fixed Demo & Explanation on our channel:

Class 1 CCNP Enterprise Course and Lab Introduction | FULL COURSE 120+ HRS | Trained by Sagar Dhawan
Class 2 CCNP Enterprise: Packet Flow in Switch vs Router, Discussion on Control, Data and Management
Class 3 Discussion on Various Network Device Components
Class 4 Traditional Network Topology vs SD Access Simplified

Final Note

Understanding how to detect and fix DMVPN Phase 2 tunnel flapping is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.

If you found this article helpful and want to take your skills to the next level, I invite you to join my Instructor-Led Weekend Batch for:

CCNP Enterprise to CCIE Enterprise – Covering ENCOR, ENARSI, SD-WAN, and more!

Get hands-on labs, real-world projects, and industry-grade training that strengthens your Routing & Switching foundations while preparing you for advanced certifications and job roles.

Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

Upskill now and future-proof your networking career!