Cisco Systems GRE Tunnel up/up Cannot ping tunnel interface

Subject Author Date
GRE Tunnel up/up Cannot ping tunnel interface tsvanduyn@yahoo.com 03-06-06
Posted by tsvanduyn@yahoo.com on March 6, 2006, 3:55 pm
I set up a GRE tunnel between two Cisco 2621 routers. They are both
running IOS c2600-advsecurityk9-mz.123-6c.bin. When I do a show ip int
brief they both show up/up. I can ping the tunnel address the router
is on but not the far end. This is true for both routers. I can also
ping both the source and dest. of the tunnel from both routers. So I
know that there shouldn't be any recursive routing problems. I have
looked all over the Cisco site trying to find some troubleshooting
information, but I don't see anything that applies. Any help would be
appreciated.

Here is a copy of my configs:

Corp Router:
interface Tunnel65
ip address 10.15.65.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 200.62.203.198
interface FastEthernet0/0
ip address 60.197.140.33 255.255.255.248
no ip mroute-cache
duplex auto
speed auto
ip route 200.62.203.198 255.255.255.255 60.197.140.34

Dest. Router
interface Tunnel65
ip address 10.15.65.65 255.255.255.0
tunnel source Dialer2
tunnel destination 60.197.140.33
interface Dialer2
ip address negotiated (Stays the same-Really a static)
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip inspect to_internet out
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap pap callin
ppp pap sent-username *******@static.sbcglobal.net password 7
*************************
ip route 60.197.140.33 255.255.255.255 dialer2

Thanks,
Travis


Posted by Charlie Root on March 6, 2006, 5:41 pm

> I set up a GRE tunnel between two Cisco 2621 routers. They are both
> running IOS c2600-advsecurityk9-mz.123-6c.bin. When I do a show ip int
> brief they both show up/up. I can ping the tunnel address the router

By default, a tunnel will stay up as long as there is a route entry to reach
the destination of the tunnel. If you would like the tunnel to actually
reflect its operational capability, you can enable the 'keepalive' command in
the interface tunnel configuration.

> is on but not the far end. This is true for both routers. I can also
> ping both the source and dest. of the tunnel from both routers. So I
> know that there shouldn't be any recursive routing problems. I have
> looked all over the Cisco site trying to find some troubleshooting
> information, but I don't see anything that applies. Any help would be
> appreciated.
>
> Here is a copy of my configs:
>
[...]

> interface Dialer2
> ip address negotiated (Stays the same-Really a static)
^^^^
The problem is here - this address is not known at the time when the Tunnel
interface is created, or is lost during an interface reset (unfortunately it
won't be communicated back to the tunnel interface). I have just tried to
reproduce this scenario and it was working as long as I had a statically
configured IP on the interface used as source for the tunnel. As soon as I
reconfigured it to be 'ip addr nego' and got an interface reset, 'sh int
tun0' displays that the source address is 0.0.0.0. And I can ping the
destination of the tunnel, but the tunnel is down (because I enabled
keepalive). As soon as I change the IP of the WAN interface back to static,
the tunnel comes up.

So my suggestion to you would be to have some static IP as source of the
tunnel. I always try to use loopback as source of a tunnel interface.

I've put some output here -
http://citadel.nobulus.com/~ilya/notes/archives/000018.html - so that you
can compare it with what you're seeing.

Hope it helps.

Kind regards,
iLya
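
A small offline check for the two conditions discussed in the reply above (a tunnel with no 'keepalive', and a tunnel sourced from an interface configured with 'ip address negotiated'), added here as an example and not posted by anyone in the thread. The function names are hypothetical, the sample configs are trimmed from the ones posted above, and interface names are assumed to be written out in full.

```python
import re

# Sample configs trimmed from the ones posted in the thread.
CORP = """interface Tunnel65
ip address 10.15.65.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 200.62.203.198
interface FastEthernet0/0
ip address 60.197.140.33 255.255.255.248
ip route 200.62.203.198 255.255.255.255 60.197.140.34"""

DEST = """interface Tunnel65
ip address 10.15.65.65 255.255.255.0
tunnel source Dialer2
tunnel destination 60.197.140.33
interface Dialer2
ip address negotiated
encapsulation ppp
ip route 60.197.140.33 255.255.255.255 dialer2"""

def parse_interfaces(config):
    """Map lower-cased interface name -> list of its lower-cased sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            current = m.group(1).lower()
            interfaces[current] = []
        elif re.match(r"(ip route|router|line|end)\b", line, re.I):
            current = None  # a global command closes the interface block
        elif current:
            interfaces[current].append(line.lower())
    return interfaces

def lint_tunnels(config):
    """Return (tunnel, finding) pairs for the conditions named in the thread."""
    ifs, findings = parse_interfaces(config), []
    for name, cmds in ifs.items():
        if not name.startswith("tunnel"):
            continue
        if not any(c.startswith("keepalive") for c in cmds):
            # Without keepalive, up/up only means a route to the destination exists.
            findings.append((name, "no-keepalive"))
        src = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), None)
        if src and any(c.startswith("ip address negotiated") for c in ifs.get(src, [])):
            findings.append((name, "negotiated-source"))
    return findings
```
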




Posted by tsvanduyn@yahoo.com on March 6, 2006, 6:31 pm
Ilya,

Thank you very much for your reply. I added the keepalives to both
router configs and now they are reporting tunnel is up/down. Which
makes sense because I cannot ping the far end of the tunnel interfaces.
Your explanation about the ip add negotiated also makes sense, but the
static address I get from my provider is only issued with the ip
address negotiated command. Is there a way around this? Have you
ever set up GRE tunnels with NHRP? I read that that kind of setup would
support negotiated addresses. Again, thank you for all your input.

Travis


Posted by Charlie Root on March 7, 2006, 5:40 am
> Ilya,
>
> Thank you very much for your reply. I added the keepalives to both
> router configs and now they are reporting tunnel is up/down. Which
> makes sense because I cannot ping the far end of the tunnel interfaces.
> Your explanation about the ip add negotiated also makes sense, but the
> static address I get from my provider is only issued with the ip
> address negotiated command. Is there a way around this? Have you

If this is the address you always get, perhaps you could configure it
statically?

> ever set up GRE tunnels with NHRP? I read that that kind of setup would
> support negotiated addresses. Again, thank you for all your input.
>
I've just briefly looked at GRE and NHRP setups and they always seem to be
used in NBMA fashion. I don't do many tunnels as we basically set up either
MPLS VPN for a customer or IPSec terminated in MPLS VPN, or if there are
tunnels for multiple VPN access they are sourced from loopback interfaces,
so I can't comment on the applicability of NHRP in your case. One practical
solution I could suggest is to configure your central router as an IPSec
concentrator and use Easy-VPN on the remote routers.

Kind regards,
iLya


