GRE Tunnel up/up Cannot ping tunnel interface

I set up a GRE tunnel between two Cisco 2621 routers. They are both running IOS c2600-advsecurityk9-mz.123-6c.bin. When I do a show ip int brief they both show up/up. I can ping the tunnel address the router is on but not the far end. This is true for both routers. I can also ping both the source and dest. of the tunnel from both routers. So I know that there shouldn't be any recursive routing problems. I have looked all over the Cisco site trying to find some troubleshooting information, but I don't see anything that applies. Any help would be appreciated.

Here is a copy of my configs:

Corp Router:

interface Tunnel65
 ip address 10.15.65.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 200.62.203.198

interface FastEthernet0/0
 ip address 60.197.140.33 255.255.255.248
 no ip mroute-cache
 duplex auto
 speed auto

ip route 200.62.203.198 255.255.255.255 60.197.140.34

Dest. Router:

interface Tunnel65
 ip address 10.15.65.65 255.255.255.0
 tunnel source Dialer2
 tunnel destination 60.197.140.33

interface Dialer2
 ip address negotiated (Stays the same-Really a static)
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect to_internet out
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
 ppp pap sent-username *******@static.sbcglobal.net password 7 *************************

ip route 60.197.140.33 255.255.255.255 dialer2

Thanks, Travis

Reply to
tsvanduyn

By default, a tunnel will stay up as long as there is a route entry to reach the destination of the tunnel. If you would like the tunnel to actually reflect its operational capability you can enable the 'keepalive' command in the tunnel interface configuration.

[...]

^^^^ the problem is here - this address is not known at the time when the Tunnel interface is created, or is lost during an interface reset (unfortunately it won't be communicated back to the tunnel interface). I have just tried to reproduce this scenario and it was working as long as I had a statically configured IP on the interface used as source for the tunnel. As soon as I reconfigured it to be 'ip addr nego' and got an interface reset, 'sh int tun0' displays that the source address is 0.0.0.0. And I can ping the destination of the tunnel, but the tunnel is down (because I enabled keepalive). As soon as I change the IP of the WAN interface back to static, the tunnel comes up.

So my suggestion to you would be to have some static IP as source of the tunnel. I always try to use loopback as source of a tunnel interface.

I've put some output here - formatting link - so that you can compare it with what you're seeing.

Hope it helps.

Kind regards, iLya

Reply to
Charlie Root

Ilya,

Thank you very much for your reply. I added the keepalives to both router configs and now they are reporting tunnel is up/down. Which makes sense because I cannot ping the far end of the tunnel interfaces. Your explanation about the ip add negotiated also makes sense, but the static address I get from my provider is only issued with the ip address negotiated command. Is there a way around this? Have you ever set up GRE tunnels with NHRP? I read that that kind of setup would support negotiated addresses. Again, thank you for all your input.

Travis

Reply to
tsvanduyn

If this is the address you always get, perhaps you could configure it statically?

I've just briefly looked at GRE and NHRP setups and they always seem to be used in NBMA fashion. I don't do many tunnels as we basically set up either MPLS VPN for a customer or IPSec terminated in MPLS VPN, or if there are tunnels for multiple VPN access they are sourced from loopback interfaces, so I can't comment on the applicability of NHRP in your case. One practical solution I could suggest is to configure your central router as an IPSec concentrator and use Easy-VPN on the remote routers.

Kind regards, iLya

Reply to
Charlie Root

try tunnel mode ipip

Reply to
Alex

It turned out that my router ACL was blocking me. I have an Internet Router that goes to a Checkpoint FW and the router I am configuring was off of that router. I had everything right for the Checkpoint, but I missed an ACL line on the Internet Router which was breaking me.

I was able to get the tunnels up and working, but when I added IPsec I did not get the expected EIGRP routing updates. It seems to be set correctly because when I set it up with static routes I am able to ping and get everywhere that I expected, just no routing updates. I followed the guide on Cisco's website: GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites Configuration.

I also still want to try the NHRP template stuff and I will try the "tunnel mode ipip" command, but I don't understand why I can't get dynamic routing updates through my GRE/IPsec tunnel. Any ideas?

Thanks, Travis

Reply to
tsvanduyn
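
The two findings from this thread written out as IOS configuration, as an added example that is not from any poster: GRE keepalives make a filtered path show as up/down instead of up/up, and the upstream router's ACL has to permit GRE (IP protocol 47) between the tunnel endpoints. The ACL name INTERNET-IN, its direction and the keepalive timers are assumptions; the addresses are the ones posted above.

```cisco
! On each tunnel endpoint: send a GRE keepalive every 10 seconds and
! take the line protocol down after 3 missed replies. Without this the
! tunnel stays up/up as long as a route to the destination exists.
interface Tunnel65
 keepalive 10 3
!
! On the Internet router in front of the Corp router (hypothetical
! inbound ACL name). Entries written as "permit tcp", "permit udp" or
! "permit icmp" do not match GRE, so pings between the tunnel source
! and destination can succeed while the tunnel traffic is dropped.
ip access-list extended INTERNET-IN
 permit gre host 200.62.203.198 host 60.197.140.33
!
! If traffic leaving the site is filtered as well, the mirror entry is
! needed in that (equally hypothetical) outbound ACL:
!  permit gre host 60.197.140.33 host 200.62.203.198
!
! Checks from exec mode:
!  show interfaces Tunnel65       line protocol state and keepalive setting
!  show access-lists INTERNET-IN  match counter on the "permit gre" entry
```

A match counter that stays at zero on the `permit gre` entry while the tunnel reports up/down points at filtering on another device in the path.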
