Problem with GRE tunnel not coming up

Hi,

I have a problem with one end of a GRE tunnel not coming up.

I have an IPSec LAN 2 LAN VPN between two sites. Site A, the VPN terminates on an ASA 5520. On site B it terminates on an ISR 3825 (RTRB). The IPSec VPN is up and works perfectly.

For various reasons I need the traffic between Site A and Site B to go via a 3825 router (RTRA) in Site A. So I created a GRE tunnel between the two routers. However, I'm having trouble with the tunnel interface on RTRA. At first it wouldn't come up. Then I assigned it (and the corresponding I/F in RTRB) an IP address - I had originally used ip unnumbered. After that, it came up.

After that I tried tightening up the crypto ACL for the IPSec tunnel. The tunnel I/F on RTRA went down again and won't come back up. I have put the ACLs back the way they were. However, the tunnel still won't come up on RTRA. Oh, the tunnel key and mss settings are just suggestions I tried after a Google search. Taking them off makes no difference.

Anyone have any ideas?

Topology
===================
      Site A                              Site B

+----+  +----------+  +---+          +----+  +----------+
|RTRA+--+10.4.0.253+--+ASA+-Internet-+RTRB+--+10.5.0.253|
+----+  +----------+  +---+          +----+  +----------+

RTRA
===================
interface Tunnel1
 ip address 10.9.1.5 255.255.255.252
 ip tcp adjust-mss 1436
 keepalive 30 3
 tunnel source Loopback1
 tunnel destination 10.5.127.2
 tunnel key 12345
end
!
interface Loopback1
 ip address 10.4.127.2 255.255.255.255
end

ip route 0.0.0.0 0.0.0.0 10.4.0.253
ip route 10.5.0.0 255.255.0.0 Tunnel1
ip route 10.5.127.2 255.255.255.255 10.4.0.253

RTRB
===================
interface Tunnel0
 description GRE Tunnel to RouterA
 ip address 10.9.1.6 255.255.255.252
 ip tcp adjust-mss 1436
 tunnel source Loopback1
 tunnel destination 10.4.127.2
 tunnel key 12345
end
!
interface Loopback1
 ip address 10.5.127.2 255.255.255.255
end

ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 10.4.127.2 255.255.255.255 x.x.x.x
ip route 10.5.0.0 255.255.0.0 10.5.0.253

RTRA#show int tu1
Tunnel1 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.9.1.5/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (30 sec), retries 3
  Tunnel source 10.4.127.2 (Loopback1), destination 10.5.127.2
  Tunnel protocol/transport GRE/IP, key 0x3039, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 01:13:24, output 00:00:15, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5306 packets input, 637764 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3742 packets output, 511936 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

RTRA#ping
Protocol [ip]:
Target IP address: 10.5.127.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.4.127.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.127.2, timeout is 2 seconds:
Packet sent with a source address of 10.4.127.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 408/408/408 ms

RTRA#show ver
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.3(11)T7, RELEASE SOFTWARE (fc3)
Technical Support:
(c) 1986-2005 by Cisco Systems, Inc.
Compiled Sat 30-Jul-05 00:02 by dchih

ROM: System Bootstrap, Version 12.3(11r)T1, RELEASE SOFTWARE (fc1)

RTRA uptime is 5 weeks, 6 days, 9 hours, 13 minutes
System returned to ROM by power-on
System restarted at 07:19:18 AWDT Mon Dec 10 2007
System image file is "flash:c3825-advipservicesk9-mz.123-11.T7.bin"

RTRB#show int tu0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: GRE Tunnel to RouterA
  Internet address is 10.9.1.6/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.5.127.2 (Loopback1), destination 10.4.127.2
  Tunnel protocol/transport GRE/IP
    Key 0x3039, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 01:11:12, output 00:01:47, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 1 packets/sec
     3524 packets input, 497828 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5272 packets output, 635122 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

RTRB#ping
Protocol [ip]:
Target IP address: 10.4.127.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.5.127.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.127.2, timeout is 2 seconds:
Packet sent with a source address of 10.5.127.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 408/408/412 ms

RTRB#show ver
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.4(11)T4, RELEASE SOFTWARE (fc3)
Technical Support:
(c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 26-Oct-07 22:26 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RTRB uptime is 1 week, 4 days, 11 hours, 44 minutes
System returned to ROM by power-on
System restarted at 16:44:35 UTC Tue Jan 8 2008
System image file is "flash:c3825-advipservicesk9-mz.124-11.T4.bin"

DC

I have the exact same issue believe it or not. I am going to open up a case with TAC tomorrow. Have you had any resolution on this? I am able to get the tunnel to come up on some routers but not on all.

Greg

Greg said the following on 22/01/2008 11:23 AM:

Nope, I haven't. Please post any resolution you find here.

Cheers.

DC


You seem to have keepalives set on one tunnel (RTRA) but not the other (RTRB). You need to either remove keepalives on RTRA's Tunnel1, or add them with the same configuration on RTRB's Tunnel0.

Also, the other common reason for a tunnel not showing as up is that either the tunnel source is unspecified (or invalid) or that the destination address is not in the routing table (or is routed to null0). However you seem to have covered this off with your pings, so I'd be looking at the keepalives first & foremost.

HTH.

Al

My problem was I was trying to build this tunnel within a VRF. The code I was running does not allow this to happen.

Greg

Al said the following on 24/01/2008 5:04 AM:

Doh! How did I miss that.

Thanks.

DC
