Solved: I resolve this issue using - Page 2

santipongv · ‎01-23-2008

I have 7 remote locations connect to our main site through IPSec VPN. I also have GRE tunnel established between remote locations and our main site. EIGRP neighbor is established through GRE tunnel. Lately, EIGRP neighbors have been flapping more frequent. Internet service did not go down at the remote sites when EIGRP flapped. Any thoughts of what might be causing this problem?

Jan 22 13:59:30.489: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 192.168.62.81 (Tunnel7) is down: holding time expired

Jan 22 13:59:31.081: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 192.168.62.73 (Tunnel6) is down: holding time expired

Jan 22 13:59:31.369: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 192.168.62.57 (Tunnel2) is down: holding time expired

Jan 22 13:59:32.565: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 192.168.62.65 (Tunnel4) is down: Interface Goodbye received

Jan 22 13:59:33.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 192.168.62.25 (Tunnel1) is down: holding time expired

Jan 22 13:59:33.986: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 192.168.62.85 (Tunnel8) is down: Interface Goodbye received

Jan 22 13:59:34.142: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 192.168.62.45 (Tunnel3) is down: holding time

Thank you.

santipongv · ‎01-25-2008

Rick,

Would you like me to try adding the following statement on Hub router?

ip route 192.168.62.32 255.255.255.255 192.168.62.57

192.168.62.32 - Loopback2 R1-VPN

192.168.62.57 - Tunnel2 R1-VPN

Regards,

Santi

Richard Burts · ‎01-25-2008

Santi

NO. I would not like to have a static route which indicates that the tunnel destination is reached by going through the tunnel. If you do a static route it should indicate the next hop as the physical interface next hop that it will take on its way out to the other router.

HTH

Rick

HTH

Rick

santipongv · ‎01-25-2008

Rick,

You mean a static route to Loopback2 interface of R1-VPN via a physical next hop IP address, correct? I will try and will observe the result.

Regards,

Santi

Richard Burts · ‎01-25-2008

Santi

Yes that is what I mean. If you do a static route on the Hub, then it should be for the loopback 2 (tunnel destination as specified on Hub) and should have its next hop as some physical interface from Hub.

HTH

Rick

HTH

Rick

santipongv · ‎01-25-2008

Rick,

I will let you know the result. Thank you.

Regards,

Santi

santipongv · ‎01-28-2008

Rick,

I looked at the configurations again. There is in fact a static route statement for Loopback 2 (Tunnel destinatin as specified on Hub) on the IPSed Hub router sitting in front of this GRE Hub router.

Internet router <=> Firewall <=> IPSec Hub router <=> Firewall <=> GRE Hub router <=> Internal network

Will this make a difference?

Regards,

Santi

Richard Burts · ‎01-28-2008

Santi

In terms of what we have been talking about I do not think that a static route on another router would make a difference. The fundamental question is about the router that terminates the GRE tunnel and what route it would use to reach the tunnel destination. If the router is learning the tunnel destination address via EIGRP and if it selects the EIGRP route through the tunnel as the best way to reach the tunnel destination then it leads to the recursion problem. The router needs some route that it will prefer to the EIGRP route. A static route on the next router does not help this issue.

HTH

Rick

HTH

Rick

santipongv · ‎01-28-2008

Rick,

Why is it that some of the eigrp neighbors through GRE tunnels are more stable than others (If there are no static routes to Loopback for those GRE tunnel destinations from the GRE Hub router)?

Regards,

Santi

santipongv · ‎01-29-2008

Rick,

I added the suggested static route on the GRE Hub router, EIGRP appears to be more stable. Thank you for your advice.

Regards,

Santi

Richard Burts · ‎01-29-2008

Santi

This has been an interesting discussion and I am glad that my responses have been helpful.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

HTH

Rick

santipongv · ‎01-29-2008

Rick,

Yes, it has indeed. I couldn't agree with you more aobut the discussion forum. I learn a lot from this forum. I will continue to participate in the forum. Thank you!

Regards,

Santi

FrankCisco049 · ‎06-02-2016

I resolve this issue using the command neighbor in bought locations.

I dont use IP sec, but Im sure that is no a security problem.

EIGRP by default uses multicast for neighbor discovery but it also allows you to configure EIGRP neighbors statically. Once you do this, EIGRP will only use unicast and disables EIGRP multicast on the selected interface.

This is my config.

Current configuration : 295 bytes
!
interface Tunnel1
bandwidth 100000
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
ip hold-time eigrp 500 35
no ip next-hop-self eigrp 500
ip tcp adjust-mss 1360
no ip split-horizon eigrp 500
tunnel source FastEthernet0/0
tunnel destination 172.16.4.2
tunnel path-mtu-discovery
end

R3#show run | sec router eig
R3#show run | sec router eigrp
router eigrp 500
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
neighbor 172.16.1.2 Tunnel1
R3#

Building configuration...

Current configuration : 295 bytes
!
interface Tunnel1
bandwidth 100000
ip address 172.16.1.2 255.255.255.0
ip mtu 1400
ip hold-time eigrp 500 35
no ip next-hop-self eigrp 500
ip tcp adjust-mss 1360
no ip split-horizon eigrp 500
tunnel source FastEthernet0/0
tunnel destination 172.16.3.2
tunnel path-mtu-discovery
end

R4#show run | sec router eigrp
router eigrp 500
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
neighbor 172.16.1.1 Tunnel1
R4#

EIGRP neighbors flapping through GRE tunnel