01-14-2021 12:26 PM
Hi experts,
I have setup S2S VPN on my ISR router with peer in cloud.
Both IKE and IPsec are up; in the IPsec SA, I can see 0 packets getting encapsulated.
I have configured BGP with one of my loopback as neighbour on peer firewall.
And I can see the VPN ACL statement allowing the loopback IP to activate BGP is getting hit.
That means the router is trying to initiate BGP with the neighbor on the other side of the VPN.
Need help in understanding why packets are not getting encapsulated.
01-14-2021 01:02 PM
Hello,
is the BGP connection up? Post the config of your ISR (and if you have access to the cloud peer, that config as well)...
01-14-2021 06:42 PM
Hi Georg,
BGP is not coming up, as I can see none of my packets are getting encapsulated, so the BGP initiation request from my ISR is not getting into the tunnel itself to reach the neighbor.
Also at the peer end, we have configured a tunnel monitor for another loopback of the ISR. I am able to see a decapsulated packet count for that IPsec SA.
01-14-2021 03:50 PM
1- BGP must use the loopback as update source.
2- The IGP route for the BGP neighbor establishment must pass through the interface you configured IPsec on.
01-14-2021 06:48 PM
Yes, we have the update-source loopback statement at both ends.
The peer is Palo Alto in cloud and we do have similar configuration at that end.
But don't have access to run the packet capture there.
01-15-2021 12:08 AM
Hello,
At the very least, post the configuration of your Cisco router; without seeing what you have configured, it remains guesswork. Do you have anyone available on the Palo Alto side to check the settings?
01-15-2021 02:16 PM
The comment about IPsec tunnels not supporting routing protocols is true for protocols like EIGRP or OSPF that use multicast packets. But it does not apply to BGP, which uses only unicast TCP packets.
I agree that it would be helpful if we saw the configuration on the Cisco side. I would also ask that the original poster give us the output of show crypto isakmp and of show crypto ipsec sa.
I have experienced the symptom of zero packets encapsulated for an IPsec tunnel. Frequently it reflects a problem with address translation translating traffic that should not be translated, or a problem with routing logic that is not returning traffic through the tunnel.
01-14-2021 09:30 PM
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html
All we know is that IPsec does not support routing protocols because it does not support multicast,
BUT
also, and I am not 100% sure, it also does not support BGP.
So the solution is to move to VTI:
we configure VTI on both sides and protect the traffic with IPsec, and it is easy to configure BGP over this tunnel.
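Added example, not from the thread or any poster: a Cisco IOS route-based (static VTI) configuration for the loopback-to-loopback BGP peering the thread describes, with the route and NAT checks raised above. All addresses, names and AS numbers are constructed placeholders; it assumes IKEv1 with a pre-shared key and a Palo Alto peer whose proxy ID is 0.0.0.0/0 to match the VTI's any/any selector.

```cisco
! Added example (not from the thread): Cisco IOS static VTI carrying eBGP between
! loopbacks, as suggested above. All addresses, names and AS numbers are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Route-based tunnel: the VTI selector is any/any, so the Palo Alto side needs a
! matching proxy ID of 0.0.0.0/0 (or none) for phase 2 to agree.
interface Tunnel0
 ip address 169.254.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! The peer loopback must be routed INTO the tunnel. Without this route the BGP SYNs
! follow whatever route exists (usually the default) in clear text and encaps stays at 0.
ip route 10.255.1.1 255.255.255.255 Tunnel0
!
! Tunnel0 has no NAT role, so traffic routed into it is never translated. With a
! crypto map on Gi0/0/0 instead, this deny would be mandatory, because inside-to-outside
! NAT runs before encryption and the rewritten source no longer matches the crypto ACL.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
!
router bgp 65001
 neighbor 10.255.1.1 remote-as 65002
 neighbor 10.255.1.1 update-source Loopback0
 ! loopbacks are not adjacent, so eBGP needs a TTL above the default of 1
 neighbor 10.255.1.1 ebgp-multihop 2
```

After applying this, show crypto ipsec sa should show both encaps and decaps climbing once BGP keepalives flow; if decaps climb while encaps stay at 0, check that 10.255.1.1 really resolves to Tunnel0 in show ip route.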