
GRE over IPsec Tunnel Flapping Issue

CSCO11910340
Level 1

Hi team,

Problem description: GRE over IPsec tunnel flapping issue.

- intermittent BGP up->down->up over GRE/IPsec tunnel (BGP timers: 5s keepalive, 15s holddown)

Jan 29 15:01:38.757 IST: %BGP-5-ADJCHANGE: neighbor 172.29.x.x Down BGP Notification sent

Jan 29 15:01:45.897 IST: %BGP-5-ADJCHANGE: neighbor 172.29.x.x Up

- in the logs we can see that just before the BGP is down R3845 sends a DPD/R_U_THERE message which indicates that there was no VPN traffic in the tunnel for 10 seconds (isakmp keepalive 10 configured).

NOTE: From this moment no traffic will be sent out through the VPN tunnel until a DPD/R_U_THERE_ACK received from the other peer.

Jan 29 15:01:36.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1

- router keeps sending aggressive DPDs

Jan 29 15:01:38.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 1 of 5

Jan 29 15:01:40.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 2 of 5

Jan 29 15:01:42.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 3 of 5

Jan 29 15:01:44.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 4 of 5

- after the fourth DPD message DPD/R_U_THERE_ACK is received

Jan 29 15:01:45.117 IST: ISAKMP:(0:91:SW:1): processing NOTIFY DPD/R_U_THERE_ACK protocol 1

- shortly after that BGP adjacency is back up again

Jan 29 15:01:45.897 IST: %BGP-5-ADJCHANGE: neighbor 172.29.x.x Up

- during normal operation, when there is no problem with the BGP adjacency, DPD/R_U_THERE probes are only sent from the remote side (Dallas), which indicates that during the intermittent failure there is no traffic originating from Dallas.

Can you please suggest a solution for the GRE over IPsec tunnel flapping issue?

Regards,

Danny
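
Added example (not part of the original post and not Cisco tooling): a small Python script that runs over the log lines quoted in the post and measures how long DPD probes went unanswered and where the BGP drop falls inside that window. The function names are this example's own, and the year 2000 is a placeholder because the syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Log lines copied from the post above, one per line, in time order.
LOG = """\
Jan 29 15:01:36.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
Jan 29 15:01:38.757 IST: %BGP-5-ADJCHANGE: neighbor 172.29.x.x Down BGP Notification sent
Jan 29 15:01:38.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 1 of 5
Jan 29 15:01:40.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 2 of 5
Jan 29 15:01:42.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 3 of 5
Jan 29 15:01:44.865 IST: ISAKMP:(0:91:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1 attempt 4 of 5
Jan 29 15:01:45.117 IST: ISAKMP:(0:91:SW:1): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
Jan 29 15:01:45.897 IST: %BGP-5-ADJCHANGE: neighbor 172.29.x.x Up
"""
# "<Mon> <day> <hh:mm:ss.mmm> <TZ>: <message>"
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) \w+: (.*)$", re.M)

def parse(text):
    """Return sorted (timestamp, kind) pairs for DPD and BGP adjacency events."""
    events = []
    for m in LINE.finditer(text):
        # The log carries no year; 2000 is a placeholder so parsing is unambiguous.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        if "DPD/R_U_THERE_ACK" in msg:
            events.append((ts, "dpd_ack"))
        elif "DPD/R_U_THERE" in msg:
            events.append((ts, "dpd_probe"))
        elif "ADJCHANGE" in msg:
            events.append((ts, "bgp_down" if " Down" in msg else "bgp_up"))
    return sorted(events)

def dpd_windows(events):
    """Group probes into windows closed by R_U_THERE_ACK; attach BGP drops."""
    windows, cur = [], None
    for ts, kind in events:
        if kind == "dpd_probe":
            cur = cur or {"start": ts, "probes": 0, "bgp_down_after_s": []}
            cur["probes"] += 1
        elif kind == "bgp_down" and cur:
            cur["bgp_down_after_s"].append((ts - cur["start"]).total_seconds())
        elif kind == "dpd_ack" and cur:
            cur["unanswered_s"] = (ts - cur["start"]).total_seconds()
            windows.append(cur)
            cur = None
    return windows

if __name__ == "__main__":
    print(dpd_windows(parse(LOG)))
```

Run against a longer capture from both routers, windows with more than one probe and a BGP drop inside them mark the flaps that coincide with unanswered DPD.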

1 Reply

CSCO11910340
Level 1

Dear Engineers,

Thanks for reading this page.

There might be an issue with the BGP holddown and keepalive timers at both locations.

Cisco TAC has configured IP SLA on the A side and debug crypto on the B side.

The main issue is that when BGP went down, the tunnel goes down!!

Cisco TAC informed us that there should be packet loss between the tunnel.

Even on the B side we have configured IP SLA, but we are unable to track the log in the syslog server.

If you have any suggestions, please post them!!!