07-26-2023 04:37 AM
Please note that I configure VTI and keepalive, but the tunnel doesn't go down automatically.
interface Tunnel29
ip mtu 1400
keepalive 10 3
tunnel mode ipsec ipv4
tunnel protection ipsec profile TNB-BKP_Prof
Any advice?
Thanks
07-26-2023 04:38 AM
Did you configure tunnel source and destination?
07-26-2023 05:15 AM
Yes, sure, below is the full config:
interface Tunnel29
ip address 10.10.10.1 255.255.255.252
ip mtu 1400
ip access-group NEW-ACL_BK in
ntp disable
keepalive 10 3
tunnel source 192.168.1.1
tunnel destination 192.168.1.2
end
07-26-2023 05:22 AM
I checked: keepalive works for GRE tunnels. Here you run mode IPsec, so it does not work.
07-26-2023 07:09 AM
Yes, it will work, but what is the solution if I want mode IPsec? Is there any other method to detect the tunnel?
07-26-2023 07:21 AM
Hmm,
the solution is using track ip sla and EEM; the EEM checks for track status down, and the action will be to shut the tunnel.
Also, ISAKMP already has keepalive, which I think also affects tunnel status. (If you want, I can check this in a lab.)
07-26-2023 07:26 AM
I want to keep the IP SLA solution as a last choice, so I am searching for how to use the keepalive feature.
I found the deep detection feature under the crypto ikev2 profile, but it also did not work.
Thank you MHM, appreciated.
07-26-2023 07:28 AM
Friend, you are so so welcome.
Have a nice summer
MHM
07-27-2023 05:45 AM
BTW, I recall @MHM Cisco World is correct. I.e. interface keep-alive works on ordinary GRE tunnel, but not on some/all others.
07-26-2023 04:46 AM
Hello @Sudqi,
is that the full GRE tunnel config?
https://study-ccnp.com/site-to-site-virtual-tunnel-interface-vti-over-ipsec/
07-26-2023 05:16 AM
No, below is the full config:
interface Tunnel29
ip address 10.10.10.1 255.255.255.252
ip mtu 1400
ip access-group NEW-ACL_BK in
ntp disable
keepalive 10 3
tunnel source 192.168.1.1
tunnel destination 192.168.1.2
end
07-29-2023 11:45 PM
Hi,
the VTI configuration was successful, but the idea here is that I want the GRE to become auto-down when the peer is dead. Unfortunately, keepalive does not work.
07-30-2023 01:19 AM
Hello
My understanding is that using keepalives on an IPsec/GRE tunnel at both ends won't work due to the way the keepalives are still encrypted as they reach the physical interface and are forwarded on to the tunnel interface. Using an additional monitoring feature such as IP SLA would be an alternative for establishing the state of the tunnels.
review here
07-31-2023 04:40 AM
Thanks Paul,
Yes, it doesn't work. I will do IP SLA.