07-20-2019 03:24 AM
Hi, currently I have been facing a weird issue. I have two routers: Router A in location X and Router B in location Y. A GRE tunnel is established between the two over Crypto IPSec. I have been facing packet drops while pinging the Router B tunnel IP from Router A and vice versa. But the ping response of the internet WAN IP from Router A to Router B and vice versa is clean.
Router B has other GRE tunnels to other locations, but these are clean.
I am not sure whether I should approach the ISP to check or if there is something which I need to check on the routers.
07-20-2019 04:28 AM
Hello,
What are the MTU and TCP adjust-mss settings on your tunnels? Typical values for GRE/IPSec tunnels are:
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
You also might want to set 'tunnel path-mtu-discovery' on the tunnel interfaces.
That said, what router models do you have? If there is heavy traffic, some routers have default COPP (Control Plane Policy) settings where ICMP is dropped, since it is considered less important...
07-20-2019 06:11 AM
Hi. Tunnel settings are the same as you have mentioned; path-discovery is also set on the tunnel. Router model is 2921.
If there is a drop due to the COPP policy, then it should be observed while pinging the WAN IP across.
07-20-2019 07:17 AM
Hello Anulkap,
You can check the encryption / decryption activity using
show crypto ipsec sa
Look for all counters related to the RA-RB IPSec session and verify whether there are any errors in packet decryption and whether they are incrementing over time when your ping tests fail.
Hope to help
Giuseppe
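The before/after counter comparison suggested in this reply, as an added example that is not part of the original post: it parses the `#pkts ...` and `#... errors` lines of two `show crypto ipsec sa` captures and reports which error counters grew during the test. The counter values and the helper names (`parse_counters`, `counter_deltas`, `incrementing_errors`) are constructed for illustration, and each capture is assumed to hold the counters of a single SA (the RA-RB peer).

```python
import re

# Constructed sample: counter lines from two captures of `show crypto ipsec sa`
# for one peer, taken before and after a failing ping test (values are made up).
BEFORE = """\
    #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
    #pkts decaps: 900, #pkts decrypt: 900, #pkts verify: 900
    #send errors 0, #recv errors 12
"""
AFTER = """\
    #pkts encaps: 1100, #pkts encrypt: 1100, #pkts digest: 1100
    #pkts decaps: 993, #pkts decrypt: 993, #pkts verify: 993
    #send errors 0, #recv errors 19
"""

# Matches both "#pkts decaps: 900" and "#recv errors 12" (colon is optional).
COUNTER = re.compile(r"#([A-Za-z. ]+?):? (\d+)")


def parse_counters(text):
    """Return {counter name: value} for every '#name: N' or '#name N' field."""
    return {name.strip(): int(value) for name, value in COUNTER.findall(text)}


def counter_deltas(before, after):
    """Return how much each counter present in both captures changed."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b[name] for name in a if name in b}


def incrementing_errors(before, after):
    """Return only the error/failure counters that grew between captures."""
    return {
        name: delta
        for name, delta in counter_deltas(before, after).items()
        if ("error" in name or "failed" in name) and delta > 0
    }


if __name__ == "__main__":
    for name, delta in counter_deltas(BEFORE, AFTER).items():
        print(f"{name:<16} +{delta}")
    print("incrementing error counters:", incrementing_errors(BEFORE, AFTER))
```

Paste the counter block for the peer in question from each capture into `BEFORE` and `AFTER`; an empty result from `incrementing_errors` means no error counter moved during the test window.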
07-20-2019 09:27 AM
There are things that we do not know about this environment which probably impact the answers that we might give. If I understand correctly this is a GRE tunnel with IPSEC. We do not know if this is a traditional IPSEC with a crypto map or is a VTI implementation. GRE with crypto map typically does not include the tunnel subnet as interesting traffic. In that case attempts to ping the tunnel remote address would not be encrypted and would not show up in show crypto ipsec sa. If this is VTI then attempts to ping the tunnel remote address would be encrypted and would show up in show crypto ipsec sa.
If the IPSEC seems to be running clean then I would not worry if some pings to the remote tunnel address are dropped.
HTH
Rick
07-21-2019 03:50 AM
Hi Richards / Giuseppe, thanks for your suggestion. It's a Crypto IPSec GRE tunnel, where massive drops are occurring and users are facing issues while accessing applications.
07-21-2019 04:34 AM
Hello,
Post the full configurations of both sides, we might be able to spot something...
07-21-2019 05:46 AM
Thank you for the additional information. From the original post I understood the problem to be about issues to ping the remote tunnel address. I now understand that user access to remote resources is impacted and that certainly indicates that there is an issue to investigate. I agree that seeing the configs from both sides would be a good place to start.
HTH
Rick