06-17-2013 05:56 AM - edited 03-04-2019 08:13 PM
Hello All,
I'm trying to set up OSPF over Internet IPsec VPNs. The IPsec is established without any problems. The GRE tunnel, however, doesn't ping from one side to the other. Here are the configs:
R1
interface Tunnel150
bandwidth 12000
ip address 172.27.150.161 255.255.255.252
ip ospf network broadcast
ip ospf cost 150
ip ospf mtu-ignore
tunnel source 10.200.55.2
tunnel mode ipip
tunnel destination 10.150.200.2
end
R1#ping 10.150.200.2 so 10.200.55.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.200.2, timeout is 2 seconds:
Packet sent with a source address of 10.200.55.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 160/160/160 ms
R1#ping 172.27.150.162 so 172.27.150.161
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.150.162, timeout is 2 seconds:
Packet sent with a source address of 172.27.150.161
.....
Success rate is 0 percent (0/5)
Here it is from R2:
interface Tunnel55
bandwidth 12000
ip address 172.27.150.162 255.255.255.252
ip ospf network broadcast
ip ospf cost 150
tunnel source 10.150.200.2
tunnel mode ipip
tunnel destination 10.200.55.2
end
R2#ping 10.200.55.2 so 10.150.200.4 (10.150.200.2 is the virtual IP. Tried setting the physical IP on the tunnel too, without luck)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.55.2, timeout is 2 seconds:
Packet sent with a source address of 10.150.200.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 158/158/160 ms
R2#ping 172.27.150.161 so 172.27.150.162
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.150.161, timeout is 2 seconds:
Packet sent with a source address of 172.27.150.162
.....
Success rate is 0 percent (0/5)
Because of this, the OSPF never comes up:
10.150.200.2 1 INIT/DROTHER 00:00:39 172.27.150.162 Tunnel150
What could be wrong? I'm at my wits' end and my whole team has mostly given up on this. Please help.
06-17-2013 02:12 PM
Your description indicates that you are trying to do IPSec with GRE tunnels. I see that the tunnel mode is ipip and not GRE. I wonder what would happen if you made the tunnel into GRE.
It is also possible that the problem has to do with how IPSec was configured or with something configured on the physical interface such as access list. Perhaps you can post a more complete version of the config and we might be able to give you a better answer.
HTH
Rick
06-17-2013 08:22 PM
Hi, thanks for replying.
The topology is as below:
R1 (10.200.55.2) ---------------- ASA1 ----- Internet ----- ASA2 ---------------- R2 (10.150.200.2)
The 10.200.55.2 is the IP address of the R1 interface connected to the ASA1
Similarly, 10.150.200.2 is the IP address of the R2 interface connected to the ASA2
ASA1 to ASA2 have the IPsec tunnel. R1 to R2 is the GRE. I can ping from 10.200.55.2 to 10.150.200.2 only because the IPsec is up.
I changed the tunnel mode to GRE, but it's still the same. I changed the tunnel IPs to .9 and .10.
R1
interface Tunnel150
bandwidth 12000
ip address 172.27.150.9 255.255.255.252
ip mtu 1400
ip ospf network broadcast
ip ospf cost 150
tunnel source 10.200.55.2
tunnel destination 10.150.200.2
end
R2
interface Tunnel55
bandwidth 12000
ip address 172.27.150.10 255.255.255.252
ip mtu 1400
ip ospf network broadcast
ip ospf cost 150
tunnel source 10.150.200.2
tunnel destination 10.200.55.2
end
R1#ping 172.27.150.10 so 172.27.150.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.150.10, timeout is 2 seconds:
Packet sent with a source address of 172.27.150.9
.....
Success rate is 0 percent (0/5)
172.27.150.9 can't ping 172.27.150.10, and the OSPF never comes up.
What's interesting is that on R1, I can see R2 in the OSPF neighbors:
Neighbor ID Pri State Dead Time Address Interface
10.150.200.1 1 INIT/DROTHER 00:00:39 172.27.150.162 Tunnel150
But nothing about R2 in R1. So that means that R2's Hellos are reaching R1 but not the other way round.
Also, regarding your ACL question, there are no ACLs on the R1 router:
R1#sh access-l
Standard IP access list 23
10 permit 10.10.10.0, wildcard bits 0.0.0.7
Standard IP access list BGP_filter_in
Standard IP access list BGP_filter_out
ACL 23 is the default one that the router ships with and is not applied on any interface. I can remove that if needed.
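The checks the thread has been doing by eye (do the two tunnel ends cross-match, is the mode the same on both sides, are the tunnel IPs in one subnet, and what does an INIT/DROTHER neighbor actually tell you) can be scripted. The following Python is an added example written for this thread, not code from the original posts or from Cisco. It assumes the IOS default tunnel mode is GRE when no `tunnel mode` line is present, uses the IP protocol numbers 47 (GRE) and 4 (IP-in-IP) to state what any ACL or IPsec crypto ACL on the path must permit between the tunnel endpoints, and embeds the first post's two tunnel configs and neighbor line as constructed sample input. The OSPF state text follows the standard neighbor state machine: INIT means the neighbor's Hello was seen here but it did not list this router, i.e. our Hellos are not being received or accepted on the far side, which is the one-way condition the poster inferred.

```python
import ipaddress
import re

# Constructed sample input: the two tunnel interfaces from the first post.
R1_TUNNEL = """\
interface Tunnel150
 bandwidth 12000
 ip address 172.27.150.161 255.255.255.252
 ip ospf network broadcast
 ip ospf cost 150
 ip ospf mtu-ignore
 tunnel source 10.200.55.2
 tunnel mode ipip
 tunnel destination 10.150.200.2
"""

R2_TUNNEL = """\
interface Tunnel55
 bandwidth 12000
 ip address 172.27.150.162 255.255.255.252
 ip ospf network broadcast
 ip ospf cost 150
 tunnel source 10.150.200.2
 tunnel mode ipip
 tunnel destination 10.200.55.2
"""

# Constructed sample input: the neighbor line R1 showed in the first post.
R1_OSPF_NEIGHBOR = "10.150.200.2 1 INIT/DROTHER 00:00:39 172.27.150.162 Tunnel150"

# IP protocol number each tunnel mode encapsulates in. Any interface ACL or IPsec
# crypto ACL between the endpoints must permit this protocol, not just ICMP.
ENCAP_PROTOCOL = {"gre": 47, "ipip": 4}

# Standard OSPF neighbor states and what each one says about Hello traffic.
OSPF_STATE = {
    "DOWN": "no Hello seen from the neighbor",
    "INIT": "neighbor's Hellos arrive here but do not list this router: "
            "our Hellos are not reaching, or not accepted by, the neighbor",
    "2WAY": "bidirectional Hello exchange established",
    "EXSTART": "negotiating master/slave for database exchange",
    "EXCHANGE": "exchanging database description packets",
    "LOADING": "link-state requests outstanding",
    "FULL": "adjacency complete",
}

_SIMPLE_FIELDS = {
    "name": re.compile(r"^interface (\S+)$"),
    "source": re.compile(r"^tunnel source (\S+)$"),
    "destination": re.compile(r"^tunnel destination (\S+)$"),
    "mode": re.compile(r"^tunnel mode (\S+)$"),
}
_ADDR = re.compile(r"^ip address (\S+) (\S+)$")


def parse_tunnel(config):
    """Parse one 'interface TunnelN' block into a dict.
    Assumption: IOS defaults to GRE when no 'tunnel mode' line is configured."""
    tun = {"mode": "gre"}
    for raw in config.splitlines():
        line = raw.strip()
        m = _ADDR.match(line)
        if m:
            tun["iface"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        for key, pattern in _SIMPLE_FIELDS.items():
            m = pattern.match(line)
            if m:
                tun[key] = m.group(1)
    return tun


def tunnel_problems(a, b):
    """Return the configuration inconsistencies between two tunnel ends."""
    problems = []
    if a["source"] != b["destination"] or b["source"] != a["destination"]:
        problems.append("tunnel source/destination do not cross-match")
    if a["mode"] != b["mode"]:
        problems.append(f"tunnel mode mismatch: {a['mode']} vs {b['mode']}")
    if a["iface"].network != b["iface"].network:
        problems.append("tunnel IP addresses are not in the same subnet")
    return problems


def required_protocol(tun):
    """IP protocol number the transport path must carry for this tunnel mode."""
    return ENCAP_PROTOCOL[tun["mode"]]


def parse_ospf_neighbor(line):
    """Parse one row of 'show ip ospf neighbor' and attach the state's meaning."""
    neighbor_id, pri, state, dead, addr, iface = line.split()
    state, role = (state.split("/") + [None])[:2]
    return {
        "neighbor_id": neighbor_id, "priority": int(pri), "state": state,
        "role": role, "dead_time": dead, "address": addr, "interface": iface,
        "meaning": OSPF_STATE.get(state, "unknown state"),
    }


def hellos_one_way(neighbor):
    """True when the far side hears us but we do not appear in its Hellos."""
    return neighbor["state"] == "INIT"


if __name__ == "__main__":
    r1, r2 = parse_tunnel(R1_TUNNEL), parse_tunnel(R2_TUNNEL)
    print("config problems:", tunnel_problems(r1, r2) or "none")
    print("path must permit IP protocol", required_protocol(r1),
          "between", r1["source"], "and", r1["destination"])
    n = parse_ospf_neighbor(R1_OSPF_NEIGHBOR)
    print(n["neighbor_id"], n["state"], "->", n["meaning"])
```

Run against the thread's configs it reports no inconsistency between the two ends, which is why the next things worth checking are the ones Rick named: whether the ASAs' IPsec policy and any ACL on the path carry the encapsulating protocol between the two tunnel endpoints, not only the ICMP that the endpoint-to-endpoint ping exercises.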
06-17-2013 10:11 PM
Hi,
Can you post output from both routers:
sh ip route 172.27.150.8
And IPSec configuration on both ASAs.
Hope it will help.
Best regards,
Abzal