I have a strange issue with a simple GRE tunnel. There is a tunnel configured between Downstream and Headquarters. However, the tunnel is showing down even though all the configurations are in place. Config details are attached. We have confirmed that the tunnel destinations, tunnel source and the static route are all in place. One strange thing we find is that while doing the debug for keepalives, the routers only seem to be sending keepalives, but do not seem to receive them. We have removed and reapplied the tunnel config and reloaded the router. Any suggestions on this are highly appreciated. Thanks in advance.
There is no bidirectional IP connectivity between the two IP addresses in use, or some device in the middle like a firewall is filtering one side of the communication.
Try to perform an extended ping using the same IP addresses that are used as GRE endpoints.
If this doesn't work the tunnel cannot come up.
By using the keepalive on GRE tunnel the tunnel state is conditioned on the correct sending and receiving of GRE keepalives.
Be aware that this is a feature that was added later to IOS, so it is also possible that one of the two devices is not able to send GRE keepalives correctly.
Perform the basic checks I suggested above.
Hope to help
I agree with Giuseppe that the most likely cause of the problem is that the GRE packets are not making it through to the other peer. I notice that each router has some number greater than zero in the packets sent but has zero in the packets received.
I also notice a mismatch in the configurations. On the downstream router you have the subnet mask as /24:
ip address 192.168.3.1 255.255.255.0
but on the headquarters router the mask is /30:
ip address 192.168.3.2 255.255.255.252
I am not sure that this would cause the problem that you are expecting, but it is something that should be cleaned up.
1. The subnet mask is not an issue. I noticed it earlier as well and changed it to /24 at both ends. It still does not work.
2. The end-to-end ping test is a challenge because some ISPs don't allow ping/tracert. I have a few other downstream sites in which the setup is working fine. But end-to-end ping still fails even though there is no access list configured at our end.
Are there any other debugs that can help us drive down still further? Thanks!
If you cannot test with ping and traceroute you cannot understand if there is a connectivity problem.
I would do the following:
Disable GRE keepalive on both ends.
Assign a private IP address loopback on each side:
ip address 10.0.0.14 255.255.255.255
From the other router, add a static route:
ip route 10.0.0.14 255.255.255.255 tunnel X
Do the same on the opposite node:
add a loopback here,
and from the first node add a static route.
Now you can ping from loopback to loopback; the traffic is encapsulated in GRE.
If you still cannot receive the ICMP packets with the loopbacks as source and destination, you can say that there is no connectivity.
Otherwise, one of the two routers doesn't support GRE keepalive correctly.
Hope to help
I'm finding about the same problem in a simpler environment (configs attached):
I have two routers (Tunnel-1 and Tunnel-2) connected through a third one (Center) and I'm trying to build a GRE tunnel from a loopback interface on Tunnel-1 to a loopback interface on Tunnel-2 (I already tried using physical interfaces).
Static routes on the 3 routers make tunnel sources and destinations reachable from each other.
Without configuring keepalives the tunnel comes up but it's not working (tunnel interfaces don't ping each other and I can't ping, for example, interface Tunnel-1 GigabitEthernet0/1.1 from Tunnel-2).
After configuring keepalives the tunnel goes down. I have the same output as Manoj when debugging the tunnel on both ends.
The routers are two Cisco 1841 and a 3825 with the latest Advanced Enterprise IOS.
Any suggestions? Thanks all
I have looked through your configs. One of the things that I notice is that there is a mismatch in the tunnel configuration about source and destination address. On tunnel-1 the tunnel destination is 192.168.253.253 but on tunnel-2 the source address is 192.168.200.200 where to be consistent with tunnel-1 I would expect 192.168.253.253.
I suggest that you revise the configs and make the source-destination match between the routers so that what one router configures as the destination is the source on the other router. Give this a try and let us know if it works better.
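Added example, not part of any post in this thread and not the posters' actual configs: a small Python check that compares two IOS config fragments and reports the two mismatches discussed above (tunnel destination on one side not matching the tunnel source on the other, and differing masks on the tunnel interface). The config fragments are constructed; the Loopback0 address 192.168.254.254 and the interface name Tunnel0 are assumptions, the other addresses are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed IOS fragments. 192.168.254.254 (Loopback0 on Tunnel-1) and the
# name Tunnel0 are assumed placeholders; other addresses are quoted in the thread.
TUNNEL_1 = """\
interface Loopback0
 ip address 192.168.254.254 255.255.255.255
interface Tunnel0
 ip address 192.168.3.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 192.168.253.253
"""
TUNNEL_2 = """\
interface Tunnel0
 ip address 192.168.3.2 255.255.255.252
 tunnel source 192.168.200.200
 tunnel destination 192.168.254.254
"""

def parse(cfg):
    """Return {interface: {"ip": IPv4Interface, "source": str, "destination": str}}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur is not None and (m := re.match(r"\s+tunnel (source|destination) (\S+)", line)):
            cur[m.group(1)] = m.group(2)
    return ifaces

def endpoint(ifaces, value):
    """A tunnel source may be an interface name; resolve it to that interface's IP."""
    if value in ifaces and "ip" in ifaces[value]:
        return str(ifaces[value]["ip"].ip)
    return value

def check_pair(cfg_a, cfg_b, tunnel="Tunnel0"):
    """List mismatches between the two ends of one GRE tunnel."""
    a, b = parse(cfg_a), parse(cfg_b)
    ta, tb = a[tunnel], b[tunnel]
    problems = []
    # Each side's destination must be the address the peer uses as its source.
    for name, near, far, far_ifaces in (("A", ta, tb, b), ("B", tb, ta, a)):
        peer_src = endpoint(far_ifaces, far["source"])
        if near["destination"] != peer_src:
            problems.append(f"{name} destination {near['destination']} != peer source {peer_src}")
    if ta["ip"].network != tb["ip"].network:
        problems.append(f"tunnel subnets differ: {ta['ip'].network} vs {tb['ip'].network}")
    return problems
```

A clean result only shows that the two configs are consistent with each other; it says nothing about whether GRE packets are filtered somewhere along the path.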