
GRE tunnel not failover if other interface down

Kevin Xau
Level 1

Hi,

I've configured an IPsec GRE tunnel between two routers that are running the EIGRP protocol. At the branch site, it uses port FA0/0 to access some particular servers (e.g. 192.168.158.3 ...) in HQ using policy-based routing. Access to other IP addresses uses the Tunnel 0 interface to connect to HQ.

However, when we try to test the failover by shutting down the FA0/0 interface, the Tunnel 0 interface goes down after a few seconds; it cannot fail traffic over to Tunnel 0, and we lose all connectivity from branch to HQ.

a. Branch:

   • FA0/0: 200.1.1.1 /24
   • FA0/1: 101.19.26.132 /29
   • Vlan 1: 192.168.161.9 /24
   • Tunnel 0: 30.1.1.2 /24

b. HQ:

   • FA0/0: 200.1.1.2 /24
   • FA0/1: 118.125.101.148 /29
   • Vlan 1: 192.168.158.253 /24
   • Tunnel 0: 30.1.1.1 /24

Here is the configuration on the Branch router; when we do "show ip route", no EIGRP route is displayed.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
clock timezone wst 8
ip cef
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key schaefer-key address 118.125.101.148
!
!
crypto ipsec transform-set schaefer-set ah-md5-hmac esp-3des
!
crypto map schaefermap 1 ipsec-isakmp
set peer 118.125.101.148
set transform-set schaefer-set
match address 100
!
!
!
interface Tunnel0
description Tunnel-to-HQ
ip address 30.1.1.2 255.255.255.0
ip tcp adjust-mss 1300
ip policy route-map clear-df
keepalive 10 3
tunnel source 101.19.26.132
tunnel destination 118.125.101.148
!
interface FastEthernet0/0
description Point-to-Point network
ip address 200.1.1.1 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet0/1
description WAN network
ip address 101.19.26.132 255.255.255.248
speed auto
full-duplex
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
description LAN network
ip address 192.168.161.9 255.255.255.0
ip policy route-map movex
!
router eigrp 100
redistribute static
network 30.1.1.0 0.0.0.255
network 172.19.4.0 0.0.3.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 101.19.26.131
ip route 30.1.1.0 255.255.255.0 Tunnel0 130
ip route 172.19.5.0 255.255.255.0 192.168.161.8
ip route 172.19.6.0 255.255.255.0 192.168.161.8
ip route 172.19.7.0 255.255.255.0 192.168.161.8
ip route 192.168.158.0 255.255.255.0 200.1.1.2
ip route 192.168.158.0 255.255.255.0 Tunnel0 130
ip route 192.168.160.0 255.255.255.0 192.168.161.8
!
no ip http server
no ip http secure-server
!

access-list 100 permit gre host 101.19.26.132 host 118.125.101.148
access-list 102 permit ip 192.168.161.0 0.0.0.255 192.168.158.0 0.0.0.255
access-list 102 permit ip 192.168.160.0 0.0.0.255 192.168.158.0 0.0.0.255
access-list 102 permit ip 172.19.4.0 0.0.3.255 192.168.158.0 0.0.0.255
access-list 103 permit ip 172.19.4.0 0.0.3.255 host 192.168.158.3
access-list 103 permit ip 172.19.4.0 0.0.3.255 host 192.168.158.4
access-list 103 permit ip 172.19.4.0 0.0.3.255 host 192.168.158.5
access-list 103 permit ip 172.19.4.0 0.0.3.255 host 192.168.158.9
access-list 103 permit ip 192.168.161.0 0.0.0.255 host 192.168.158.3
access-list 103 permit ip 192.168.161.0 0.0.0.255 host 192.168.158.4
access-list 103 permit ip 192.168.161.0 0.0.0.255 host 192.168.158.5
access-list 103 permit ip 192.168.161.0 0.0.0.255 host 192.168.158.9
access-list 103 permit ip 192.168.160.0 0.0.0.255 host 192.168.158.3
access-list 103 permit ip 192.168.160.0 0.0.0.255 host 192.168.158.4
access-list 103 permit ip 192.168.160.0 0.0.0.255 host 192.168.158.5
access-list 103 permit ip 192.168.160.0 0.0.0.255 host 192.168.158.9
access-list 111 permit tcp any any
access-list 111 permit udp any any

route-map clear-df permit 10
match ip address 111
set ip df 0
!
route-map movex permit 10
match ip address 103
set ip precedence critical
set ip next-hop 200.1.1.2
!
route-map movex permit 20
match ip address 102
set ip precedence priority
set ip next-hop 30.1.1.1
!
!

Here is the HQ router configuration; when we do "show ip route", no EIGRP route is displayed.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$JPO5$Wjnsdwett312KbEu/DPlGEK1
enable password 7 06034346D4F41
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
clock timezone wst 8
ip cef
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key schaefer-key address 101.19.26.132
!
!
crypto ipsec transform-set schaefer-set ah-md5-hmac esp-3des
!
crypto map schaefermap 1 ipsec-isakmp
set peer 101.19.26.132
set transform-set schaefer-set
match address 100
!
!
!
interface Tunnel0
description Tunnel-to-Branch
ip address 30.1.1.1 255.255.255.0
ip tcp adjust-mss 1300
ip policy route-map clear-df
keepalive 10 3
tunnel source 118.125.101.148
tunnel destination 101.19.26.132
!
interface FastEthernet0/0
description IPLC network
bandwidth 10000
ip address 200.1.1.2 255.255.255.252
delay 120
speed 100
full-duplex
!
interface FastEthernet0/1
description WAN network
ip address 118.125.101.148 255.255.255.248
speed auto
full-duplex
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
description LAN network
ip address 192.168.158.253 255.255.255.0
ip policy route-map movex
!
router eigrp 100
redistribute static
passive-interface FastEthernet0/1
network 30.1.1.0 0.0.0.255
network 192.168.158.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 203.125.111.113
ip route 30.1.1.0 255.255.255.0 Tunnel0 130
ip route 172.19.5.0 255.255.255.0 200.1.1.1
ip route 172.19.5.0 255.255.255.0 Tunnel0 130
ip route 172.19.6.0 255.255.255.0 200.1.1.1
ip route 172.19.6.0 255.255.255.0 Tunnel0 130
ip route 172.19.7.0 255.255.255.0 200.1.1.1
ip route 172.19.7.0 255.255.255.0 Tunnel0 130
ip route 192.168.160.0 255.255.255.0 200.1.1.1
ip route 192.168.160.0 255.255.255.0 Tunnel0 130
ip route 192.168.161.0 255.255.255.0 200.1.1.1
ip route 192.168.161.0 255.255.255.0 Tunnel0 130
!
no ip http server
no ip http secure-server
!
access-list 100 permit gre host 118.125.101.148 host 101.19.26.132
access-list 102 permit ip 192.168.158.0 0.0.0.255 any
access-list 103 permit ip host 192.168.158.3 any
access-list 103 permit ip host 192.168.158.4 any
access-list 103 permit ip host 192.168.158.5 any
access-list 103 permit ip host 192.168.158.9 any
access-list 103 permit ip 172.19.5.0 0.0.0.255 any
access-list 103 permit ip 172.19.6.0 0.0.0.255 any
access-list 103 permit ip 172.19.7.0 0.0.0.255 any
access-list 103 permit ip 192.168.160.0 0.0.0.255 any
access-list 103 permit ip 192.168.161.0 0.0.0.255 any
access-list 111 permit tcp any any
access-list 111 permit udp any any
route-map clear-df permit 10
match ip address 111
set ip df 0
!
route-map movex permit 10
match ip address 103
set ip precedence critical
set ip next-hop 200.1.1.1
!
route-map movex permit 20
match ip address 102
set ip precedence priority
set ip next-hop 30.1.1.2
!
!

7 Replies

Richard Burts
Hall of Fame

The first issue that I notice is that you have configured crypto maps on both routers, but neither router has its crypto map assigned to an interface. So the IPsec will not work. You need to fix that. There might be other issues, but we cannot be sure until this one is fixed.

HTH

Rick


Hi Richard,

So I need to put the crypto map on FA0/1 interface first?

Yes, the crypto map should be applied on Fa0/1 on both routers.

HTH

Rick


I've configured the crypto map on both Fa0/1 interfaces, but still the same problem. I've looked into the previous configuration, the working one on the old router, and there was no need to configure the crypto map inside the interface. However, the FA0/0 port on the new router was a serial port on the previous router. So is that different?

I am puzzled about your statement that there was no need to configure the crypto map inside the interface. If you want the traffic carried through the tunnel to be encrypted, then there needs to be a crypto map on Fa0/1. If you say that there is no need for a crypto map, then it makes me wonder if I do not correctly understand what you are trying to accomplish. So please explain to me what you are trying to achieve.

Also can you clarify what is happening with the tunnel. In normal operation (when both Fa0/0 and Fa0/1 are up) is the tunnel up and passing traffic? And if you shut down Fa0/0 are you saying that the tunnel would then go down?

HTH

Rick


Sorry for the confusion. For example:

 - At the branch network, if we traceroute to HQ 192.168.158.3, it goes via FA0/0 as per policy routing. If this FA0/0 interface is down, it should fail the traffic over to Tunnel 0, but in fact that does not happen.

 - At the branch network, if we traceroute to HQ 192.168.158.10, it goes via Tunnel 0.

The objective is that we want to fail the traffic over from the FA0/0 interface to Tunnel 0 once that interface is down.

P/S: The above configuration was working fine on a Cisco router with a serial interface for the 200.1.1.0/24 network. It could fail over; after changing to an 1841 with a FastEthernet interface, it cannot fail over anymore.

Thank you for the clarification about how you expect it to work.

I repeat my question from a previous post:

Also can you clarify what is happening with the tunnel. In normal operation (when both Fa0/0 and Fa0/1 are up) is the tunnel up and passing traffic? And if you shut down Fa0/0 are you saying that the tunnel would then go down?

Knowing this might help clarify what the issue is.

It is interesting that the config did work on a router with a serial interface. I believe that something changed, beyond changing a serial interface for Ethernet. I did notice one issue on the HQ router. The default route is not valid. Here is the route

ip route 0.0.0.0 0.0.0.0 203.125.111.113

but the next hop is not valid. Was perhaps the serial interface using 203.125.111.114?

HTH

Rick

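Added example (not from the thread, not Cisco code): a small Python check that applies the two findings raised in this thread to a config dump, reporting crypto maps that are defined but never applied to an interface (the first reply) and static routes whose IP next hop is not inside any connected subnet (the HQ default route to 203.125.111.113). The excerpt it parses is constructed from the HQ config posted above; SAMPLE_CONFIG and the function names are mine.

```python
import ipaddress
import re

# Constructed excerpt modelled on the HQ config in the thread (not the full posted config).
SAMPLE_CONFIG = """\
crypto map schaefermap 1 ipsec-isakmp
 set peer 101.19.26.132
!
interface FastEthernet0/0
 ip address 200.1.1.2 255.255.255.252
!
interface FastEthernet0/1
 ip address 118.125.101.148 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 203.125.111.113
ip route 172.19.5.0 255.255.255.0 200.1.1.1
ip route 172.19.5.0 255.255.255.0 Tunnel0 130
"""

def connected_networks(config):
    """Subnets of every 'ip address A M' line (interface stanzas, any indentation)."""
    return [ipaddress.IPv4Interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)\s*$", config, re.M)]

def unreachable_static_next_hops(config):
    """Static routes whose IP next hop lies in no connected subnet.
    This is the check behind the remark about the HQ default route."""
    nets = connected_networks(config)
    bad = []
    for prefix, mask, nh in re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        try:
            hop = ipaddress.IPv4Address(nh)
        except ipaddress.AddressValueError:
            continue  # next hop is an interface name such as Tunnel0, skip it
        if not any(hop in n for n in nets):
            bad.append((f"{prefix} {mask}", nh))
    return bad

def unapplied_crypto_maps(config):
    """Crypto maps defined globally but never bound to an interface with 'crypto map NAME'."""
    defined = set(re.findall(r"^\s*crypto map (\S+) \d+ ipsec-isakmp", config, re.M))
    applied = set(re.findall(r"^\s*crypto map (\S+)\s*$", config, re.M))
    return sorted(defined - applied)

if __name__ == "__main__":
    print("unreachable static next hops:", unreachable_static_next_hops(SAMPLE_CONFIG))
    print("crypto maps not applied to any interface:", unapplied_crypto_maps(SAMPLE_CONFIG))
```

Run it against a full "show running-config" dump to get both findings at once; routes pointing at an interface name (Tunnel0) are skipped on purpose.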