Thanks your feedback. I also

Wesoley · ‎04-10-2017

We had a GRE tunnel between 2 routers/sites and the configs on R2 were migrated to another router. Since the change, I am unable to ping the tunnel interface on the remote side although the tunnel is up.

Tunnel100 200.7.xx.83 YES manual up up

R1

interface Tunnel100
bandwidth 10000
vrf forwarding Gp
ip address 200.7.xx.83 255.255.255.254
ip mtu 1500
ip tcp adjust-mss 1436
keepalive 5 4
tunnel source Loopback13
tunnel destination 66.54.xx.85
tunnel path-mtu-discovery
tunnel vrf Internet
end

interface Loopback13
vrf forwarding Internet
ip address 200.7.xx.81 255.255.255.255

ASR1002-R1#ping vrf Internet 66.54.xx.85 source loopback 13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.54.xx.85, timeout is 2 seconds:
Packet sent with a source address of 200.7.xx.81
!!!!!

R2

interface tunnel-ip4
description Trinidad GRX Connection
vrf grx
ipv4 address 200.7.xx.82 255.255.255.254
ipv4 tcp-mss-adjust enable
tunnel mode gre ipv4
tunnel source Loopback4
tunnel vrf internet
tunnel destination 200.7.xx.81
!
interface Loopback4
description GRE Public-2
vrf internet
ipv4 address 66.54.xx.85 255.255.255.255

ASR1002-R2#ping 200.7.xx.81
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.7.xx.81, timeout is 2 seconds:
!!!!!

As you can see, I am able to ping the remote destination on both sides, however, I am unable to ping the tunnel interface.

ASR1002-R1#ping vrf Gp 200.7.xx.82 source Tunnel100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.7.xx.82, timeout is 2 seconds:
Packet sent with a source address of 200.7.xx.83
.....

I would appreciate any ideas or thoughts.

ajay chauhan · ‎04-10-2017

I do not see any tunnel source interface mentioned here -

R2-

interface Tunnel100
bandwidth 10000
ip address 200.4.xx.82 255.255.255.254
ip mtu 1500
ip tcp adjust-mss 1436
keepalive 5 4
tunnel destination 200.7.xx.81
tunnel path-mtu-discovery

Wesoley · ‎04-11-2017

I was able to get the config for the remote tunnel. It includes the tunnel source. Check the config again.

dperezoquendo · ‎04-11-2017

Hm, I'm not entirely sure if you can ping via vrf Gf since the tunnel vrf is set to Internet. I'm curious if you can ping both tunnel interfaces from another device in the network - if you're setup allows it.

Other than the pinging the tunnel interfaces itself, does everything function as it should?

Richard Burts · ‎04-11-2017

Let us start by reviewing a basic behavior of IOS about GRE tunnels. If an IOS device is configured with a normal GRE tunnel (not using IPsec to encrypt traffic) and is not configured with GRE keepalive then IOS will mark the tunnel interface as up up as long as there is a valid route in the routing table to reach the tunnel destination address. On most interfaces if the interface is up up then you assume that the interface will pass traffic. But this is not true for GRE. So when the original post says that the tunnel interface is up up that does not necessarily mean that the tunnel interface will pass traffic.

It is a good question to ask if there are other indications of whether the tunnel is working besides attempts to ping.

HTH

Rick

HTH

Rick

Wesoley · ‎04-12-2017

Thanks for this added info

Wesoley · ‎04-11-2017

Thanks your feedback. I also did that but forgot to include it in the output. My apologies.

ASR1002-R1#ping vrf Internet 200.7.xx.82
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.7.xx.82, timeout is 2 seconds:
.....

James Krause · ‎04-11-2017

Can you do a "show ip route vrf internet", as well as a "show ip route vrf grx"

James Krause · ‎04-11-2017

You should need to use the tunnel VRF for pinging here, this is because the VRF has a separate instance of the routing table for each VRF.

ping vrf internet 200.7.xx.82, should work.

nurbol555 · ‎04-12-2017

check your ip address on tunnel interfaces. they have to be on one network. you use on router 2 for tunnel address ipv4 address 200.7.xx.82 255.255.255.254, it have to be address on one network with tunnel address on first router 200.4.xx.83 255.255.255.254. I suggest you change your tunnel address, on first router try ip address 200.4.xx.81 255.255.255.252, on second ip address 200.4.xx.82 255.255.255.252

Richard Burts · ‎04-13-2017

This does appear to be a real problem, but I believe that it is just a typo. If R1 really had 200.4.xx.83 while R2 had 200.7.xx.82 as tunnel addresses it would be a problem. But I believe that the 200.4 is a typo. The original post has what appears to be a line of output from show ip interface brief

Tunnel100 200.7.xx.83 YES manual up up

and that shows that R1 does appear to really have 200.7 for the address.

Would it be possible to see more of the config from R2? It might also be helpful to see the output of show ip route vrf all

HTH

Rick

HTH

Rick

mshabanov · ‎04-24-2018

Try to apply on the tunnel interface: tunnel key XXX.

Has helped with my case.

Gre tunnel up, but can't ping remote tunnel interface