
interface tunnel flap

I put my router configuration and the show interface tunnel0 output in the attachment; the problem is on the tunnel interface: the protocol randomly goes down and after a few seconds it turns back up. What can be the problem?

Some debugs on the interface during the UP/DOWN gave me this:

 

Jun 3 14:11:55: [IDB Tu0 UAUUYY] LSTATE_REQ: Entry (immediate)
Jun 3 14:11:55: [IDB Tu0 UAUUYY] LSTATE_TMR: Entry
Jun 3 14:11:55: [IDB Tu0 UAUUYY] LSTATE_TMR: not spoofing, current state: n
Jun 3 14:11:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Jun 3 14:11:55: [IDB Tu0 UAUUYY] LSTATE_TMR: informing line state transitions
Jun 3 14:11:55: [IDB Tu0 UAUUnY] TRANS_ADJ: Entry
Jun 3 14:11:55: [IDB Tu0 UAUUnn] TRANS_ADJ: propagating change to subifs
Jun 3 14:11:55: [IDB Tu0 UAUUnn] TRANS_ADJ: Exit
Jun 3 14:11:55: [IDB Tu0 UAUUnn] ROUTE_ADJ: Entry
Jun 3 14:11:55: [IDB Tu0 UAUUnn] ROUTE_ADJ: Exit
Jun 3 14:11:55: [IDB Tu0 UAUUnn] BRIDGE_ADJ: Entry
Jun 3 14:11:55: [IDB Tu0 UAUUnn] BRIDGE_ADJ: Exit
Jun 3 14:11:55: [IDB Tu0 UAUUnn] LSTATE_TMR: Exit
Jun 3 14:11:55: [IDB Tu0 UAUUnn] LSTATE_REQ: Entry (immediate)
Jun 3 14:11:55: [IDB Tu0 UAUUnn] LSTATE_TMR: Entry
Jun 3 14:11:55: [IDB Tu0 UAUUnn] LSTATE_TMR: not spoofing, current state: Y
Jun 3 14:11:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

 

 

1 Accepted Solution


The comment about tunnels and recursive routing is especially true for GRE tunnels. But in this case the tunnel is VTI. In my experience with VTI tunnels the main thing that controls tunnel interface status (up or down) is the success of the crypto negotiation. If the ipsec sa is not established (which implies that the isakmp sa is also established) then the VTI tunnel will be in the down state. And when the ipsec sa is established the VTI tunnel will be in the up state. Is it possible that there are issues with the crypto sessions? Perhaps the output of debug crypto ipsec might shed some light on the issue?

 

HTH

 

Rick 


4 Replies

Giuseppe Larosa
Hall of Fame

Hello Stefano,

Usually tunnel interfaces can flap if recursive routing is occurring:

if the device or the router on the other side of the tunnel learns and installs a route to the tunnel destination over the tunnel itself.

So you need to verify that no device on either side advertises its tunnel destination address over the tunnel.

In your case, looking at your show file, you are running eBGP over the tunnel.

 

Hope to help

Giuseppe

 


Hi Richard,

Your info is right. There was a misconfiguration of IPSec on the two sides (PFS different); now I have corrected the configuration and the tunnel no longer flaps.

 

Thanks for the solution.

Stefano


 

I am glad that my suggestion pointed you in the right direction. Thank you for marking this question as solved. This will make it easier for other participants in the community to identify discussions which have helpful information. This was about a subtle aspect of using tunnels and I believe that a number of other participants will find it useful.

 

HTH

 

Rick
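
One way to check for the mismatch that turned out to be the cause in this thread (PFS different on the two sides), as an added example that is not part of any post: it compares the IPsec profile bound to Tunnel0 in two IOS configurations. The two configs, the profile and transform-set names, and the PFS groups are constructed for illustration; the thread does not show them.

```python
# Constructed sample configs (not from the thread): two peers whose IPsec
# profiles differ only in the PFS group.
SITE_A = """\
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
 set pfs group14
!
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
"""
SITE_B = SITE_A.replace("set pfs group14", "set pfs group2")

def ipsec_profiles(config):
    """Return {profile_name: {setting: value}} for each 'crypto ipsec profile'."""
    profiles, current = {}, None
    for line in config.splitlines():
        if line.startswith("crypto ipsec profile "):
            current = profiles.setdefault(line.split()[3], {})
        elif current is not None and line.startswith(" set "):
            key, _, value = line.strip()[4:].partition(" ")
            current[key] = value
        elif not line.startswith(" "):
            current = None  # left the profile stanza
    return profiles

def tunnel_profile(config, ifname="Tunnel0"):
    """Name of the IPsec profile protecting the given tunnel interface."""
    inside = False
    for line in config.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == f"interface {ifname}"
        elif inside and line.startswith(" tunnel protection ipsec profile "):
            return line.split()[-1]
    return None

def compare_peers(cfg_a, cfg_b, ifname="Tunnel0"):
    """List (setting, side_a, side_b) for every setting that differs.
    A setting present on one side only shows up with None on the other.
    Transform-set names are local labels: a differing name means the
    definitions still need to be compared by hand."""
    a = ipsec_profiles(cfg_a).get(tunnel_profile(cfg_a, ifname), {})
    b = ipsec_profiles(cfg_b).get(tunnel_profile(cfg_b, ifname), {})
    keys = sorted(set(a) | set(b))
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]

if __name__ == "__main__":
    for setting, va, vb in compare_peers(SITE_A, SITE_B):
        print(f"MISMATCH {setting}: side A={va!r} side B={vb!r}")
```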