IP Route entry not showing up in routing table for VPN routing

slee
Level 1

Hello,

I created a VPN tunnel between our router (2800) and the Amazon Cloud. The tunnel is fine, but when I try to enter the routing for the network in the cloud, the entry does not show up in the routing table, although it shows up when I run sh run | i ip route. I heard this could happen when there is a directly connected route that overlaps the route being added, but I don't believe that is the case here. Here is the routing table:

Gateway of last resort is 108.48.76.1 to network 0.0.0.0

     50.0.0.0/28 is subnetted, 1 subnets
C       50.76.16.192 is directly connected, GigabitEthernet0/0.100
     169.254.0.0/30 is subnetted, 2 subnets
C       169.254.255.0 is directly connected, Tunnel1
C       169.254.255.4 is directly connected, Tunnel2
     157.130.0.0/30 is subnetted, 1 subnets
C       157.130.45.232 is directly connected, MFR0.500
     65.0.0.0/24 is subnetted, 1 subnets
C       65.196.96.0 is directly connected, GigabitEthernet0/0.10
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.10.2.0/24 is directly connected, GigabitEthernet0/1
S       10.10.5.0/24 [1/0] via 10.10.2.2
C       10.0.0.0/24 is directly connected, Loopback0
S       10.200.0.0/14 [1/0] via 10.10.2.2
     108.0.0.0/24 is subnetted, 1 subnets
C       108.48.76.0 is directly connected, GigabitEthernet0/0.1000
S*   0.0.0.0/0 [1/0] via 108.48.76.1

The network I am trying to add is 10.208.0.0/16 on interface Tunnel1.


Mitchell Dyer
Level 1

Is the tunnel up/up?

The tunnel interface (and associated routes) will act just like any other; if the interface is down, then the route will not appear in the routing table.

-Mitch

Yes, the tunnel is up/up; sh cry isa sa shows state QM_IDLE and status active. There have been no packets in or out.

Would you mind posting the rest of your config? If not all, I'd like to see the crypto map/VTI and all associated ACLs, NAT statements and IKE/IPSec info.


Here is the crypto map:

Crypto Map "Tunnel1-head-0" 65536 ipsec-isakmp
        Profile name: ipsec-vpn-b5b756dc-0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ipsec-prop-vpn-b5b756dc-0,
        }

Crypto Map "Tunnel1-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 72.21.209.224
        Extended IP access list
            access-list  permit ip any any
        Current peer: 72.21.209.224
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ipsec-prop-vpn-b5b756dc-0,
        }
        Always create SAs
        Interfaces using crypto map Tunnel1-head-0:
                Tunnel1

Crypto Map "Tunnel2-head-0" 65536 ipsec-isakmp
        Profile name: ipsec-vpn-b5b756dc-1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ipsec-prop-vpn-b5b756dc-1,
        }

Crypto Map "Tunnel2-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 72.21.209.192
        Extended IP access list
            access-list  permit ip any any
        Current peer: 72.21.209.192
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ipsec-prop-vpn-b5b756dc-1,
        }
        Always create SAs
        Interfaces using crypto map Tunnel2-head-0:
                Tunnel2

No ACLs or NAT statements are associated with this. What IKE/IPsec info?

Never mind, it was the track that was screwing things up.
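The last reply pins the missing route on a track object. What follows is an added example, not part of the thread, that models the IOS decision the thread circles around: a configured static route reaches the RIB only if its exit interface or next hop is usable, its tracked object (if it has one) is up, and nothing with a lower administrative distance already owns the identical prefix; a connected prefix of a different length that merely overlaps it does not displace it, which is why the "overlapping directly connected route" theory in the original post could not explain this case. The connected prefixes are a subset of the routing table above; the static routes, the `track 1` on the tunnel route, and the interface and track states are constructed assumptions. The lookup at the end shows the consequence that matters from a security standpoint: while the tracked route is withheld, packets for 10.208.0.0/16 follow the default route toward 108.48.76.1 instead of entering the tunnel.

```python
"""Simplified model of IOS static-route installation (added example, not IOS code).

Reproduces the thread's symptom: a static route for 10.208.0.0/16 out Tunnel1 that
is present in 'show run | include ip route' but absent from 'show ip route'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class StaticRoute:
    prefix: str                   # destination, e.g. "10.208.0.0/16"
    via: str                      # outgoing interface name or next-hop address
    track: Optional[int] = None   # 'track N' object, if configured
    distance: int = 1             # administrative distance (IOS default for static: 1)


# Connected prefixes (AD 0) taken from the thread's 'show ip route' output.
CONNECTED: Dict[str, str] = {
    "10.10.2.0/24": "GigabitEthernet0/1",
    "10.0.0.0/24": "Loopback0",
    "169.254.255.0/30": "Tunnel1",
    "169.254.255.4/30": "Tunnel2",
    "108.48.76.0/24": "GigabitEthernet0/0.1000",
}

# Static routes modelled on the thread; 'track 1' on the tunnel route is an
# assumption based on the final reply, not a line from the poster's config.
STATICS: List[StaticRoute] = [
    StaticRoute("10.10.5.0/24", "10.10.2.2"),
    StaticRoute("10.200.0.0/14", "10.10.2.2"),
    StaticRoute("0.0.0.0/0", "108.48.76.1"),
    StaticRoute("10.208.0.0/16", "Tunnel1", track=1),
]

# Constructed interface state: everything up, as the poster reported for Tunnel1.
IFACES_UP: Dict[str, bool] = {
    "GigabitEthernet0/1": True, "Loopback0": True, "Tunnel1": True,
    "Tunnel2": True, "GigabitEthernet0/0.1000": True,
}


def _is_address(s: str) -> bool:
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


def _exit_problem(via: str, interface_up: Dict[str, bool]) -> Optional[str]:
    """Return None if the route's exit is usable, otherwise the reason it is not."""
    if _is_address(via):
        # Simplification: a next-hop address must sit in a connected subnet whose
        # interface is up (real IOS would also recurse through other routes).
        for net, ifname in CONNECTED.items():
            if ip_address(via) in ip_network(net):
                return None if interface_up.get(ifname, False) else \
                    f"next hop {via} is on {ifname}, which is down"
        return f"next hop {via} is not in any connected subnet"
    return None if interface_up.get(via, False) else f"outgoing interface {via} is down"


def build_rib(statics: List[StaticRoute], interface_up: Dict[str, bool],
              track_up: Dict[int, bool]) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, str]]:
    """Return (rib, withheld): rib maps prefix -> (source, via) for installed routes;
    withheld maps a configured static prefix -> why it did not install."""
    rib = {net: ("C", ifname) for net, ifname in CONNECTED.items()
           if interface_up.get(ifname, False)}
    withheld: Dict[str, str] = {}
    for r in statics:
        reason = _exit_problem(r.via, interface_up)
        if reason is None and r.track is not None and not track_up.get(r.track, False):
            reason = f"track {r.track} is down"
        if reason is None and r.prefix in rib and r.distance > 0:
            # Only an identical prefix/length competes on AD; a connected /24 inside
            # a static /16 does not stop the /16 from installing.
            reason = f"connected route on {rib[r.prefix][1]} has lower AD"
        if reason is None:
            rib[r.prefix] = ("S", r.via)
        else:
            withheld[r.prefix] = reason
    return rib, withheld


def rib_lookup(destination: str, rib: Dict[str, Tuple[str, str]]):
    """Longest-prefix match over the installed routes, as forwarding does."""
    dest = ip_address(destination)
    matches = [p for p in rib if dest in ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda p: ip_network(p).prefixlen)
    return best, rib[best]


if __name__ == "__main__":
    for state in (False, True):
        rib, held = build_rib(STATICS, IFACES_UP, {1: state})
        print(f"track 1 {'up' if state else 'down'}: withheld={held}")
        print("  10.208.1.1 is forwarded via", rib_lookup("10.208.1.1", rib))
```

On the router itself the equivalent checks are `show track` for the state of the tracked object and `show ip route 10.208.0.0 255.255.0.0`, which reports the longest match actually in use; if that answer is the default route rather than Tunnel1, traffic for the VPC is leaving toward the ISP gateway instead of the tunnel.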
