IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

>>Both routers are located in different countries and are connected through an ISP.
>>An IPsec over GRE tunnel is configured on both routers.
>>The tunnel's line protocol is down on both ends, but the tunnel destination is reachable from the tunnel source.
>>Packets are not being received on Router_1, but I can see packets being encrypted on Router_2.
>>The ISP is not finding any issue on their end.
>>Please guide me on how I can fix this issue and what needs to be checked.

========================

Router_1#sh run int Tunnel20
Building configuration...

Current configuration : 272 bytes
!
interface Tunnel20
 
 bandwidth 2048
 ip address 3.85.129.141 255.255.255.252
 ip mtu 1412
 ip flow ingress
 delay 1
 cdp enable
 tunnel source GigabitEthernet0/0/3
 tunnel destination 109.224.62.26
end

 


===================

Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up    <<< Keepalive is not set
  Hardware is Tunnel
  Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
  Internet address is 3.85.129.141/30
  MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
   Tunnel Subblocks:
      src-track:
         Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
          Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 1w6d, output 14w4d, output hang never
  Last clearing of "show interface" counters 2y5w
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1565172427 packets input, 363833090294 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1778491917 packets output, 1555959948508 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!..!!!!!!!.!!!!!!!!!!!!!!!!!!
!!!!!.!!!!!!!!!!!!!!..!!!!.!!!
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#

============================================

Router_1#sh cry ip sa pe 109.224.62.26 | in caps
    #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
    #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611    <<< Traffic is not being received from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#

===================

Router_2#sh run int Tu1
Building configuration...

Current configuration : 269 bytes
!
interface Tunnel1
 
 bandwidth 2000
 ip address 3.85.129.142 255.255.255.252
 ip mtu 1412
 ip flow ingress
 load-interval 30
 keepalive 10 3
 cdp enable
 tunnel source GigabitEthernet0/0
 tunnel destination 195.27.20.14
 !
end

Router_2#

=======================

Router_2#sh run | sec cry

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
 mode transport
crypto map <Deleted> 10 ipsec-isakmp
 
 set peer 195.27.20.14
 set transform-set ge3vpn
 match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
 
 set peer 194.9.241.8
 set transform-set ge3vpn
 match address Router_1
 crypto map <Deleted>

Router_2#

====================================

Router_2#sh cry ip sa pe 195.27.20.14 | in caps
    #pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
    #pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572    <<< Traffic is being encrypted on Router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================

Router_2#sh int Tu1
Tunnel1 is up, line protocol is down    <<< Down
  Hardware is Tunnel
  
  Internet address is 3.85.129.142/30
  MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
  Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
   Tunnel Subblocks:
      src-track:
         Tunnel1 source tracking subblock associated with GigabitEthernet0/0
          Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 1w6d, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     1881547260 packets input, 956465296 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1705198723 packets output, 2654132592 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
=============================

Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.!!!!!!.!!!!!!!.!!!!!!.!.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================
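The post's own diagnosis comes from comparing two "sh cry ip sa ... | in caps" snapshots by hand: encaps grows on Router_1, decaps does not, while Router_2 (keepalive set) reports line protocol down. The script below is an added example, not part of the original post or Cisco's tooling; it embeds the two Router_1 snapshots and the two relevant lines of Router_2's "sh int Tu1" from the post as sample input, parses the counters, and turns the growth pattern plus the peer's keepalive state into the same conclusion. The function names, the verdict strings and the "sa-reset" handling for counters that go backwards after a clear or rekey are my own assumptions.

```python
import re

# Sample input constructed from the post: Router_1's two "sh cry ip sa pe ... | in caps"
# snapshots (15:09:45 and 15:11:36 UTC) and two lines of Router_2's "sh int Tu1".
R1_CAPS_T1 = """\
    #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
"""
R1_CAPS_T2 = """\
    #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
"""
R2_SHOW_INT = """\
Tunnel1 is up, line protocol is down
  Keepalive set (10 sec), retries 3
"""

_COUNTER = re.compile(r"#pkts (\w+): (\d+)")


def parse_sa_counters(text):
    """Map counter name -> value from 'show crypto ipsec sa' output, e.g. {'encaps': 831987306, ...}."""
    counters = {name: int(value) for name, value in _COUNTER.findall(text)}
    if "encaps" not in counters or "decaps" not in counters:
        raise ValueError("no IPsec SA counters found in input")
    return counters


def counter_deltas(before, after):
    """Per-counter growth between two snapshots of the same SA (negative: SA was cleared or rekeyed)."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    return {name: a[name] - b[name] for name in a if name in b}


def classify_direction(deltas):
    """Which way ESP is actually moving for this SA between the two snapshots."""
    tx, rx = deltas["encaps"], deltas["decaps"]
    if tx < 0 or rx < 0:
        return "sa-reset"      # counters went backwards: SA cleared/rekeyed, take two fresh snapshots
    if tx > 0 and rx > 0:
        return "bidirectional"
    if tx > 0:
        return "rx-stalled"    # we encrypt toward the peer but decrypt nothing from it
    if rx > 0:
        return "tx-stalled"
    return "idle"


def tunnel_state(show_int):
    """(line_protocol_up, keepalive_configured) from 'show interface TunnelN' output."""
    m = re.search(r"line protocol is (up|down)", show_int)
    if m is None:
        raise ValueError("no line protocol state in input")
    return m.group(1) == "up", "Keepalive set" in show_int


def diagnose(local_deltas, peer_show_int):
    """Explain the peer's GRE line-protocol state from local SA growth and the peer's keepalive config."""
    peer_up, peer_keepalive = tunnel_state(peer_show_int)
    direction = classify_direction(local_deltas)
    if peer_up:
        return "peer line protocol up; nothing to diagnose from keepalives"
    if not peer_keepalive:
        return "peer is down without keepalives: check its route to the tunnel destination"
    if direction == "rx-stalled":
        return ("peer keepalives never arrive here: inbound ESP from the peer is not being decrypted, "
                "so the keepalive cannot be decapsulated and returned; check that ESP from the peer "
                "reaches the outside interface and matches this SA")
    if direction == "bidirectional":
        return "ESP flows both ways, so look past IPsec: GRE decapsulation or the route back for the inner packet"
    return "direction %s: take snapshots further apart before drawing a conclusion" % direction


if __name__ == "__main__":
    deltas = counter_deltas(R1_CAPS_T1, R1_CAPS_T2)
    print(deltas)
    print(classify_direction(deltas))
    print(diagnose(deltas, R2_SHOW_INT))
```

Two snapshots a couple of minutes apart are enough to separate "nothing comes back" from "nothing goes out"; run the same comparison on Router_2's SA as well, because the post only has a single snapshot from that side.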

1 Reply

Hello.

First of all, try to reset IPsec (clear crypto isakmp sa ..., clear crypto session ...).

Configure an inbound ACL on the router to match the ESP protocol and check whether the packets arrive.

Please provide the full output of "show crypto ipsec sa" from both sides.
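Why "line protocol is down" on Router_2 hinges on Router_1 receiving and returning traffic: a Cisco GRE keepalive is a GRE packet whose payload is a second IP packet already addressed back to the sender, carrying an empty GRE header with protocol type 0. The far end does nothing special with it; it decapsulates the outer GRE and routes the inner packet like any other. If the peer's ESP never arrives (the flat decaps counter in the post) or the returned packet does not match the crypto ACL on the way back, three missed replies take the line protocol down. The pure-Python model below is an added example, not code from the post or from Cisco; it builds the keepalive bytes, performs the far end's decapsulation step, and checks the returned packet. Addresses are the post's tunnel sources; function names and the error handling are my own, and the builder deliberately supports only flag-less GRE headers.

```python
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_KEEPALIVE = 0x0000   # protocol type carried inside a Cisco GRE keepalive


def _ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when run over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]


def gre_header(proto: int) -> bytes:
    """4-byte GRE header: no C/K/S flags, version 0, then the payload protocol type."""
    return struct.pack("!HH", 0, proto)


def build_keepalive(local: str, remote: str) -> bytes:
    """Outer IP local->remote, GRE(IPv4), inner IP remote->local, GRE(type 0), no payload."""
    inner = ipv4_header(remote, local, IPPROTO_GRE, 4) + gre_header(GRE_PROTO_KEEPALIVE)
    return ipv4_header(local, remote, IPPROTO_GRE, len(inner) + 4) + gre_header(GRE_PROTO_IPV4) + inner


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); rejects bad version, IHL, length or header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad length")
    if _ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def gre_decap(payload: bytes):
    """Return (protocol_type, inner) for a flag-less GRE header (C/K/S would add optional fields)."""
    if len(payload) < 4:
        raise ValueError("short GRE header")
    flags_ver, proto = struct.unpack("!HH", payload[:4])
    if flags_ver & 0xB000:
        raise ValueError("GRE checksum/key/sequence fields not supported here")
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    return proto, payload[4:]


def far_end_decap(pkt: bytes, my_addr: str) -> bytes:
    """What the tunnel destination does: strip outer IP+GRE and hand the inner packet to routing."""
    _src, dst, proto, payload = parse_ipv4(pkt)
    if dst != my_addr or proto != IPPROTO_GRE:
        raise ValueError("not a GRE packet for this tunnel endpoint")
    gre_proto, inner = gre_decap(payload)
    if gre_proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % gre_proto)
    return inner


def is_keepalive_reply(pkt: bytes, my_addr: str) -> bool:
    """True for a GRE packet to us whose protocol type is 0 and which carries nothing else."""
    _src, dst, proto, payload = parse_ipv4(pkt)
    if dst != my_addr or proto != IPPROTO_GRE:
        return False
    gre_proto, rest = gre_decap(payload)
    return gre_proto == GRE_PROTO_KEEPALIVE and rest == b""


def keepalive_round_trip(local: str, remote: str) -> bool:
    """The keepalive counts only if the far end decapsulates it and routes the inner packet back."""
    returned = far_end_decap(build_keepalive(local, remote), remote)
    return is_keepalive_reply(returned, local)


if __name__ == "__main__":
    print(keepalive_round_trip("109.224.62.26", "195.27.20.14"))
```

The returned packet is plain GRE (IP protocol 47) from the tunnel destination back to the keepalive sender, so on a crypto-map design like the one in the post it must be matched by the far end's crypto ACL to come back inside ESP; if it leaves in the clear or is never generated, Router_2 still logs the miss. Note also that nothing in the keepalive is authenticated: protection against a forged reply comes entirely from ESP and from dropping cleartext GRE that should have arrived encrypted.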
