ipvpn tunnel configurations


I have a core router that contains ipvpn tunnel configurations with my site office branch router.

Recently, while setting up a new site, we tested the link failover.

We discovered that the tunnel from the site router to the core router remained down after we shut down the main link, leaving only the backup link, as the failover didn't take place.

What is the best practice for configuring an ipvpn site-to-site tunnel?

After we removed the keepalive setting on the core router, my tunnel was able to get connected.

core router (C3925 router)

interface Tunnel1003
description Tunnel to site3
ip address
ip mtu 1500
ip virtual-reassembly in
ip tcp adjust-mss 1436
ip ospf message-digest-key 1 md5 7 070C2XXXXX

keepalive 10 3 ---- removed 
tunnel source
tunnel destination

site router (C1941 router)

interface Tunnel1003
description Tunnel to Core1
ip address
ip mtu 1500
ip virtual-reassembly in
ip tcp adjust-mss 1436
ip ospf message-digest-key 1 md5 7 070C2XXXXXX
keepalive 10 3
tunnel source
tunnel destination


Philip D'Ath

I have seen this happen before with buggy IOS versions.  Whichever router you removed the "keepalive" line from is the one with the buggy software.  You should upgrade it to the next "gold star" release.

The other possibility is that you have recursive routing going on.  I can't tell without seeing a lot more config.

The really important bit is that if you are using dynamic routing protocols that the tunnel endpoints ( an are never advertised over the tunnel itself.
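Added example, not part of the original thread or of any reply: a Python check for the recursive-routing condition described above, where the best route to a tunnel's destination points back out a tunnel interface. The tunnel destination, prefixes and interface names are constructed sample values, and the routing table is a simplified assumption rather than parsed router output.

```python
import ipaddress

# Constructed sample data (not from the thread): tunnel name -> tunnel destination.
TUNNELS = {"Tunnel1003": "198.51.100.2"}

# Simplified routing table: (prefix, outgoing interface, source protocol).
ROUTES_OK = [
    ("0.0.0.0/0", "GigabitEthernet0/0", "bgp"),
    ("198.51.100.0/30", "GigabitEthernet0/0", "connected"),
    ("10.30.0.0/16", "Tunnel1003", "ospf"),
]
# Same table after the IGP advertises the tunnel endpoint over the tunnel itself
# with a more specific prefix than the underlay route.
ROUTES_RECURSIVE = ROUTES_OK + [("198.51.100.2/32", "Tunnel1003", "ospf")]


def best_route(dest, routes):
    """Longest-prefix match for dest; returns (prefix, interface, proto) or None."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def recursive_tunnels(tunnels, routes):
    """Return {tunnel: reason} for tunnels whose destination has no route
    or whose best route leaves through a tunnel interface."""
    problems = {}
    for name, dest in tunnels.items():
        route = best_route(dest, routes)
        if route is None:
            problems[name] = "no route to tunnel destination"
        elif route[1] in tunnels:
            problems[name] = (f"destination {dest} routed via {route[1]} "
                              f"({route[0]}, {route[2]})")
    return problems


if __name__ == "__main__":
    for label, table in (("ok", ROUTES_OK), ("recursive", ROUTES_RECURSIVE)):
        print(label, recursive_tunnels(TUNNELS, table) or "clean")
```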

The IOS for the C3925 is C3900-UNIVERSALK9-M, Version 15.2(4)M5

and C1900-UNIVERSALK9-M, Version 15.2(4)M6 for the C1941 router.

Looks like I need to upgrade the IOS.

I would recommend either 15.4.3M5 or 15.5.3M2.


I have BGP running on the 1st WAN link and the backup WAN link for this tunnel.

How can I configure the router such that if the 1st WAN link is down for more than 5 mins, the 2nd WAN link can take over the traffic?

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Do/PfxRcd
117.xx.1xx.2xx 4 9255 33762 34477 1066 0 0 1w3d 43
117.xx.1xx.2xx 4 9255 7763 7953 1066 0 0 2d12h 43

5 minutes is a long time.  You would have to extend the BGP timers to make it that long.  Do you really need it to take that long?

5 mins is just an example.

Can the router resume normal traffic using the 1st WAN link when it is back, if it went down due to a cable fault?

Can I use the BGP timers to control this?

When the primary link comes back up again BGP will re-establish, and the original routing table should restore itself.

You don't need to touch any BGP timers.
