Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
714
Views
0
Helpful
3
Replies

Routing Over a VPN Tunnel

Go to solution
bill.limberg
Level 1
Level 1

‎12-01-2012 10:00 AM - edited ‎03-04-2019 06:17 PM

I'm running into a problem with a route over a VPN tunnel.  We have 5 sites connected on a MPLS network.  We have a 6th site that is connected by a site-to-site VPN tunnel that terminates on one of the routers on the MPLS network.

This setup was working just fine for us.  Any of the 5 sites were able to connect to the 6th site by routing traffic first over the MPLS network and then over the VPN tunnel.

Now we ran into a problem when moving to a new WAN circuit on the rotuer that hosts the VPN.  We're moving our WAN circuit from a Serial interface to a Gigabit interface.  All the configuration has been done: the new circuit is up, the old circuit is down, and the VPN tunnel to the 6th site is up and terminated on the Gigabit interface.

But, now we have a problem routing traffic over this VPN tunnel.  Let's say the subnet at the 6th site is 1.1.1.0/24.  With the old circuit we had a route of 'ip route 1.1.1.0 255.255.255.0 Serial0/0/0:0.100' and this was working for us.  I updated this to use the Gigabit interface instead of the Serial, but it's not working.  I can ping over the VPN tunnel from the router, but no where else.

If I remove the route command alltogether I can ping from the local LAN of the router, but not from any of the remote sites (the 1.1.1.0/24 is no longer advertised by BGP and the traffic from the remote sites isn't routed properly anymore).

So, it seems like I'm just missing something simple here...or I hope I am anyway.  Everything should fine with the VPN configuration; that has remanied unchanged.  The crypto map was just moved from the Serial interface to the Gig interface.  The VPN certainly works just fine from the local router LAN when the route command is removed.  If anyone has any idea why the router doesn't send traffic over the VPN when the route command is in place I'd love to hear from you.

Thanks,

Bill

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎12-01-2012 12:49 PM

Bill

Without the static route then the network is not in the routing table and if the network is not in the routing table then BGP can not advertise it. And if BGP does not advertise it then the remote sites do not know how to reach it. So the problem does center on the static route. The essence of the problem is in the way that you have expressed the static route. Using the interface to identify the exit point for the static route works fine when the exit is a point to point serial interface. But using the interface as the identifier is problematic when the interface is Ethernet. When you do a static route and specify an Ethernet as the exit then the router must ARP for every remote address. This can work if the next hop router has enabled proxy arp. But many providers do not. The best solution is to put the static route back into the config but to specify the next hop address as the exit rather than the interface.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎12-01-2012 12:49 PM

Bill

Without the static route then the network is not in the routing table and if the network is not in the routing table then BGP can not advertise it. And if BGP does not advertise it then the remote sites do not know how to reach it. So the problem does center on the static route. The essence of the problem is in the way that you have expressed the static route. Using the interface to identify the exit point for the static route works fine when the exit is a point to point serial interface. But using the interface as the identifier is problematic when the interface is Ethernet. When you do a static route and specify an Ethernet as the exit then the router must ARP for every remote address. This can work if the next hop router has enabled proxy arp. But many providers do not. The best solution is to put the static route back into the config but to specify the next hop address as the exit rather than the interface.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
bill.limberg
Level 1
Level 1
In response to Richard Burts

‎12-01-2012 12:56 PM

Thanks a million Rick.  That did it.  Just changed the route to the next hop off of the Gig interface and I have connectivity from all sites again.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to bill.limberg

‎12-01-2012 01:11 PM

Bill

I am glad that my response was able to guide you to a solution for your problem. This is an aspect of static routes that is sometimes not well understood. So you are in good company in figuring this out. Thank you for using the rating system to mark the question as answered. It makes the forum more useful when people can read about an issue and can know that a solution was found. Your rating has contributed to this process.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card