
Tunnel interface question

richmorrow624
Level 1

I am trying to understand a configuration of tunnel interfaces.

I have a router at one site that is connecting to the remote office via the Internet. I have a 4503 switch at another site that connects to the remote site through a PIX firewall.

Whoever configured these devices has the loopback address for the router on a two host network with a 30 bit subnet mask.

They have done the same thing with the switch.

The tunnel addresses are also on a two host network, 30 bit subnet mask, but this makes sense because the tunnel ends will use these addresses.

I am assuming that once the tunnel is established, the loopbacks are considered directly connected interfaces to the tunnel endpoints, so the routing is accomplished there. So I should be able to ping from tunnel endpoint to tunnel endpoint, but I cannot.

The tunnels are showing up/up on both ends, but I cannot ping end to end of the tunnel.

Also, I do not understand why the loopback addresses were on two host networks when I cannot find the other host of the network anywhere for the router or the switch.

Any thoughts?

5 Replies

Richard Burts
Hall of Fame

Richard

I believe that you have two questions here which are unrelated. I will give answers for both.

First is a question about whether the tunnel is working correctly or not. I am assuming that this is a standard GRE tunnel. If not please clarify what kind of tunnel this is (and posting configuration would be helpful). The traditional implementation of GRE tunnel on Cisco router does interface status a bit differently than other interfaces. In Cisco IOS a GRE tunnel interface will be up and up as long as the router has a valid route to the tunnel end point. So the tunnel may be up and up but no traffic gets delivered.

Assuming that the GRE tunnel is not working I would suggest that you check it by using extended ping. Do a ping from one router specifying the tunnel destination as destination of ping and specifying the tunnel source as the ping source. If the extended ping fails it probably indicates some problem with IP connectivity and is probably the reason that the tunnel does not work. If the extended ping does succeed then there is some other problem and we will need to do some additional testing.

The second question has to do with the use of a /30 mask in defining the loopback interface. While the loopback is truly a host (/32) address it is fairly common to configure it with a mask of a subnet. I have seen this done when interfaces were going to do ip unnumbered to the loopback interface. I have done this on a router supporting dial access as an easy way to advertise the subnet of the dial pool. There are other reasons why the loopback might be configured with a subnet mask instead of a /32. Perhaps if we saw your config we might figure out what these reasons might be - or it might be that the person did it that way without any specific reason. I have not seen any problems arise from configuring the loopback interface with a subnet mask. Are you experiencing problems, or is it just that you want to have a logical explanation for what is in the config?

HTH

Rick


Thanks for the reply,

Here are the configs. I have edited them some for clarity.

The idea is to get the router to communicate with the 4503 via the internet.

I removed the VPN stuff from the config.

Thanks

Two things from your config

1. You are using private addresses across the internet. Did you change the addresses for security purposes, or is this what you are using exactly? Note that private IP addresses cannot communicate over the internet.

2. One end of the tunnel is shut down. Is this intentional? Can you bring it up and test if you have connectivity again?

If those do not clarify the problem, test for connectivity (using ping and traceroute) between the IPs 10.10.1.1 and 10.10.1.13. You could have a routing problem in-between or a firewall.

olorunloba
Level 5

I assume you are using GRE tunnels.

Can you reach the tunnel destinations from each end? Do a ping from the router to the address of the tunnel destination, making the source address the tunnel source. If you do not get any response, troubleshoot that first: for the GRE tunnel to come up, the tunnel endpoints must be able to communicate with each other.

It is normal for the tunnel to say up/up even when you cannot reach across it. Actually, once there is a route for the tunnel destination, it changes to up/up. You could configure tunnel keepalives to change the status to up/down if it cannot reach the other end.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
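Both Rick's and olorunloba's replies make the same point: a classic GRE tunnel reports up/up as soon as a route to the tunnel destination exists, so the extended ping from tunnel source to tunnel destination (or a keepalive) is what actually tells you whether the underlay works. The following is an added example, not code from the thread or from Cisco: a small Python model of that state logic. The endpoint addresses 10.10.1.1 and 10.10.1.13 are taken from the thread; the routing table and the underlay reachability sets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed example: models how IOS reports a GRE tunnel's state and why
# "up/up" alone does not prove the far end is reachable.  10.10.1.1 and
# 10.10.1.13 are the endpoints named in the thread; ROUTES and the
# "underlay" reachability sets below are made up for illustration.
ROUTES = ["10.10.1.0/24", "0.0.0.0/0"]          # what 'show ip route' would hold
TUNNEL_SRC, TUNNEL_DST = "10.10.1.1", "10.10.1.13"

def has_route(routes, dest):
    """True if any prefix in the table covers dest. This is the only check the
    classic GRE implementation makes before declaring line protocol up."""
    return any(ip_address(dest) in ip_network(p) for p in routes)

def tunnel_state(routes, dest, keepalive=False, peer_alive=True):
    """Return (status, protocol) as IOS would print it for a GRE tunnel."""
    if not has_route(routes, dest):
        return ("up", "down")
    if keepalive and not peer_alive:       # tunnel keepalives track the peer
        return ("up", "down")
    return ("up", "up")

def extended_ping(underlay, dest, source):
    """Model of 'ping <dest> source <source>': only the underlay path counts.
    'underlay' is a set of frozenset address pairs the Internet/PIX actually
    forwards between (an assumption of this model, not an IOS concept)."""
    return frozenset({source, dest}) in underlay

def diagnose(routes, src, dst, underlay, keepalive=False):
    """Combine the two views the way the replies above suggest."""
    peer_alive = extended_ping(underlay, dst, src)
    state = tunnel_state(routes, dst, keepalive, peer_alive)
    if state == ("up", "up") and not peer_alive:
        return "up/up but underlay broken: fix IP reachability between endpoints"
    if state == ("up", "down"):
        return "up/down: no route or keepalive failing to " + dst
    return "up/up and endpoint reachable: look beyond the underlay"

if __name__ == "__main__":
    # Constructed failure: a route exists but a firewall drops the traffic.
    broken = frozenset()
    print(diagnose(ROUTES, TUNNEL_SRC, TUNNEL_DST, broken))
    print(diagnose(ROUTES, TUNNEL_SRC, TUNNEL_DST, broken, keepalive=True))
    working = {frozenset({TUNNEL_SRC, TUNNEL_DST})}
    print(diagnose(ROUTES, TUNNEL_SRC, TUNNEL_DST, working))
```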

I believe these are GRE tunnels. This is the way it was configured at the site I was telling you about. This is one of the VPN routers that will not fail back after manual failover, which explains the shutdown interface.

I am assuming the tunnel works when it is not shut down. I am trying to set it up in a lab environment and did not understand why the addressing was done the way it is, and I am assuming it is done correctly.

I am told it works the way it is if the failover is done manually. It looks like there is natting done. I am also assuming that the connection is established on the frame-relay, then the tunnel is built up on the frame circuit.

If you can do encryption as it looks like that was done, is the tunnel just another layer of security across the frame-relay circuit?
