
Tunnel not coming up

Joy3
Level 1

Hallo,

I have configured an ISR1100 router to communicate with a remote site. However, the tunnels are not coming up. 

R1-1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 192.168.1.1 YES NVRAM down down
GigabitEthernet0/1/0 unassigned YES unset up up
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset down down
Wl0/1/4 unassigned YES unset administratively down down
Cellular0/2/0 10.x.x.x YES IPCP up up
Cellular0/2/1 unassigned YES NVRAM administratively down down
ATM0/3/0 unassigned YES NVRAM administratively down down
Ethernet0/3/0 unassigned YES NVRAM down down
Loopback0 172.x.x.x YES manual up up
Tunnel100 172.x.x.x YES manual up down
Tunnel200 172.x.x.x YES manual up down
Vlan1 unassigned YES unset administratively down down
Vlan100 x.x.x.x YES manual up up
Vlan251 x.x.x.x YES manual up up
Vlan300 x.x.x.x YES manual up up
Vlan804 x.x.x.x YES manual up up
Vlan805 x.x.x.x YES manual up up
Vlan806 x.x.x.x YES manual up up

 

The running configs for the tunnel are as below:

 

R1#sh int tunnel100
Tunnel100 is up, line protocol is down
Hardware is Tunnel
Internet address is 172.x.x.x/24
MTU 9972 bytes, BW 100 Kbit/sec, DLY 10000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate mode reg down
Tunnel source 10.x.x.x (Cellular0/2/0)
Tunnel Subblocks:
src-track:
Tunnel100 source tracking subblock associated with Cellular0/2/0
Set of tunnels with source Cellular0/2/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport multi-GRE/IP
Key 0x64, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "DMVPN-PROFILE-1")
Last input never, output 00:00:01, output hang never
Last clearing of "show interface" counters 16:35:32
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3407 packets output, 463352 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R1#

 

The cellular interface is as follows:

 

R1#sh int cellular 0/2/0
Cellular0/2/0 is up, line protocol is up
Hardware is LTE Adv CAT6 - Multimode LTE/DC-HSPA+/HSPA+/HSPA/UMTS/EDGE/GPRS
Internet address is 10.x.x.x/32
MTU 1500 bytes, BW 50000 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive not supported
DTR is pulsed for 1 seconds on reset
Last input 00:00:03, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
7608 packets input, 2025268 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
8008 packets output, 1795372 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions

R1#sh run int cellular 0/2/0
Building configuration...

Current configuration : 139 bytes
!
interface Cellular0/2/0
ip address negotiated
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
end

R1#

 

Kindly let me know what the issue could be. Thanks.

25 Replies

Joy3
Level 1

@Georg Pauwen I get no errors now but the tunnels are still in up/down state.

Hello,

Which traffic do you actually want to send across the VPN? You need static routes for the remote networks pointing to the respective tunnel as the outgoing interface...

Joy3
Level 1

@Georg Pauwen I'd like to send voice and data traffic across the VPN. The static routes are configured as below:

Wl0/1/4 unassigned YES unset administratively down down
Cellular0/2/0 10.x.x.x YES IPCP up up
Ethernet0/3/0 unassigned YES NVRAM down down
Loopback0 172.x.x.x YES NVRAM up up
Tunnel100 172.x.x.x YES NVRAM up down
Tunnel200 172.x.x.x YES NVRAM up down

There is a similar ISR that is operational but the source of this particular router is the Dialer1 interface. For the one that I am having a problem with, the tunnel source is cellular 0/2/0 interface. Could this be a problem?

Thanks.

Joy3
Level 1

Hallo,

Here is some more information for context.

1. The operational router's dialer interface (tunnel uses it as the source) is as below:

R2#sh run int dialer 1
Building configuration...

Current configuration : 537 bytes
!
interface Dialer1
bandwidth 2500
bandwidth receive 17500
vrf forwarding INTERNET
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx password 7 xxx
service-policy output WAN-EDGE-4-CLASS
end

2. The cellular interface (tunnel uses this as the source) configuration of the problematic ISR is as below:


R1#sh run int cellular 0/2/0
Building configuration...

Current configuration : 139 bytes
!
interface Cellular0/2/0
ip address negotiated
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1

service-policy output WAN-EDGE-4-CLASS
end

Could the cellular interface config be too simplistic? I am able to ping 8.8.8.8.

Hello

Check your IKE and IPSEC policies; make sure they have parity on either of the tunnels.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joy3
Level 1

@paul driver Thanks for your response. Could you kindly let me know how to do that? What I have at the moment is:

crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxx
!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE-1
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1

Joy3
Level 1

Hallo,

Sorry to flood this post with so many configs but I have tried all day to troubleshoot this issue without success. If anyone finds where the issue is, please let me know. The traceroute is as below:

R1#traceroute 172.x.x.x
Type escape sequence to abort.
Tracing the route to 172.x.x.x
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * *
172.x.x.x msec
3 10.x.x.x msec 32 msec 32 msec
4 * * *
5 62.52.29.18 52 msec 40 msec 28 msec
6 * * *
7 * * *

Thanks again.

Regards,

Joyce

Hello
Hub/Spokes
int tun xx
no keepalive
< this should bring up the tunnels

Spoke
no access-list 1
no ip nat inside source list 1 interface Cellular0/2/0 overload
< NAT isn't being used



Kind Regards
Paul

Joy3
Level 1

Thanks @paul driver I will test tomorrow when I go to the lab. Must the keepalive be disabled from both hub and spoke? I don't want to alter the hub side since it is serving other routers which are working properly. Thanks.

Hello
Then just do the NHC (spoke) tunnel and cellular interfaces and test, as it looks like it isn't set anyway on the tunnel; the cellular is stating keepalive is not supported.
In theory a tunnel interface (basic GRE) should come up with just specifying a source interface and/or mode/destination, even without reachability to its peer.

Another thing you could try is using the dialer interface as source for the tunnel.



Kind Regards
Paul

Joy3
Level 1

Hallo all,

Thank you so much for the suggestions given. The issue was that the cellular interface was not configured with vrf forwarding INTERNET, and there was an additional ip route that I removed. Now the tunnels are up and I have an SSH connection. Thanks again.
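
An added example, not part of any post in this thread: a small Python check for the mismatch reported as the fix, where a tunnel's source interface is not in the VRF the tunnel uses for transport. The sample config is constructed, and its `tunnel vrf INTERNET` lines are an assumption because the thread does not show the tunnel configuration.

```python
# Constructed sample shaped like the thread's spoke config. The
# "tunnel vrf INTERNET" lines are assumed; the thread omits the tunnel config.
SAMPLE_CONFIG = """\
interface Cellular0/2/0
 ip address negotiated
!
interface Dialer1
 vrf forwarding INTERNET
!
interface Tunnel100
 tunnel source Cellular0/2/0
 tunnel vrf INTERNET
!
interface Tunnel200
 tunnel source Dialer1
 tunnel vrf INTERNET
"""

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (indentation optional)."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None  # block terminator in "show run" output
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces

def arg_of(lines, *prefixes):  # argument of first matching sub-command, else None
    for line in lines:
        for prefix in prefixes:
            if line.startswith(prefix + " "):
                return line[len(prefix):].strip()
    return None

def audit_tunnel_vrf(config):
    """Flag tunnels whose source interface sits outside the tunnel's transport VRF."""
    ifs, findings = parse_interfaces(config), []
    for name, lines in ifs.items():
        source = arg_of(lines, "tunnel source")
        if source not in ifs:  # not a tunnel, or sourced from an IP address
            continue
        want = arg_of(lines, "tunnel vrf") or "global"
        have = arg_of(ifs[source], "vrf forwarding", "ip vrf forwarding") or "global"
        if want != have:
            findings.append((name, source, want, have))
    return findings
```

Each finding is a tuple of tunnel, source interface, the tunnel's transport VRF and the source interface's VRF, with `global` meaning no VRF statement.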
