Hello,
There are three tunnels on the router, two ZEN and one DMVPN. The DMVPN is up/up, but the line protocol is down on the ZEN tunnels. I can ping the destinations of the tunnels with the source interface. The source interface is the same for the DMVPN tunnel as well, so the problem is not with that. I've checked zScaler's website and there is no maintenance on these sites. It was working before, and since then there haven't been any config changes.
Can you give me any advice on what I should check, or what debug commands I can use?
Thank you.
Hello,
what equipment (ASA/IOS Router) is this on? Post the config you have...
Hello @Georg Pauwen, it's a Cisco 4351 ISR.
interface Tunnel10
ip flow monitor FLOW-MONITOR-1 input
ip flow monitor FLOW-MONITOR-1 output
ip unnumbered GigabitEthernet0/0/1
ip mtu 1400
ip nbar protocol-discovery
ip access-group ZS-IN_ACL in
ip tcp adjust-mss 1360
shutdown
keepalive 10 3
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 78.23.11.22
tunnel protection ipsec profile ZEN_IPSEC_PROFILE
Extended IP access list ZS-IN_ACL
10 permit icmp any any echo-reply
20 permit tcp any any established
30 permit udp any 10.100.0.0 0.0.255.255
crypto ipsec profile ZEN_IPSEC_PROFILE
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set ZEN_SET
crypto ipsec transform-set ZEN_SET esp-null esp-md5-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
Hello,
this is a partial configuration, do you have the full configuration? I have pulled the below IKEv2 configuration from the zScaler website:
crypto ikev2 proposal <Proposal Name>
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy <Policy Name>
match fvrf any
proposal <Proposal Name>
!
crypto ikev2 keyring <Key Ring Name>
peer <Peer 1 Name>
address <Primary VPN IP Address>
pre-shared-key <Pre-Shared Key>
peer <Peer 2 Name>
address <Backup VPN IP Address>
pre-shared-key <Pre-Shared Key>
!
crypto ikev2 profile <IKEv2 Profile 1 Name>
match identity remote address <Primary VPN IP Address>
identity local email <FQDN>
authentication remote pre-share
authentication local pre-share
keyring local <Key Ring Name>
lifetime 86400
no config-exchange request
crypto ikev2 profile <IKEv2 Profile 2 Name>
match identity remote address <Backup VPN IP Address>
identity local email <FQDN>
authentication remote pre-share
authentication local pre-share
keyring local <Key Ring Name>
lifetime 86400
no config-exchange request
!
crypto ikev2 dpd 10 5 periodic
!
crypto ikev2 nat keepalive 20
!
crypto ipsec transform-set <Transform Set Name> esp-null esp-sha-hmac
mode tunnel
!
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile <IPSec Profile 1 Name>
set security-association lifetime seconds 28800
set security-policy limit 1
set transform-set <Transform Set Name>
set ikev2-profile <IKEv2 Profile 1 Name>
crypto ipsec profile <IPSec Profile 2 Name>
set security-association lifetime seconds 28800
set security-policy limit 1
set transform-set <Transform Set Name>
set ikev2-profile <IKEv2 Profile 2 Name>
!
interface <Primary Tunnel Interface>
ip unnumbered <WAN Interface>
ip mtu <MTU>
ip tcp adjust-mss 1360
tunnel source <WAN Interface>
tunnel mode ipsec ipv4
tunnel destination <Primary VPN IP Address>
tunnel protection ipsec profile <IPSec Profile 1 Name> ikev2-profile <IKEv2 Profile 1 Name>
interface <Backup Tunnel Interface>
ip unnumbered <WAN Interface>
ip mtu <MTU>
ip tcp adjust-mss 1360
tunnel source <WAN Interface>
tunnel mode ipsec ipv4
tunnel destination <Backup VPN IP Address>
tunnel protection ipsec profile <IPSec Profile 2 Name> ikev2-profile <IKEv2 Profile 2 Name>
!
access-list <ACL Number> permit ip any any
!
access-list <ACL Number> permit tcp any any eq 80
access-list <ACL Number> permit tcp any any eq 443
!
access-list <ACL Number> deny ip any <Exempted Server IP>
access-list <ACL Number> permit tcp any any eq 80
access-list <ACL Number> permit tcp any any eq 443
!
route-map <Route Map Name> permit 1
match ip address <ACL Number>
set interface <Primary Tunnel Interface> <Backup Tunnel Interface>
!
interface <WAN Interface>
description $ES_WAN$
ip address 10.96.19.244 255.255.255.0
ip access-group 100 in
ip access-group 100 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface <LAN Interface>
ip address 172.17.0.128 255.255.255.0
ip access-group 100 in
ip access-group 100 out
ip nat inside
ip virtual-reassembly in
ip policy route-map <Route Map Name>
!
track 1 ip sla 1 state
delay down 180 up 180
track 2 ip sla 2 state
delay down 180 up 180
ip route <Primary Global ZIA Public Service Edge IP Address> 255.255.255.255 <Primary Tunnel Interface> permanent
ip route <Backup Global ZIA Public Service Edge IP Address> 255.255.255.255 <Backup Tunnel Interface> permanent
ip sla 1
http raw http://<Primary Global ZIA Public Service Edge IP Address>:80
http-raw-request
GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 1 life forever start-time now
ip sla 2
http raw http://<Backup Global ZIA Public Service Edge IP Address>:80
http-raw-request
GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3
Hi,
Here is the config of the primary tunnel. If you need the secondary tunnel's config too, I can send it later; I just didn't want to rewrite that config as well.
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp identity hostname
crypto isakmp keepalive 20 5 periodic
crypto isakmp nat keepalive 20
!
crypto isakmp peer address 78.23.11.22
set aggressive-mode password PASSW
set aggressive-mode client-endpoint user-fqdn r1@test.com
!
crypto ipsec transform-set ZEN_SET esp-null esp-md5-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile ZEN_IPSEC_PROFILE
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set ZEN_SET
!
interface Tunnel10
ip unnumbered GigabitEthernet0/0/1
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor FLOW-MONITOR-1 input
ip flow monitor FLOW-MONITOR-1 output
ip access-group ZS-IN_ACL in
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 78.23.11.22
tunnel protection ipsec profile ZEN_IPSEC_PROFILE
!
router eigrp 1
redistribute static
passive-interface Tunnel10
no auto-summary
!
ip route 78.23.11.22 255.255.255.255 GigabitEthernet0/0/1
ip route 78.23.11.25 255.255.255.255 Tunnel10 permanent
!
ip access-list extended ZS-IN_ACL
permit icmp any any echo-reply
permit tcp any any established
permit udp any 10.100.0.0 0.0.255.255
!
ip sla 1
http raw http://78.23.11.25:443
http-raw-request
GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
timeout 5000
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react rtt threshold-value 5000 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 5000 1 threshold-type consecutive 3
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
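An added example (editor's code, not from the thread, Cisco or Zscaler): a small Python auditor that parses the IKEv1 configuration posted above and the algorithm lines of the Zscaler IKEv2 template quoted in the earlier reply, and flags the settings a security reviewer would raise before looking at why the tunnel is down: 3DES, MD5, DH group 2, IKEv1 aggressive mode with a pre-shared key, and esp-md5-hmac. esp-null is reported only as informational, because the vendor template itself uses null encryption. The object names in TEMPLATE_CONFIG, the "weak" sets and the severity labels are the editor's assumptions.

```python
"""Audit Cisco IOS crypto config text for weak IKE/IPsec parameters.

Added example by the editor, not code from the thread, Cisco or Zscaler.
The "weak" sets and severities are the editor's assumptions (following the
NIST SP 800-131A deprecation of DES/3DES, MD5 and sub-2048-bit DH groups).
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # 768/1024/1536-bit MODP

# IKEv1 settings for the primary tunnel, as posted in the thread.
POSTED_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp peer address 78.23.11.22
 set aggressive-mode password PASSW
 set aggressive-mode client-endpoint user-fqdn r1@test.com
!
crypto ipsec transform-set ZEN_SET esp-null esp-md5-hmac
 mode tunnel
"""

# Algorithms from the Zscaler IKEv2 template quoted in the thread; the object
# names are placeholders chosen by the editor so the text parses.
TEMPLATE_CONFIG = """\
crypto ikev2 proposal ZS-PROPOSAL
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ipsec transform-set ZS-SET esp-null esp-sha-hmac
 mode tunnel
"""


def parse_blocks(cfg):
    """Split IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line, []))
    return blocks


def audit(cfg):
    """Return a list of (severity, message) findings for the config text."""
    findings, saw_ikev2 = [], False
    for header, body in parse_blocks(cfg):
        p = dict(item.partition(" ")[::2] for item in body)   # 'encr 3des' -> {'encr': '3des'}
        if header.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            saw_ikev2 |= header.startswith("crypto ikev2")
            encr = (p.get("encr") or p.get("encryption") or "").split()   # IKEv1 vs IKEv2 keyword
            weak = sorted(WEAK_ENCR.intersection(encr))
            if weak:
                findings.append(("high", f"{header}: {' '.join(weak)} encryption is deprecated"))
            if p.get("hash") in WEAK_HASH:
                findings.append(("high", f"{header}: {p['hash']} hash is weak"))
            if p.get("group") in WEAK_DH_GROUPS:
                findings.append(("medium", f"{header}: DH group {p['group']} is below 2048-bit"))
        elif header.startswith("crypto isakmp peer"):
            if any(item.startswith("set aggressive-mode") for item in body):
                findings.append(("high", f"{header}: IKEv1 aggressive mode with a PSK sends a "
                                         "crackable hash of the PSK in the clear"))
        elif header.startswith("crypto ipsec transform-set"):
            name, *algs = header.split()[3:]
            if "esp-null" in algs:
                findings.append(("info", f"transform-set {name}: esp-null, packets are "
                                         "integrity-protected but not encrypted"))
            if "esp-md5-hmac" in algs:
                findings.append(("medium", f"transform-set {name}: esp-md5-hmac; the vendor "
                                           "template uses esp-sha-hmac"))
    if not saw_ikev2:
        findings.append(("medium", "no IKEv2 proposal found; the vendor template is IKEv2 "
                                   "(aes-cbc-256 / sha1 / group 14)"))
    return findings


def worst(findings):
    """Collapse findings to the highest severity label ('none' if the list is empty)."""
    order = ["info", "medium", "high"]
    return max((s for s, _ in findings), key=order.index, default="none")


if __name__ == "__main__":
    for label, cfg in (("posted IKEv1 config", POSTED_CONFIG), ("vendor IKEv2 template", TEMPLATE_CONFIG)):
        result = audit(cfg)
        print(f"== {label}: worst = {worst(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Running it against the posted config yields three high findings (3DES, MD5 and aggressive mode) plus the group 2, esp-md5-hmac and missing-IKEv2 notes; the vendor template yields only the esp-null informational. The aggressive-mode point is the one worth fixing first regardless of the line-protocol problem: with main mode or IKEv2 the PSK-derived authentication data is not exposed to a passive observer on the WAN.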