Beginner

ZEN Tunnels up, line protocols down.

Hello,

There are three tunnels on the router, two ZEN and one DMVPN. The DMVPN is up/up, but the line protocol is down on the ZEN tunnels. I can ping the destinations of the tunnels from the source interface. The DMVPN tunnel uses the same source interface as well, so the problem is not with that. I've checked zScaler's website and there is no maintenance on these sites. It was working before, and there haven't been any config changes since then.

Can you give me any advice on what I should check / what debug command I can use?

Thank you.
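A check sequence for the symptom described above, added here as an editor's example and not taken from the thread. The interface names and peer address are the ones the original poster gives later in the thread (Tunnel10, GigabitEthernet0/0/1, peer 78.23.11.22). A tunnel in "tunnel mode ipsec ipv4" is a VTI: its line protocol comes up only once the IPsec SA with the peer is installed, so up/down means the IKE or IPsec negotiation with that peer is failing. The DMVPN tunnel is GRE, and a GRE tunnel's line protocol does not depend on an IPsec SA, so it being up/up from the same source interface does not show that IKE works from there. The commands walk from the interface down to the IKE exchange itself.

```ios
! 1. Interface state. up/down on a VTI means the IPsec SA is missing,
!    not that the transport is broken.
show interfaces Tunnel10

! 2. Crypto session towards the peer. UP-ACTIVE is healthy; DOWN-NEGOTIATING
!    means IKE is attempted but never completes; DOWN means it is not even tried.
show crypto session remote 78.23.11.22 detail

! 3. IKEv1 phase 1. A healthy SA shows QM_IDLE / ACTIVE. An SA that never leaves
!    MM_NO_STATE or AG_INIT_EXCH (aggressive mode) means phase 1 is failing:
!    no answer, proposal mismatch, wrong identity or wrong pre-shared key.
show crypto isakmp sa detail

! 4. IKEv1 phase 2. No inbound/outbound ESP SAs, or encaps counters climbing
!    while decaps stays at zero, points at the IPsec negotiation or the return path.
show crypto ipsec sa peer 78.23.11.22

! 5. The route to the peer must leave through the tunnel source interface,
!    never through the tunnel itself.
show ip route 78.23.11.22

! 6. Syslog already holds the negotiation failures; read those before debugging.
show logging | include CRYPTO|IKE

! 7. Watch one fresh negotiation. The condition line limits debug output to this
!    peer, which matters on a router that also carries a DMVPN cloud.
debug crypto condition peer ipv4 78.23.11.22
debug crypto isakmp
debug crypto ipsec
clear crypto session remote 78.23.11.22
! ... wait for the retry, read the output, then stop the debugs
undebug all

! 8. The IP SLA probe the tunnel tracking depends on, and the resulting track state.
show ip sla statistics 1
show track
```

With aggressive mode the router sends its identity (the user-fqdn configured under "crypto isakmp peer") in the clear in the first message, so a mismatch between that identity or its pre-shared key and the credential on the Zscaler side shows up in the "debug crypto isakmp" output as an authentication failure, while a proposal mismatch shows up before that, during the phase 1 attribute check.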

 

 

4 REPLIES
VIP Expert

Hello,

What equipment (ASA/IOS router) is this on? Post the config you have...


Hello @Georg Pauwen, it's a Cisco 4351 ISR.

interface Tunnel10
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output
 ip unnumbered GigabitEthernet0/0/1
 ip mtu 1400
 ip nbar protocol-discovery
 ip access-group ZS-IN_ACL in
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 78.23.11.22
 tunnel protection ipsec profile ZEN_IPSEC_PROFILE

Extended IP access list ZS-IN_ACL
   10 permit icmp any any echo-reply
   20 permit tcp any any established
   30 permit udp any 10.100.0.0 0.0.255.255

crypto ipsec profile ZEN_IPSEC_PROFILE
 set security-association lifetime seconds 28800
 set security-association idle-time 28800
 set transform-set ZEN_SET

crypto ipsec transform-set ZEN_SET esp-null esp-md5-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption


Hello,

This is a partial configuration; do you have the full configuration? I have pulled the IKEv2 configuration below from the zScaler website:

crypto ikev2 proposal <Proposal Name>
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy <Policy Name>
match fvrf any
proposal <Proposal Name>
!
crypto ikev2 keyring <Key Ring Name>
peer <Peer 1 Name>
address <Primary VPN IP Address>
pre-shared-key <Pre-Shared Key>
peer <Peer 2 Name>
address <Backup VPN IP Address>
pre-shared-key <Pre-Shared Key>
!
crypto ikev2 profile <IKEv2 Profile 1 Name>
match identity remote address <Primary VPN IP Address>
identity local email <FQDN>
authentication remote pre-share
authentication local pre-share
keyring local <Key Ring Name>
lifetime 86400
no config-exchange request
crypto ikev2 profile <IKEv2 Profile 2 Name>
match identity remote address <Backup VPN IP Address>
identity local email <FQDN>
authentication remote pre-share
authentication local pre-share
keyring local <Key Ring Name>
lifetime 86400
no config-exchange request
!
crypto ikev2 dpd 10 5 periodic
!
crypto ikev2 nat keepalive 20
!
crypto ipsec transform-set <Transform Set Name> esp-null esp-sha-hmac
mode tunnel
!
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile <IPSec Profile 1 Name>
set security-association lifetime seconds 28800
set security-policy limit 1
set transform-set <Transform Set Name>
set ikev2-profile <IKEv2 Profile 1 Name>
crypto ipsec profile <IPSec Profile 2 Name>
set security-association lifetime seconds 28800
set security-policy limit 1
set transform-set <Transform Set Name>
set ikev2-profile <IKEv2 Profile 2 Name>
!
interface <Primary Tunnel Interface>
ip unnumbered <WAN Interface>
ip mtu <MTU>
ip tcp adjust-mss 1360
tunnel source <WAN Interface>
tunnel mode ipsec ipv4
tunnel destination <Primary VPN IP Address>
tunnel protection ipsec profile <IPSec Profile 1 Name> ikev2-profile <IKEv2 Profile 1 Name>
interface <Backup Tunnel Interface>
ip unnumbered <WAN Interface>
ip mtu <MTU>
ip tcp adjust-mss 1360
tunnel source <WAN Interface>
tunnel mode ipsec ipv4
tunnel destination <Backup VPN IP Address>
tunnel protection ipsec profile <IPSec Profile 2 Name> ikev2-profile <IKEv2 Profile 2 Name>
!
access-list <ACL Number> permit ip any any
!
access-list <ACL Number> permit tcp any any eq 80
access-list <ACL Number> permit tcp any any eq 443
!
access-list <ACL Number> deny ip any <Exempted Server IP>
access-list <ACL Number> permit tcp any any eq 80
access-list <ACL Number> permit tcp any any eq 443
!
route-map <Route Map Name> permit 1
match ip address <ACL Number>
set interface <Primary Tunnel Interface> <Backup Tunnel Interface>
!
interface <WAN Interface>
description $ES_WAN$
ip address 10.96.19.244 255.255.255.0
ip access-group 100 in
ip access-group 100 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface <LAN Interface>
ip address 172.17.0.128 255.255.255.0
ip access-group 100 in
ip access-group 100 out
ip nat inside
ip virtual-reassembly in
ip policy route-map <Route Map Name>
!
track 1 ip sla 1 state
delay down 180 up 180
track 2 ip sla 2 state
delay down 180 up 180
ip route <Primary Global ZIA Public Service Edge IP Address> 255.255.255.255 <Primary Tunnel Interface> permanent
ip route <Backup Global ZIA Public Service Edge IP Address> 255.255.255.255 <Backup Tunnel Interface> permanent
ip sla 1
http raw http://<Primary Global ZIA Public Service Edge IP Address>:80
http-raw-request
GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 1 life forever start-time now
ip sla 2
http raw http://<Backup Global ZIA Public Service Edge IP Address>:80
http-raw-request
GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3


Hi,

Here is the config of the primary tunnel. If you need the secondary tunnel's config too, I can send it later; I just didn't want to rewrite that config as well.

crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp identity hostname
crypto isakmp keepalive 20 5 periodic
crypto isakmp nat keepalive 20
!
crypto isakmp peer address 78.23.11.22
 set aggressive-mode password PASSW
 set aggressive-mode client-endpoint user-fqdn r1@test.com
!
crypto ipsec transform-set ZEN_SET esp-null esp-md5-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile ZEN_IPSEC_PROFILE
 set security-association lifetime seconds 28800
 set security-association idle-time 28800
 set transform-set ZEN_SET
!
interface Tunnel10
 ip unnumbered GigabitEthernet0/0/1
 ip mtu 1400
 ip nbar protocol-discovery
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output
 ip access-group ZS-IN_ACL in
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 78.23.11.22
 tunnel protection ipsec profile ZEN_IPSEC_PROFILE
!
router eigrp 1
 redistribute static
 passive-interface Tunnel10
 no auto-summary
!
ip route 78.23.11.22 255.255.255.255 GigabitEthernet0/0/1
ip route 78.23.11.25 255.255.255.255 Tunnel10 permanent
!
ip access-list extended ZS-IN_ACL
 permit icmp any any echo-reply
 permit tcp any any established
 permit udp any 10.100.0.0 0.0.255.255
!
ip sla 1
 http raw http://78.23.11.25:443
 http-raw-request
  GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
  User-Agent: Cisco IP SLA\r\n
  end\r\n
  \r\n
  exit
 timeout 5000
ip sla schedule 1 life forever start-time now

ip sla reaction-configuration 1 react rtt threshold-value 5000 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 5000 1 threshold-type consecutive 3
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
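The IKEv2 template posted earlier in the thread, filled in with the values from the primary-tunnel configuration above so the two can be compared line by line. This is an added editor's example, not configuration from the thread or from Zscaler: the object names ZEN_IKEV2_PROPOSAL, ZEN_IKEV2_POLICY, ZEN_KEYRING, ZEN_PEER_1 and ZEN_IKEV2_PROFILE_1 are mine, PASSW is the thread's placeholder for the pre-shared key, and it assumes the Zscaler-side VPN credential stays the same FQDN and PSK that are used today (r1@test.com). The secondary tunnel is not in the thread; it would get the second keyring peer, IKEv2 profile and IPsec profile that the template shows. In security terms this retires IKEv1 aggressive mode with 3DES/MD5/group 2 (aggressive mode sends the identity in the clear and lets anyone who can capture the exchange run an offline dictionary attack against the pre-shared key; 3DES and MD5 are deprecated) in favour of IKEv2 with AES-256/SHA-1/group 14 as the template specifies, and swaps esp-md5-hmac for esp-sha-hmac. esp-null is kept because the template uses it: the tunnel authenticates traffic to Zscaler but does not encrypt it, so nothing should rely on this tunnel for confidentiality. The keepalive on the VTI is dropped as in the template; liveness comes from IKEv2 DPD, and the VTI line protocol already follows the IPsec SA. Routes, EIGRP, the ACL and the IP SLA tracking are unchanged and are not repeated.

```ios
! IKEv2 proposal and policy (replaces "crypto isakmp policy 2" with 3des/md5/group 2)
crypto ikev2 proposal ZEN_IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy ZEN_IKEV2_POLICY
 match fvrf any
 proposal ZEN_IKEV2_PROPOSAL
!
! Pre-shared key per peer (replaces "set aggressive-mode password" under crypto isakmp peer)
crypto ikev2 keyring ZEN_KEYRING
 peer ZEN_PEER_1
  address 78.23.11.22
  pre-shared-key PASSW
!
! The IKEv2 local identity carries what "set aggressive-mode client-endpoint user-fqdn" carried in IKEv1
crypto ikev2 profile ZEN_IKEV2_PROFILE_1
 match identity remote address 78.23.11.22
 identity local email r1@test.com
 authentication remote pre-share
 authentication local pre-share
 keyring local ZEN_KEYRING
 lifetime 86400
 no config-exchange request
!
! Dead peer detection and NAT keepalive (replaces crypto isakmp keepalive / nat keepalive)
crypto ikev2 dpd 10 5 periodic
crypto ikev2 nat keepalive 20
!
! Integrity only, as in the template; MD5 replaced by SHA
crypto ipsec transform-set ZEN_SET esp-null esp-sha-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile ZEN_IPSEC_PROFILE
 set security-association lifetime seconds 28800
 set security-policy limit 1
 set transform-set ZEN_SET
 set ikev2-profile ZEN_IKEV2_PROFILE_1
!
! VTI unchanged apart from the keepalive removal and the ikev2-profile binding
interface Tunnel10
 ip unnumbered GigabitEthernet0/0/1
 ip mtu 1400
 ip nbar protocol-discovery
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output
 ip access-group ZS-IN_ACL in
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 78.23.11.22
 tunnel protection ipsec profile ZEN_IPSEC_PROFILE ikev2-profile ZEN_IKEV2_PROFILE_1
```

After the change, "show crypto ikev2 sa" replaces "show crypto isakmp sa" for the phase 1 check, and "show crypto session remote 78.23.11.22 detail" still reports UP-ACTIVE once the IPsec SA is installed and the VTI line protocol comes up. Apply it to one tunnel at a time so the other ZEN tunnel keeps carrying traffic while the IKEv2 credential is verified on the Zscaler side.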