I tried that first and it did not work but I could ping and telnet from one router to the other.  It is not related to teh crypto it is something with GRE, but thank you.  Any other ideas?

Hello

"I could ping and telnet from one router to the other."

Just to confirm you have connectivity between src/dest address on either rtr and when you try to create a gre tunnel is dosnt establish?

ping x.x.x.x(dest ip) source y.y.y.y (scr ip)

1) Can you delete tunnel
2) debug tunnel
3) create tunnel

Post out from debug


res
Paul

First let me offer a clarification - with this in the configuration we are not really dealing with a GRE tunnel

tunnel mode ipsec ipv4

 tunnel protection ipsec profile tunnel11

This is really Virtual Tunnel Interface which is very much like GRE but does have some differences. I have done VTI a number of times. One thing I have learned is that if there is some issue with the crypto negotiation that one tunnel, or perhaps both tunnels will be in the UP/Down state. So far we do not have enough information about the configuration of crypto and the outside interfaces to be able to identify the problem. But my guess is that the problem is more about crypto than it is about tunnel.

HTH

Rick

Rick

I agree with you but even without the crypto the tunnel fails to come up but what is even stranger is the crypto tunnel does establish for example (sh crypto isakmp sa) states the IPSEC tunnel is up but the tunnel interface is up/down.  

If the tunnel fails to come up even when you remove the crypto that is interesting and may deserve investigation. Seeing the configuration of the physical interfaces and the complete routing logic would be a good place to start that investigation.

With crypto applied, as is described in the original post, we need to look at both the ISAKMP and IPSec negotiation and we need to look at both ends of the tunnel.

HTH

Rick

tunnel fails to come up but crypto session is QA_IDLE and stable 

no idea why but I removed the entire tunnel config form one rouer inclusive of the crypto, put it back in and now it works.  very strange. 

Hello

Glad to hear that - However strange removing the tunnel entirely and re-adding it solved the issue?

Thanks for letting the forum know for futrue referance

res
Paul

Hello Richard

Fyi - My suggestion was to test.a Gre tunnel without any ipsec

it seems now by simons post he left the VTI IPSec configuration applied 

The main reason for me requesting this test was to exclude IPSec and if the tunnel established as we now know it did the we could proceed in TS a possible IPSec issue

res

paul

I did the test w/o the crypto map and the GRE tunnel worked once I removed and added the tunnel interfaces back to the router config.  I was able to Ping across the tunnel.  

When I add teh crypto back to the tunnel is goen into up.down, but the crypto tunnel is active 

dst src state conn-id status
x.x.x.x   y.y.y.y QM_IDLE 2040 ACTIVE

It is very interesting that when configured as just GRE with no crypto that the tunnel works and when crypto is added it goes to UP/DOWN. That pretty clearly says that there is some issue with crypto. If the ISAKMP negotiation is successful then it sounds like it is an issue with the phase 2 IPSec negotiation. Can you provide the crypto configuration? It would also help if you post the address translation that is configured.

HTH

Rick

got further the tunnel came up w/o the crypto config but fails with the crypto config.  the Crypto tunnel is QM-IDLE