
Tunnel interface IP advertised into EIGRP

mahesh18
Level 6

Hi Everyone,

Need to understand the setup here.

There are 2 sites connected via an IPSEC tunnel over a WAN link.

Site A

Switch A

ASA   A

Switch A has Tunnel1 configured and the tunnel's destination has a static route pointing to ASA A.

Tunnel1 Interface IP is advertised into EIGRP.

Switch A has no EIGRP neighbours.

Sh EIGRP int shows

Tunnel1 interface only

Site B has following devices.

Switch B

ASA B

Here tunnel traffic is going via IPSEC through the ASA and it goes via the WAN link.

I read this about building GRE tunnels: the tunnel source and destination should always be learned outside the tunnel and not from inside the tunnel.

Need to know the reason for advertising the tunnel interface IP into EIGRP?

Thanks

Mahesh


Mahesh

Let me suggest these as some answers to parts of your questions:

- when configuring GRE tunnels the router must know how to reach the tunnel end point. This may be done by dynamic routing but is frequently done by static routing (which avoids potential problems with recursive routing). In your case the router has static routes to the tunnel end point, and that route points to the ASA. This makes sense since the router only knows that if it sends packets to the ASA that the data will get to the remote site (the router does not have routes that go all the way to the remote and only knows that the ASA will get it there).

- the ASA does not participate in the GRE tunnel, which is between the site A router and the site B router. The ASA does know about GRE traffic and can report that in its show connection all.

- I am not sure if I am reading too much into what you are saying but if show conn all does show it and show conn does not show it then I assume that the all parameter is being more inclusive than just show conn.

One other comment is that I am not sure that the tunnel is really being used. I say that based on the fact that as far as we can tell EIGRP is not working on the tunnel (since you say that site B is not running EIGRP) and that the content of the routing table which is in an earlier post does not have any route with the tunnel remote side address as the next hop. So I do not see anything in what you have shown us that will send traffic through the tunnel.

HTH

Rick


Hi Rick,

The tunnel is being used, as the tunnel interface is up/up at both ends.

When I do sh conn all | inc GRE on the ASA, it shows bytes incrementing rapidly, so to me it seems the tunnel is used. Also users did not complain, so I believe that the tunnel is used. Let me know if I missed something on this.

Maybe there is some other reason for advertising the tunnel interface IP into EIGRP, as I do not know everything about the current environment. Trying to learn myself.

Currently it seems the tunnel interface and destination IP have a static route to the ASA as next hop and GRE is passing through the tunnel.

But when I do sh conn all | inc Tunnel interface IP on the ASA it does not show anything; maybe this is default behaviour.

I am really thankful to you for replying to all my posts. Sorry, maybe I was not that clear earlier in asking the questions.

Best regards

Mahesh

Mahesh

Based on what you have posted in this thread it appears to me that the tunnel is not really being used. But what has been posted is not a complete configuration or activity of the router/switch. So there may be other things in the configuration that are directing traffic over the tunnel. And there may be other reasons to advertise the tunnel interface in EIGRP.

As long as users are not complaining that is a good thing and probably means that we do not need to be further concerned about the tunnel.

I have a question about this in your post:

But when i do sh conn all | inc Tunnel interface IP on ASA  it does not show anything

When you talk about the Tunnel interface IP are you talking about 10.23.254.14? I would not expect that the ASA would see any traffic with a source or destination address of 10.23.254.14. When a GRE packet goes through the ASA the source address is not 10.23.254.14 (tunnel IP) but is 10.23.16.4 (loopback IP and tunnel source address).

HTH

Rick
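
Added example, not part of the thread: the reply above, shown by building a GRE packet and reading it the way the ASA does (outer header only) and the way the far tunnel endpoint does (after decapsulation). The two 10.23.x.x addresses are from the thread; the tunnel destination 192.0.2.1, the inner EIGRP hello header and all function names are constructed for illustration.

```python
import socket
import struct

GRE_PROTO = 47      # IP protocol number for GRE
EIGRP_PROTO = 88    # IP protocol number for EIGRP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; not needed for parsing)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner_packet, tunnel_source, tunnel_destination):
    """Basic GRE header (RFC 2784): flags/version 0, protocol type 0x0800 = IPv4."""
    gre = struct.pack("!HH", 0, 0x0800) + inner_packet
    return ipv4_header(tunnel_source, tunnel_destination, GRE_PROTO, len(gre)) + gre

def parse_ipv4(packet):
    """Return (src, dst, proto, payload) from an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[9], packet[ihl:]

def firewall_view(packet):
    """What a device in the path keys its connection entry on: outer header only."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src, dst, proto

def tunnel_endpoint_view(packet):
    """What the far GRE endpoint sees after removing the outer IP and GRE headers."""
    _, _, proto, payload = parse_ipv4(packet)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ethertype = struct.unpack("!HH", payload[:4])
    if flags != 0 or ethertype != 0x0800:
        raise ValueError("only basic GRE carrying IPv4 is handled here")
    src, dst, inner_proto, _ = parse_ipv4(payload[4:])
    return src, dst, inner_proto

TUNNEL_IP = "10.23.254.14"      # Tunnel1 interface IP (from the thread)
TUNNEL_SOURCE = "10.23.16.4"    # loopback / tunnel source (from the thread)
TUNNEL_DEST = "192.0.2.1"       # constructed placeholder; not given in the thread

# Constructed inner packet: header of an EIGRP hello from the tunnel IP to 224.0.0.10
inner = ipv4_header(TUNNEL_IP, "224.0.0.10", EIGRP_PROTO, 0)
on_the_wire = gre_encapsulate(inner, TUNNEL_SOURCE, TUNNEL_DEST)

if __name__ == "__main__":
    print("ASA sees:       ", firewall_view(on_the_wire))
    print("Site B endpoint:", tunnel_endpoint_view(on_the_wire))
```

The firewall view contains only the tunnel source and destination with protocol 47, which is why filtering the connection table on GRE matches and filtering on 10.23.254.14 does not.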


Hi Rick,

I agree that EIGRP is used for something else which I do not know as of now.

When I talk about the tunnel interface IP I mean IP 10.23.254.14.

Thanks a lot for confirming that the ASA will not see any traffic with the tunnel interface IP.

This thing was bothering me for the last few days as I am trying to learn the new environment.

Many thanks again for replying back.

Best Regards

Mahesh

Mahesh

You are very welcome. I am glad that we have arrived at a point where your questions on this topic are satisfied. It is always a pleasure to answer questions that you have submitted.

HTH

Rick


Hi Rick,

I am fully satisfied now thanks to your answers.

Regards

Mahesh

Hi Bilal,

Many thanks for trying and implementing this in lab.

Regards

Mahesh