Tunnel interface IP advertised into EIGRP

mahesh18, Level 6

Hi Everyone,

I need to understand the setup here.

There are 2 sites connected via an IPSEC tunnel over a WAN link.

Site A

Switch A

ASA A

Switch A has Tunnel1 configured, and the tunnel destination has a static route pointing to ASA A.

The Tunnel1 interface IP is advertised into EIGRP.

Switch A has no EIGRP neighbours.

Sh EIGRP int shows the Tunnel1 interface only.

Site B has the following devices.

Switch B

ASA B

Here the tunnel traffic is going via IPSEC through the ASA and it goes via the WAN link.

I read this while building GRE tunnels: the tunnel source and destination should always be learned outside the tunnel and not from inside the tunnel.

I need to know the reason for advertising the tunnel interface IP into EIGRP?

Thanks

Mahesh

Accepted Solutions
Mahesh

Let me suggest these as some answers to parts of your questions:

- when configuring GRE tunnels the router must know how to reach the tunnel end point. This may be done by dynamic routing but is frequently done by static routing (which avoids potential problems with recursive routing). In your case the router has static routes to the tunnel end point, and that route points to the ASA. This makes sense since the router only knows that if it sends packets to the ASA that the data will get to the remote site (the router does not have routes that go all the way to the remote and only knows that the ASA will get it there).

- the ASA does not participate in the GRE tunnel, which is between the site A router and the site B router. The ASA does know about GRE traffic and can report that in its show connection all.

- I am not sure if I am reading too much into what you are saying but if show conn all does show it and show conn does not show it then I assume that the all parameter is being more inclusive than just show conn.

One other comment is that I am not sure that the tunnel is really being used. I say that based on the fact that as far as we can tell EIGRP is not working on the tunnel (since you say that site B is not running EIGRP) and that the content of the routing table which is in an earlier post does not have any route with the tunnel remote side address as the next hop. So I do not see anything in what you have shown us that will send traffic through the tunnel.

HTH

Rick


Mahesh

Based on what you have posted in this thread it appears to me that the tunnel is not really being used. But what has been posted is not a complete configuration or activity of the router/switch. So there may be other things in the configuration that are directing traffic over the tunnel. And there may be other reasons to advertise the tunnel interface in EIGRP.

As long as users are not complaining that is a good thing and probably means that we do not need to be further concerned about the tunnel.

I have a question about this in your post:

But when I do sh conn all | inc Tunnel interface IP on the ASA it does not show anything

When you talk about the Tunnel interface IP are you talking about 10.23.254.14? I would not expect that the ASA would see any traffic with a source or destination address of 10.23.254.14. When a GRE packet goes through the ASA the source address is not 10.23.254.14 (tunnel IP) but is 10.23.16.4 (loopback IP and tunnel source address).

HTH

Rick


21 Replies

Richard Burts, Hall of Fame

Mahesh

I do not understand your description of the environment. But I think I do understand your question. So let me suggest this as an answer. It does create a problem if the tunnel destination address is advertised via EIGRP through the tunnel. So the fact that the switch has a static route for the destination prevents this problem. (Remember that a static route is preferred over an EIGRP route for the same destination.)

I have configured several customers with hub and spoke networks with GRE tunnels connecting the spoke to the hub. I usually run EIGRP over the tunnel so that the hub will dynamically learn the routes from the hub. And I always configure static routes for the tunnel destination so that it is not learned via EIGRP.

HTH

Rick

Sent from Cisco Technical Support iPad App


Hi Rick,

All the tunnel traffic is going via the ASA, which has no routing, only static routes to the destination of the tunnel.

So I need to know, when we advertise the tunnel interface IP into EIGRP, where this traffic is flowing, i.e. I need to know the traffic path of EIGRP?

Does the tunnel interface IP also need to be reachable across the WAN?

Is there any way I can find it?

Thanks

Mahesh

Hello Mahesh,

Normally, the tunnel source and destination are the OUTSIDE interfaces of the devices, towards the respective destinations.

All that is required is routes towards the destination. We just need to know how to get to the other side right?

As long as the ASA's know of the routes you just need to specify a topology like this:

This is only to cater for creating the tunnel.

If we had a LAN that is off of the switches, it would make sense to advertise the LAN or similar sorts to the other side. The ASA would have no idea of this traffic, since it would be going via the tunnel. Only the endpoints (switches) would know of this.

This way, both the INSIDE networks now know how to get to each other via Tunnel interfaces. This can also be done via static routing too.

But it does not make sense that you have no neighbors - this I assume, means that EIGRP is not benefiting you in any way at the moment.

If you have no neighbors then what is the use of it? Do a show ip route, do you see any EIGRP learned routes? If not, then it must all be working with static routing by the sounds of it.

Perhaps show us the show ip route output of each side and the running config of the tunnel interfaces please.

I hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Hello Mahesh18

You can advertise networks in EIGRP with an EIGRP neighbor relationship based on the tunnel IP address?

This is possible and I have seen it used regularly with other IGPs also. The one caution is that you need to make sure of recursive routing, which is when the tunnel src/dest addresses are learnt via the tunnel itself. I think it's possible this is what you have read about.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

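The recursive-routing condition Rick and Paul describe above can be checked mechanically: resolve the tunnel destination through the routing table and see whether it egresses the tunnel interface itself. The script below is an added example, not from the thread; the sample config and routing table are constructed from the SwitchB output posted later in this thread (the EIGRP-learned route in the failure case is made up), and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: SwitchB's Tunnel1 as posted in the thread.
TUNNEL_CONFIG = """\
interface Tunnel1
 ip address 192.168.1.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 99.0.0.1
"""

# Constructed sample: SwitchB's table as posted; the tunnel destination has a
# static route via the ASA (2.2.2.1), so it is learned outside the tunnel.
ROUTES_STATIC = """\
     2.0.0.0/30 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/0
     99.0.0.0/32 is subnetted, 1 subnets
S       99.0.0.1 [1/0] via 2.2.2.1
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 2.2.2.1
"""

# Constructed failure case: no static route, so the tunnel destination is an
# EIGRP route learned through the tunnel itself (recursive routing).
ROUTES_RECURSIVE = ROUTES_STATIC.replace(
    "S       99.0.0.1 [1/0] via 2.2.2.1",
    "D       99.0.0.1 [90/297270016] via 192.168.1.1, 00:00:12, Tunnel1")

SUBNETTED_RE = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")
ROUTE_RE = re.compile(r"^([A-Z]\*?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(.*)$")
CONNECTED_RE = re.compile(r"is directly connected, (\S+)")
VIA_RE = re.compile(r"via (\d+\.\d+\.\d+\.\d+)(?:.*,\s*([A-Za-z][\w/.-]*))?\s*$")


def parse_show_ip_route(text):
    """Parse classic IOS 'show ip route' into (code, network, next_hop, interface)
    tuples. The '<major>/<len> is subnetted' lines supply the mask for the
    routes listed under them, which carry no mask of their own."""
    routes, plen = [], None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            plen = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code, prefix, length, rest = m.groups()
        length = int(length) if length else plen
        if length is None:
            continue
        net = ipaddress.ip_network(f"{prefix}/{length}", strict=False)
        c = CONNECTED_RE.search(rest)
        v = VIA_RE.search(rest)
        if c:
            routes.append((code, net, None, c.group(1)))
        elif v:
            routes.append((code, net, ipaddress.ip_address(v.group(1)), v.group(2)))
    return routes


def lookup(routes, dest):
    """Longest-prefix match for one destination address."""
    hits = [r for r in routes if dest in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen) if hits else None


def egress_interface(routes, dest, max_depth=8):
    """Follow next hops until a route names an outgoing interface.
    Returns (interface or None, first route used)."""
    dest, first = ipaddress.ip_address(dest), None
    for _ in range(max_depth):
        r = lookup(routes, dest)
        if r is None:
            break
        first = first or r
        if r[3] is not None:
            return r[3], first
        dest = r[2]
    return None, first


def check_tunnel(tunnel_config, route_text):
    """Recursive-routing check: does the tunnel destination resolve out of the
    tunnel interface itself? Also report how the route was learned (S vs D);
    a static route (AD 1) beats an EIGRP route (AD 90) for the same prefix."""
    name = re.search(r"^interface (Tunnel\d+)", tunnel_config, re.M).group(1)
    dest = re.search(r"^\s*tunnel destination (\S+)", tunnel_config, re.M).group(1)
    iface, route = egress_interface(parse_show_ip_route(route_text), dest)
    status = "unreachable" if iface is None else "recursive" if iface == name else "ok"
    return {"status": status, "egress": iface, "learned_by": route[0] if route else None}


if __name__ == "__main__":
    print(check_tunnel(TUNNEL_CONFIG, ROUTES_STATIC))     # ok via FastEthernet0/0
    print(check_tunnel(TUNNEL_CONFIG, ROUTES_RECURSIVE))  # recursive via Tunnel1
```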

Mahesh

Usually your questions are clear and easy to understand. But I am having difficulty understanding this one. In part of your post you talk about IPSec tunnel and in part you talk about GRE tunnel. Am I correct in understanding that the tunnel you are talking about is a GRE tunnel with a crypto map to use IPSec to encrypt the tunnel?

Also your post talks about ASA. But as far as I know the ASA does not support GRE tunnels. So are the tunnels from switch to switch and pass through the ASA? Please clarify which device is doing the tunnels and doing EIGRP.

In general the reason to have an EIGRP network statement for the tunnel interface is to enable running EIGRP through the tunnel. This is very similar to what you do if you have a point to point serial link. You would put a network statement which matches the serial interface. This does advertise the subnet of the serial but it also enables EIGRP to run over the tunnel.

In your case it sounds like it was intended to run EIGRP through the tunnel so that each site would learn routes from the other site. But it sounds like it is not working. If there are no EIGRP neighbors then you are not learning any EIGRP routes. You tell us that site A is configured with EIGRP on the tunnel. Is it possible that site B is not configured with EIGRP on the tunnel?

I am not sure how much this will help you. If you still have questions about it please clarify what is the issue and what is the topology of the network.

HTH

Rick


Hi Rick,

Let me explain more, as currently I am also trying to understand the environment here.

Yes, the switches at each side have the config of the GRE tunnel only, and they pass through the ASA.

The ASA has an IPSEC tunnel and this IPSEC tunnel carries the GRE tunnel inside it.

Tunnels are switch to switch at each side.

The switch is doing the tunnel and EIGRP.

When on the ASA I do sh conn all GRE it shows me the GRE connection going via the ASA.

It shows an entry for the tunnel source and destination.

Currently everything is working fine, but I am trying to understand this environment.

As the ASA has static routing only, I need to know if EIGRP routes of the tunnel interface can go via the IPSEC tunnel of the ASA?

Also I need to confirm that for this tunnel to work, EIGRP routes of the tunnel interface at site A should reach site B, right?

If Site B is not learning EIGRP routes from Site A via the ASA, can it be possible it is learning those routes over some other WAN link?

Site B -- Switch B is not running EIGRP.

To reach the GRE tunnel destination it points to the ASA as next hop, same as the Site A setup.

Hope my questions make sense.

Thanks

Mahesh

Hello Mahesh, There are three things here if I understood correctly:

  1. Physical interfaces from switch to ASA.
  2. Tunnel interface (GRE) from switch to switch.
  3. Between your ASAs you have an IPSEC VPN.

So I'll attempt answering your questions.

"As the ASA has static routing only, I need to know if EIGRP routes of the tunnel interface can go via the IPSEC tunnel of the ASA?"

The answer is yes, between the switches ONLY, within the GRE tunnel, NOT the IPSEC VPN; the IPSEC is only providing a secure transport mechanism. Since there is a GRE tunnel from switch to switch, the ASA will not participate in any of these activities, since it's within the tunnel itself that is between the switches only. The ASA does not intercept within this GRE tunnel and inject any kind of routing protocol participation, even though it is running within the IPSEC VPN.

"Also I need to confirm that for this tunnel to work, EIGRP routes of the tunnel interface at site A should reach site B, right?"

You do not need EIGRP routes for the tunnel interface to reach side B. You can use static routing, as long as the tunnel sources and destinations know how to get to each other. Please look at my example I posted above! I achieved setting up a GRE tunnel ONLY with static routing. No EIGRP required.

But if you wanted to use EIGRP you would do this between them.

EIGRP neighbour and flow would be like this:

Starting from Site A

EIGRP from Switch A to ASA

then from ASA to ASA site B

ASA to Switch B

"If Site B is not learning EIGRP routes from Site A via the ASA, can it be possible it is learning those routes over some other WAN link?"

No, not necessarily. It can be static routing towards the ASA or via the ASA. But it might be that it could be going out some other WAN link. I highly doubt it since you are able to see the GRE traffic through the ASAs.

Which was the reason why I asked you if you could kindly post the config of the tunnel interface and a copy of show ip route.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Hi Bilal,

Thanks for answering the questions.

Here is the output

interface Tunnel1

So there is static route to tunnel destination towards the ASA.

Thanks

Mahesh

Message was edited by: mahesh parmar

Hello, thank you for posting the output. This confirms that on this side, we are only using static routes to achieve the GRE tunnel.

Do you have any other questions with regards to this?

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

So the tunnel interface IP and the tunnel source have a static route to the same IP, right?

Is this correct behaviour?

On the ASA, when I did sh conn | inc tunnel interface IP it does not show any connections; is this right?

The subnet 10 that is advertised into EIGRP then has no link with the traffic flow of the GRE, right?

Thanks

Mahesh

Hello Mahesh, I didn't quite understand the questions in your post.

It does not seem like EIGRP is active or being used at the moment. So let's just forget about EIGRP at the moment.

interface Tunnel1
bandwidth 9
ip address 10.23.254.14 255.255.255.252
delay 50000
tunnel source Loopback1
tunnel destination 10.23.16.4

interface Loopback1
ip address 10.24.31.4 255.255.255.255

Gateway of last resort is 172.31.110.19 to network 0.0.0.0
S       10.23.16.4/32 [1/0] via 172.31.110.19

This switch has a static route. On the tunnel 1 interface, the destination is 10.23.16.4, you have correctly defined a static route towards the tunnel destination, and it is going towards your ASA. As long as there is end to end connectivity the GRE tunnel should be 'up'.

I have set this up only with static routes. I haven't got an ASA but I just wanted to demonstrate what i am trying to explain.

I have created a VPN between both "ASAs" and a GRE tunnel between both of the switches only using static routing. Attached is the config. You only need a static route and tell the router how to get to the tunnel destination.

The GRE tunnel is the 192.168.1.X network

VPN between the ASA's is on 100.0.0.X network

SwitchA's tunnel source Lo1 is 99.0.0.1

SwitchB's tunnel source Lo1 is 11.0.0.1

ASA_SITEA#show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 100.0.0.2 port 500
  IKE SA: local 100.0.0.1/500 remote 100.0.0.2/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

ASA_SITEB#show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 100.0.0.1 port 500
  IKE SA: local 100.0.0.2/500 remote 100.0.0.1/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

This is the IPSEC VPN between the ASAs.

The GRE running within the IPSEC VPN from SWITCHA to SWITCHB is up and I am able to ping both sides:

SITEB_SWITCHB#show run int t1
Building configuration...

Current configuration : 119 bytes
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 99.0.0.1
end

SITEB_SWITCHB#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/72 ms

SITEB_SWITCHB#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 2.2.2.1 to network 0.0.0.0

     2.0.0.0/30 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/0
     99.0.0.0/32 is subnetted, 1 subnets
S       99.0.0.1 [1/0] via 2.2.2.1
     11.0.0.0/32 is subnetted, 1 subnets
C       11.0.0.1 is directly connected, Loopback0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 2.2.2.1
SITEB_SWITCHB#

Here you can see that only with the use of static routing I have been able to achieve a VPN between the ASAs and a GRE tunnel between the switches.

With EIGRP or any other routing protocol we can achieve the same thing; the benefit I can see with using a routing protocol is that any LAN networks off of the switches will automatically be advertised LAN to LAN.

You can enable EIGRP within the GRE tunnel - it will be better to do this in my opinion

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Mahesh

I would like to come at this discussion from a slightly different direction.

It is quite possible to run EIGRP over a GRE tunnel. It is not possible to run EIGRP over a purely IPSec "tunnel". (I enclose tunnel in quotes here to acknowledge that while we frequently speak of IPSec tunnels that in fact there is no tunnel interface associated with IPSec.) The important difference here is the ability to support multicast traffic. GRE does support sending multicast through the tunnel. But IPSec is for unicast traffic and therefore can not send EIGRP.

So in your original post site A is running EIGRP through the GRE tunnel, and the GRE tunnel goes through the ASA and the ASA is running an IPSec connection to site B. The ASA does not know anything about EIGRP because that is encapsulated in the GRE tunnel. The ASA does know about GRE but not about what is carried inside the GRE tunnel.

Even though site A has configured EIGRP it is not working. The reason it is not working is that site B has not configured EIGRP. Since there is no EIGRP neighbor the router is not sending any routing updates and is not receiving any routing updates. The router is sending EIGRP hello messages but no routing updates.

Since EIGRP is not learning any routes then both sites must depend on static routes. I would suggest that either site A should remove EIGRP from the tunnel configuration or that site B should add EIGRP to the tunnel configuration.

HTH

Rick

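The layering Rick describes here (and his earlier point that the ASA sees the tunnel source address, not the tunnel interface IP) can be made concrete by building the packet. Added example, not from the thread: it constructs a minimal EIGRP hello from SwitchA's Tunnel1 address to 224.0.0.10, wraps it in GRE between the lab loopbacks 99.0.0.1 and 11.0.0.1 posted above, and shows what a transit device can match on versus what the tunnel endpoint decapsulates. The AS number and the TLV-less hello are constructed simplifications; no packets are sent.

```python
import ipaddress
import struct

IPPROTO_GRE, IPPROTO_EIGRP = 47, 88
ETHERTYPE_IPV4 = 0x0800
EIGRP_MCAST = "224.0.0.10"   # all EIGRP routers; hellos are sent here


def ones_complement_sum(data):
    """RFC 1071 checksum used by both the IPv4 and the EIGRP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def eigrp_hello(asn):
    """EIGRP fixed header only (version 2, opcode 5 = Hello). A real hello also
    carries parameter TLVs; they are omitted to keep the focus on the layering."""
    hdr = struct.pack("!BBHIIIHH", 2, 5, 0, 0, 0, 0, 0, asn)
    return hdr[:2] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[4:]


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """Wrap an IPv4 packet in GRE (RFC 1701/1702, no checksum/key/sequence) plus a
    unicast outer IPv4 header between the tunnel source and destination."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9],
            "payload": pkt[ihl:]}


def outer_view(pkt):
    """What a transit device such as the ASA can match on: only the outer header."""
    o = parse_ipv4(pkt)
    return {"src": o["src"], "dst": o["dst"], "proto": o["proto"],
            "multicast": ipaddress.IPv4Address(o["dst"]).is_multicast}


def inner_view(pkt):
    """What the tunnel endpoint sees after removing the outer IP and GRE headers."""
    o = parse_ipv4(pkt)
    if o["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    _flags, ethertype = struct.unpack("!HH", o["payload"][:4])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type")
    i = parse_ipv4(o["payload"][4:])
    view = {"src": i["src"], "dst": i["dst"], "proto": i["proto"],
            "multicast": ipaddress.IPv4Address(i["dst"]).is_multicast}
    if i["proto"] == IPPROTO_EIGRP:
        view["eigrp_opcode"] = i["payload"][1]
    return view


def build_tunneled_hello(tunnel_src="99.0.0.1", tunnel_dst="11.0.0.1",
                         tunnel_if_ip="192.168.1.1", asn=100):
    """SwitchA's EIGRP hello, sourced from its Tunnel1 address, as it travels
    between the loopback tunnel endpoints. Addresses are the thread's lab values;
    the AS number is a constructed placeholder."""
    inner = ipv4_header(tunnel_if_ip, EIGRP_MCAST, IPPROTO_EIGRP, 20, ttl=1) + eigrp_hello(asn)
    return gre_encapsulate(tunnel_src, tunnel_dst, inner)


if __name__ == "__main__":
    pkt = build_tunneled_hello()
    print("transit device sees:", outer_view(pkt))  # unicast 99.0.0.1 -> 11.0.0.1, proto 47
    print("tunnel endpoint sees:", inner_view(pkt))  # 192.168.1.1 -> 224.0.0.10, proto 88
```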

Hi Rick,

Thanks for your further explanation on this.

One last thing to confirm on this is that the tunnel interface also has a static route to the ASA.

When I do sh conn all | inc GRE it shows the GRE tunnel and destination IP.

When I do sh conn it does not show the tunnel interface connection; is this because this IP is encapsulated inside the GRE tunnel?

Regards

Mahesh

Hello Mahesh, the ASA doesn't do GRE tunnels; the static routes are there only because the ASA knows how to get to a particular destination.

GRE (Generic Routing Encapsulation) or IP tunneling (IP encapsulation)  is a technique that encapsulates IP datagrams within IP datagrams. GRE is a technique that allows datagrams to be encapsulated into IP packets and then redirected to an intermediate host. At this intermediate destination, the datagrams are decapsulated and then routed to the next leg. In doing so, the trip to the intermediate host appears to the inner datagrams as one hop.   The general outline of GRE can be found in RFC 1701 and RFC 1702.

I am not able to comment on why show conn doesn't show the GRE but the sh conn all | inc GRE command does. Not sure. Perhaps show conn only shows active connections to the ASA rather than through it?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
