Issue with Gre Ipsec tunnel

Hi,

I have an issue with a GRE tunnel. I have two ISPs; when I switch to the ISP which is the source of the tunnel I get:

Tunnel10 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.5.0.102/30
  MTU 17886 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - no output interface
  Tunnel source XXX, destination XXX
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1446 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC_PROF_DEB2")
  Last input 3d08h, output 3d08h, output hang never
  Last clearing of "show interface" counters 3d08h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 826
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2765 packets input, 367284 bytes, 0 no buffer
     Received 0 broadcasts (504 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5565 packets output, 1034612 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
 
When I switch to the second ISP, the tunnel interface is up. What is the reason for this behavior?
 
Thanks in advance

 


michael o'nan
Level 4

Post your config and someone should be able to tell you.

!
track 100 list boolean or
 object 101
 object 102
 object 103
!
track 101 ip sla 101 reachability
 delay down 10 up 10
!
track 102 ip sla 102 reachability
 delay down 10 up 10
!
track 103 ip sla 103 reachability
 delay down 10 up 10
!
!
interface Tunnel5
 ip address 10.5.0.38 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel source isp01
 tunnel destination XXX
!
interface Tunnel10
 ip address 10.5.0.102 255.255.255.252
 tunnel source isp02
 tunnel mode ipsec ipv4
 tunnel destination XXX
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description isp02
 ip address 
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description isp01-main
 ip address 
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!

ip sla auto discovery
ip sla 101
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 frequency 20
ip sla schedule 101 life forever start-time now
ip sla 102
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
 frequency 20
ip sla schedule 102 life forever start-time now
ip sla 103
 icmp-echo 212.77.100.101 source-interface GigabitEthernet0/1
 frequency 20
ip sla schedule 103 life forever start-time now
!
route-map ISP02 permit 10
 match ip address NAT
 match interface GigabitEthernet0/0
!
route-map ISP01 permit 10
 match ip address NAT
 match interface GigabitEthernet0/1
!
route-map LOCAL_TRAFFIC permit 10
 match ip address 101
 set ip next-hop isp01-gateway
 set interface GigabitEthernet0/1
!

 

When IP SLA switches to isp02, interface Tunnel10 has line protocol down. One more thing which is strange: Tunnel linestate evaluation down - no output interface. ISP02 is working correctly.

Hey,

 

Can you please remove IP SLA, make ISP2 manually down/shutdown and check what the status of the tunnel on ISP1 is? This tunnel should come up; otherwise there is some issue with the configuration.

 

 

Potha

There are inconsistencies in the configuration of the tunnels, and those differences may explain the different behavior. Tunnel 10 includes this command: "tunnel mode ipsec ipv4". In this mode you are specifying that you want to use IPsec to encrypt the traffic, and in this mode the tunnel line protocol is dependent upon successful negotiation of IPsec Security Associations. But since the tunnel does not specify the tunnel protection profile, I suspect that it cannot negotiate the SA.

 

On the other hand, Tunnel 5 does not specify IPsec. It is configured as a normal GRE tunnel, and a normal GRE tunnel will have line protocol up as long as the router has a valid route to the tunnel destination.

 

It is not clear to me whether these inconsistencies are intentional. But I believe that they do explain the different behavior that you observe.

 

HTH

 

Rick
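As an added illustration of the distinction Rick draws (this is not configuration from the thread or from the poster's router): a plain GRE tunnel next to an IPsec-mode tunnel that actually carries a protection profile. The peer addresses, the pre-shared key and the names IPSEC_PROF and TS_AES are placeholders chosen for the example; the poster's real profile name is only visible in the show output at the top of the thread.

```cisco
! Plain GRE tunnel: line protocol follows only the route to the destination.
! A keepalive (added here) makes it drop when the peer stops answering instead
! of staying up as long as any route to the destination exists.
interface Tunnel5
 ip address 10.5.0.38 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination <PEER-A-PLACEHOLDER>
 keepalive 10 3
!
! IPsec VTI: line protocol additionally requires a negotiated IPsec SA,
! so the tunnel needs a protection profile and the crypto it refers to.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address <PEER-B-PLACEHOLDER>
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROF
 set transform-set TS_AES
!
interface Tunnel10
 ip address 10.5.0.102 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination <PEER-B-PLACEHOLDER>
 tunnel protection ipsec profile IPSEC_PROF
```

Two checks go with the two cases: "show ip route <destination>" confirms the router has an outgoing interface toward the tunnel destination (the "no output interface" linestate reason in the original show output is literally the absence of such a route via the chosen tunnel source), and "show crypto ipsec sa" confirms that the IPsec-mode tunnel has actually negotiated an SA with that peer.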

Thank you for the answer.

Tunnel 10 is working; I removed the IPsec profiles for simplicity.

 

I know that Tunnel5 is without IPsec and it should be up when the route is valid. Routing is OK, I can ping the other side. When I shut/no shut the Tunnel5 interface it is up for a while and I can ping the tunnel interface from the remote site. After about 10 sec: Tunnel linestate evaluation down - no output interface.

Regards

Pawel