10-11-2014 11:01 PM - edited 02-21-2020 07:52 PM
Hi
I have an issue with a GRE tunnel. I have two ISPs; when I switch to the ISP which is the source of the tunnel I have:
10-13-2014 09:38 AM
Post your config and someone should be able to tell you.
10-13-2014 09:58 AM
!
track 100 list boolean or
 object 101
 object 102
 object 103
!
track 101 ip sla 101 reachability
 delay down 10 up 10
!
track 102 ip sla 102 reachability
 delay down 10 up 10
!
track 103 ip sla 103 reachability
 delay down 10 up 10
!
!
interface Tunnel5
 ip address 10.5.0.38 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel source isp01
 tunnel destination XXX
!
interface Tunnel10
 ip address 10.5.0.102 255.255.255.252
 tunnel source isp02
 tunnel mode ipsec ipv4
 tunnel destination XXX
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description isp02
 ip address
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description isp01-main
 ip address
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip sla auto discovery
ip sla 101
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 frequency 20
ip sla schedule 101 life forever start-time now
ip sla 102
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
 frequency 20
ip sla schedule 102 life forever start-time now
ip sla 103
 icmp-echo 212.77.100.101 source-interface GigabitEthernet0/1
 frequency 20
ip sla schedule 103 life forever start-time now
!
route-map ISP02 permit 10
 match ip address NAT
 match interface GigabitEthernet0/0
!
route-map ISP01 permit 10
 match ip address NAT
 match interface GigabitEthernet0/1
!
route-map LOCAL_TRAFFIC permit 10
 match ip address 101
 set ip next-hop isp01-gateway
 set interface GigabitEthernet0/1
!
When IP SLA switches to isp02, interface Tunnel10 has protocol down. One more thing which is strange - Tunnel linestate evaluation down - no output interface. ISP02 is working correctly.
10-13-2014 09:39 PM
Hey,
Can you please remove IPSLA and make ISP2 manually down/shutdown and check what the status of the tunnel on ISP1 is? This tunnel should be coming up; otherwise there should be some issue with the configuration.
Potha
10-14-2014 03:15 AM
There are inconsistencies in the configuration of the tunnels and those differences may explain the different behavior. Tunnel 10 includes this command "tunnel mode ipsec ipv4". In this mode you are specifying that you want to use IPSec to encrypt the traffic. And in this mode the tunnel line protocol is dependent upon successful negotiation of IPSec Security Associations. But since the tunnel does not specify the tunnel protection profile I suspect that it cannot negotiate the SA.
On the other hand Tunnel 5 does not specify IPSec. It is configured as a normal GRE tunnel. And a normal GRE tunnel will be line protocol up as long as the router has a valid route to the tunnel destination.
It is not clear to me whether these inconsistencies are intentional. But I believe that they do explain the different behavior that you observe.
HTH
Rick
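The inconsistency described in the answer above can be checked mechanically. This is an added example, not part of any post in this thread: a small Python audit that classifies each Tunnel interface in an IOS-style config by whether it is plain GRE, IPsec mode without a protection profile, or IPsec with a profile. The sample config is constructed; the addresses, Tunnel20 and the profile name VTI-PROFILE are assumptions.

```python
# Constructed sample modelled on the tunnel stanzas posted in this thread.
# Addresses, Tunnel20 and VTI-PROFILE are hypothetical placeholders.
SAMPLE_CONFIG = """\
interface Tunnel5
 tunnel destination 192.0.2.1
!
interface Tunnel10
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
!
interface Tunnel20
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.3
 tunnel protection ipsec profile VTI-PROFILE
"""

def interface_blocks(config):
    """Map each interface name to its sub-commands ('!' or a blank ends a stanza)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit_tunnels(config):
    """Classify every Tunnel interface by how its traffic is protected."""
    findings = {}
    for name, cmds in interface_blocks(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        ipsec_mode = any(c.startswith("tunnel mode ipsec") for c in cmds)
        profile = any(c.startswith("tunnel protection ipsec profile") for c in cmds)
        if profile:
            findings[name] = "protected"
        elif ipsec_mode:
            # The case the answer above suspects: no profile, so no SA.
            findings[name] = "ipsec-mode-no-profile"
        else:
            # Plain GRE: traffic is not encrypted on the ISP path.
            findings[name] = "plain-gre"
    return findings

if __name__ == "__main__":
    print(audit_tunnels(SAMPLE_CONFIG))
```

The parser works on stripped lines, so it also accepts configs pasted without indentation, as long as stanzas are separated by `!`.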
10-23-2014 04:20 AM
Thank you for the answer.
Tunnel 10 is working, I removed ipsec profiles for simplicity.
I know that tunnel5 is without ipsec and it should be up when the route is valid. Routing is ok, I can ping the other side. When I shut/up the tunnel5 interface it is up for a while and I can ping the tunnel interface from the remote site. After about 10 sec - Tunnel linestate evaluation down - no output interface.
Regards
Pawel