
Flexvpn Server/Client : %TUN-5-RECURDOWN: Tunnel0 temporarily disable

Lehrling
Level 1

Hello everybody,

I am getting the following error message in a basic FlexVPN server/client environment: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing. No routing implemented. Please find below the main parts of the configs. Any help greatly appreciated. Thanks.

Lehrling.                                       

 


balaji.bandi
Hall of Fame

You need to give more information: what your environment is like, what device and IOS code, some config information, what you are trying to do, and any network diagram.

The link below may help you:

https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html

BB


Hello BB,

Thanks for your feedback and support. The topology I am using is really basic: just one hub/server and two spokes/clients connected through a switch (simulating the cloud). No routing involved at all and no static routes. The client connects through the tunnel to the server and is dynamically allocated an IP address from the server's address pool. Main config parts below:

==========================================

 

--------------------
Server / HUB Config
--------------------
!
aaa new-model
!
!
aaa authorization network AUTHZ local
!
!
aaa session-id common
!
no ip domain lookup
ip domain name test.com
!
crypto ikev2 authorization policy AUTHOR_POLICY
pool FLEXVPN_POOL
netmask 255.255.255.0
route set interface
route set remote ipv4 5.5.5.0 255.255.255.0
!
crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha512
group 5
!
crypto ikev2 policy IKEV2_POLICY
proposal IKEV2_PROPOSAL
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain test.com
identity local fqdn Hub.test.com
authentication remote pre-share key 4_test
authentication local pre-share key 4_test
aaa authorization group psk list AUTHZ AUTHOR_POLICY
virtual-template 1
!
!
!
crypto ipsec transform-set IPSEC_TRANSFORM_SET ah-sha512-hmac esp-3des esp-sha512-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC_TRANSFORM_SET
set ikev2-profile IKEV2_PROFILE
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
!
interface GigabitEthernet0/0
ip address 192.168.12.5 255.255.255.0
duplex auto
speed auto
media-type rj45
!
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
ip local pool FLEXVPN_POOL 10.35.35.1 10.35.35.10
!
!
!
--------------------
Client/ Spoke Config
--------------------
!
!
aaa new-model
!
!
aaa authorization network AUTHZ local
!
!
aaa session-id common
!
!
crypto ikev2 authorization policy AUTHOR_POLICY
netmask 255.255.255.0
route set interface
route set remote ipv4 1.1.1.0 255.255.255.0
!
crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha512
group 5
!
crypto ikev2 policy IKEV2_POLICY
proposal IKEV2_PROPOSAL
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain test.com
identity local fqdn Spoke-1.test.com
authentication remote pre-share key 4_test
authentication local pre-share key 4_test
aaa authorization group psk list AUTHZ AUTHOR_POLICY
virtual-template 1
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
peer 1 192.168.12.5
client connect Tunnel0
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address negotiated
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile IPSEC_PROFILE
!
!
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
!
############################################## debug from the Hub/Server: Interface Virtual-template is flapping


*Aug 22 07:49:00.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Aug 22 07:49:00.444: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Hub#
*Aug 22 07:51:05.474: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Aug 22 07:51:05.474: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Hub#
*Aug 22 07:51:05.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Aug 22 07:51:05.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

############################################## debug from the Client/Spoke: Interface tunnel0 is flapping

*Aug 22 07:53:15.334: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXVPN_CLIENT) Client_public_addr = 192.168.12.1 Server_public_addr = 192.168.12.5
*Aug 22 07:53:15.449: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Aug 22 07:53:15.450: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel0 (incomplete) - looped chain attempting to stack
Spoke-1#
*Aug 22 07:53:15.457: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXVPN_CLIENT) Client_public_addr = 192.168.12.1 Server_public_addr = 192.168.12.5 Assigned_Tunnel_v4_addr = 10.35.35.2
Spoke-1#
*Aug 22 07:53:39.869: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Aug 22 07:53:39.869: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Spoke-1#
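
The condition that %TUN-5-RECURDOWN reports in the spoke log above, as an added example that is not part of the original posts: the best route to the tunnel's outer destination points out of the tunnel itself. The routing tables are constructed from the thread's addresses, and the host route for 192.168.12.5 via Tunnel0 is an assumption about what the spoke installs from the hub's pushed routes, not output captured from the devices.

```python
import ipaddress

def best_route(routes, dest):
    """Longest-prefix match over (prefix, interface) pairs; None if no match."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def recursive_route(routes, tunnel_if, tunnel_dest):
    """Return the (prefix, interface) entry that sends the tunnel's own outer
    destination back into the tunnel, or None when the underlay path is clean."""
    hit = best_route(routes, tunnel_dest)
    if hit is not None and hit[1] == tunnel_if:
        return (str(hit[0]), hit[1])
    return None

# Constructed spoke routing tables using the addresses from the thread.
UNDERLAY = [
    ("192.168.12.0/24", "GigabitEthernet0/0"),  # connected, carries IKE/ESP
    ("1.1.1.0/24", "Loopback0"),
]
# Assumption: the hub's pushed routes include a host route for the address its
# Virtual-Template borrows (ip unnumbered GigabitEthernet0/0 -> 192.168.12.5).
SPOKE_FLAPPING = UNDERLAY + [
    ("5.5.5.0/24", "Tunnel0"),
    ("192.168.12.5/32", "Tunnel0"),
]
# Assumption: same hub, but the template borrows Loopback0 (5.5.5.5) instead.
SPOKE_STABLE = UNDERLAY + [
    ("5.5.5.0/24", "Tunnel0"),
    ("5.5.5.5/32", "Tunnel0"),
]

if __name__ == "__main__":
    for name, table in (("flapping", SPOKE_FLAPPING), ("stable", SPOKE_STABLE)):
        print(name, recursive_route(table, "Tunnel0", "192.168.12.5"))
```

On a live spoke the same comparison is made by checking which interface the route to the peer address 192.168.12.5 uses while the tunnel is up.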