GRE tunnel down

I upgraded the RAM and IOS image on a Cisco 5520 ASA firewall and pushed a new firewall policy to the device via the Cisco Security Manager. But now a remote VPN I had has lost the IPSEC tunnel it had onto the firewall. The config is still in place and I can ping all the devices, but when I go to the switch on the internal network where the GRE tunnel terminates it says OSPF is in INIT state.

Sw#Sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.225.253.110    0   INIT/  -        00:00:36    10.218.94.41    Tunnel100

How do I bring the tunnel back up?

Kevin
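As an added example (not from the thread), the following Python parses `show ip ospf neighbor` output like the table above and flags every neighbour that is not fully adjacent, reading INIT as a one-way hello path. The sample output is constructed from the row in the post plus one healthy neighbour.

```python
import re

# Constructed sample of "show ip ospf neighbor" output: the INIT row from the
# post plus one healthy neighbour for contrast.
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.225.253.110    0   INIT/  -        00:00:36    10.218.94.41    Tunnel100
10.225.253.1      1   FULL/DR         00:00:39    10.218.50.2     Vlan50
"""

# One neighbour row: ID, priority, STATE/ROLE (IOS prints "INIT/  -" with
# spaces around the slash), dead timer, address, interface.
ROW_RE = re.compile(
    r"^(?P<nid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)\s*/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ifc>\S+)\s*$"
)

def parse_neighbors(text):
    # Header and blank lines do not match the row pattern and are skipped.
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def diagnose(neighbors):
    """Flag neighbours that are not fully adjacent, with a one-line reason.
    INIT means the neighbour's hellos reach us but it does not list us in
    its own, so our hellos are not getting back: a one-way path, such as a
    GRE tunnel that passes traffic in only one direction."""
    problems = []
    for n in neighbors:
        state = n["state"]
        if state == "FULL" or (state == "2WAY" and n["role"] == "DROTHER"):
            continue  # healthy: FULL, or 2WAY between two non-DR routers
        if state == "INIT":
            why = "one-way: hellos received, ours not reaching the neighbour"
        elif state in ("EXSTART", "EXCHANGE", "LOADING"):
            why = "stuck forming adjacency (commonly an MTU mismatch)"
        else:
            why = "no adjacency"
        problems.append((n["nid"], n["ifc"], state, why))
    return problems

if __name__ == "__main__":
    for nid, ifc, state, why in diagnose(parse_neighbors(SAMPLE_OUTPUT)):
        print(f"{nid} on {ifc}: {state} - {why}")
```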

11 Replies

GRE tunnel down

Hello Kevin,

Where is the other end of the tunnel, and are you able to ping from the tunnel source to the tunnel destination?

regards

harish


GRE tunnel down

Harish,

Yes, I can ping the tunnel from the VPN router called rtr-NewrVPN01, which sits outside our network (outside the ASA).

rtr-NewrVPN01#ping 10.218.93.3

Source address or interface: 10.218.40.110

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/114/220 ms

I have attached part of the config of the VPN router below.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key A-shar3D-sekret address 217.x.x.x

crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac

crypto map p21vpn 20 ipsec-isakmp
set peer 217.x.x.x
set transform-set 3desmd5
match address 160

interface Loopback1
ip address 10.218.40.110 255.255.255.255

interface Tunnel10
description ** Newry vpn **
bandwidth 10
ip address 10.218.94.41 255.255.255.252
ip mtu 1400
ip ospf cost 40000
tunnel source Loopback1
tunnel destination 10.218.93.3

interface Dialer0
description $FW_OUTSIDE$
ip address 81.x.x.x 255.255.255.254
ip access-group Internet-in in
crypto map p21vpn

router ospf 1
network 10.218.40.110 0.0.0.0 area 0
network 10.218.94.40 0.0.0.3 area 0


GRE tunnel down

Hello Kevin,

Are you able to ping 10.218.94.42 from the VPN router? It would be great to get the configuration of your ASA.

regards

Harish.


Re: GRE tunnel down

Harish,

I am not able to ping from 10.218.94.41 to 10.218.94.42 - does that mean that the GRE tunnel is down?

I have attached the relevant part of the firewall config with the dialer address deleted.

regards,

Kevin


GRE tunnel down

Hello Kevin,

Yes, that means the tunnel is down. By the way, I have checked the ASA and I could not find the ACL 'outside_9_cryptomap' in the configuration, which is used for the interesting traffic.

regards

Harish.


Re: GRE tunnel down

Harish,

My mistake - it's actually in the live config, I just didn't paste it.

access-list outside_9_cryptomap extended permit ip host 10.218.93.3 host 10.218.40.110

crypto map vpnmap 9 match address outside_9_cryptomap
crypto map vpnmap 9 set peer 81.x.x.x
crypto map vpnmap 9 set ikev1 transform-set ESP-3DES-MD5

regards,

Kevin


GRE tunnel down

Hello Kevin,

From the ASA can you run the following and get me the output?

packet-tracer input inside  icmp 10.218.93.3  8   0  10.218.40.110

Harish.


Re: GRE tunnel down

Harish,

It's asking me for a code and an ID under packet-tracer - any ideas what they are?

Also, from what I can see QM_IDLE means that phase 1 is up, so what do I need to troubleshoot?

rtr-NewrVPN01#show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state       conn-id   slot   status
217.x.x.x       81.x.x.x        QM_IDLE     2002      0      ACTIVE


Re: GRE tunnel down

I did a compare of two configs for the firewall from both before and after the IOS image was upgraded. Only after it was upgraded did the VPN stop working. The word isakmp has now been replaced with ikev1 in the configs.

Before upgrade                    After upgrade
crypto isakmp enable outside      crypto ikev1 enable outside 9610
crypto isakmp enable inside       crypto ikev1 enable inside 9611
crypto isakmp policy 10           crypto ikev1 policy 10
crypto isakmp policy 80           crypto ikev1 policy 80

The ASA image went from ASA Version 8.0(5) to ASA Version 8.4(4)1.
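When comparing configs across the 8.0 to 8.4 upgrade, the automatic isakmp to ikev1 renames swamp the diff and hide real losses such as a missing crypto map entry or crypto ACL. As an added example (not the poster's tooling), this Python normalises the known renames before diffing so only material changes remain; the before/after fragments are constructed from the lines quoted in the thread.

```python
import difflib

# Constructed fragments modelled on the compare output in the post (8.0(5)
# syntax vs 8.4(4)1 syntax); not the poster's full configuration.
BEFORE = """\
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
crypto isakmp policy 80
crypto map vpnmap 9 match address outside_9_cryptomap
crypto map vpnmap 9 set peer 81.x.x.x
crypto map vpnmap 9 set transform-set ESP-3DES-MD5
"""
AFTER = """\
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
crypto ikev1 policy 80
crypto map vpnmap 9 match address outside_9_cryptomap
crypto map vpnmap 9 set peer 81.x.x.x
crypto map vpnmap 9 set ikev1 transform-set ESP-3DES-MD5
"""

# Renames the 8.4 upgrade applies by itself: the text changes, behaviour does not.
RENAMES = [("crypto isakmp ", "crypto ikev1 "),
           (" set transform-set ", " set ikev1 transform-set ")]

def normalize(line):
    # Spell a pre-8.4 line the 8.4 way so a pure rename compares equal.
    for old, new in RENAMES:
        line = line.replace(old, new)
    return line.rstrip()

def _changed_lines(a, b):
    # Only the +/- body lines of a zero-context unified diff.
    out = []
    for l in difflib.unified_diff(a, b, lineterm="", n=0):
        if l.startswith(("+++ ", "--- ", "@@")):
            continue
        if l and l[0] in "+-":
            out.append(l)
    return out

def compare_configs(before, after):
    """Return (raw, material): all differing lines, and those still differing
    after normalisation. Anything in `material` is a real change to chase."""
    raw = _changed_lines(before.splitlines(), after.splitlines())
    material = _changed_lines([normalize(l) for l in before.splitlines()],
                              [normalize(l) for l in after.splitlines()])
    return raw, material
```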


Re: GRE tunnel down

Harish,

If the IPSEC tunnel is up, should I be checking the GRE tunnel? I do a sh ip ospf nei on one side and get nothing. On the other side I do a sh ip ospf nei and it says INIT state for the tunnel. Any ideas how to correct this?

much appreciated

Kevin


Re: GRE tunnel down

Harish,

Finally got the answer on how to bring the GRE tunnel back in again.

show local-host [ip of your gre tunnel]

clear local-host [ip of your gre tunnel]

Do this on the ASA device. Worked a treat.

Cheers, Kevin