GRE tunnel down

ohareka70
Level 3

I upgraded the RAM and IOS image on a Cisco 5520 ASA firewall and pushed a new firewall policy to the device via the Cisco Security Manager. But now a remote VPN I had has lost the IPsec tunnel it had onto the firewall. The config is still in place and I can ping all the devices, but when I go to the switch on the internal network where the GRE tunnel terminates it says OSPF is in INIT state.

Sw#Sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

10.225.253.110   0   INIT/ -       00:00:36   10.218.94.41   Tunnel100

How do I bring the tunnel back up?

Kevin

11 Replies

Hello Kevin,

Where is the other end of the tunnel, and are you able to ping from tunnel source to tunnel destination?

regards

harish

Harish,

Yes, I can ping the tunnel from the VPN router called rtr-NewrVPN01, which sits outside our network (outside the ASA).

rtr-NewrVPN01#ping 10.218.93.3

Source address or interface: 10.218.40.110

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/114/220 ms

I have attached part of the config of the VPN router below.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key A-shar3D-sekret address 217.x.x.x

crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac

crypto map p21vpn 20 ipsec-isakmp
set peer 217.x.x.x
set transform-set 3desmd5
match address 160

interface Loopback1
ip address 10.218.40.110 255.255.255.255

interface Tunnel10
description ** Newry vpn **
bandwidth 10
ip address 10.218.94.41 255.255.255.252
ip mtu 1400
ip ospf cost 40000
tunnel source Loopback1
tunnel destination 10.218.93.3

interface Dialer0
description $FW_OUTSIDE$
ip address 81.x.x.x 255.255.255.254
ip access-group Internet-in in
crypto map p21vpn

router ospf 1
network 10.218.40.110 0.0.0.0 area 0
network 10.218.94.40 0.0.0.3 area 0

Hello Kevin,

Are you able to ping 10.218.94.42 from the VPN router? It would be great to get the configuration of your ASA.

regards

Harish.

Harish,

I am not able to ping from 10.218.94.41 to 10.218.94.42. Does that mean that the GRE tunnel is down?

I have attached the relevant part of the firewall config with the dialer address deleted.

regards,

Kevin

Hello Kevin,

Yes, that means the tunnel is down. By the way, I have checked the ASA, and I could not find the ACL 'outside_9_cryptomap' in the configuration, which is used for interesting traffic.

regards

Harish.

Harish,

My mistake. It's actually in the live config OK, but I just didn't paste it.

access-list outside_9_cryptomap extended permit ip host 10.218.93.3 host 10.218.40.110

crypto map vpnmap 9 match address outside_9_cryptomap
crypto map vpnmap 9 set peer 81.x.x.x
crypto map vpnmap 9 set ikev1 transform-set ESP-3DES-MD5

regards,

Kevin

Hello Kevin

From the ASA, can you do the following and get me the output?

packet-tracer input inside  icmp 10.218.93.3  8   0  10.218.40.110

Harish.

Harish,

It's asking me for a code and an ID under packet-tracer. Any ideas what they are?

Also, from what I can see QM_IDLE means that phase 1 is up, so what do I need to troubleshoot?

rtr-NewrVPN01#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst                          src                     state                                     conn-id                 slot         status

217.x.x.x                  81.x.x.x             QM_IDLE                               2002                      0              ACTIVE

I did a compare of two configs for the firewall from both before and after the IOS image was upgraded. Only after it was upgraded did the VPN stop working. The word isakmp has now been replaced with ikev1 in the configs.

crypto isakmp enable outside      crypto ikev1 enable outside 9610
crypto isakmp enable inside      crypto ikev1 enable inside 9611
crypto isakmp policy 10      crypto ikev1 policy 10
crypto isakmp policy 80      crypto ikev1 policy 80

ASA image went from ASA Version 8.0(5) to ASA Version 8.4(4)1.

Harish,

If the IPsec tunnel is up, should I be checking the GRE tunnel? I do a sh ip ospf nei on one side and get nothing. On the other side I do a sh ip ospf nei and it says INIT state for the tunnel. Any ideas how to correct this?

Much appreciated

Kevin

Harish,

Finally got the answer on how to bring the GRE tunnel back in again.

show local-host [ip of your gre tunnel]

clear local-host [ip of your gre tunnel]

Do this on the ASA device. Worked a treat.

Cheers, Kevin
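Two checks that fall out of this thread, written as an added Python example (not code from the thread or from any Cisco tool): parsing `show ip ospf neighbor` for adjacencies stuck short of FULL, the INIT/ - line on Tunnel100 being the symptom Kevin saw, and verifying that the crypto ACL on one IPsec peer is the source/destination mirror of the other. The router-side ACL 160 is not shown in the thread, so the ACE used for it below is a constructed assumption.

```python
import re

# Constructed sample of `show ip ospf neighbor`, modelled on the thread's
# Tunnel100 line; a healthy FULL neighbour is added for contrast.
OSPF_NEI = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.225.253.110   0   INIT/ -       00:00:36   10.218.94.41   Tunnel100
10.225.253.1     1   FULL/DR       00:00:35   10.218.1.2     GigabitEthernet0/1
"""

NEI_RE = re.compile(
    r"^(?P<nid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+/\s*\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$"
)


def stuck_neighbors(output):
    """Return [(neighbor_id, state, interface)] for adjacencies not yet FULL.

    INIT means this router sees the neighbour's hellos but the neighbour has
    not yet listed this router in its own hellos: traffic is crossing the
    tunnel in only one direction, which matches the failed ping in the thread.
    """
    found = []
    for line in output.splitlines():
        m = NEI_RE.match(line)
        if not m:
            continue  # header or blank line
        state = m.group("state").split("/")[0]
        if state != "FULL":
            found.append((m.group("nid"), state, m.group("intf")))
    return found


# ASA side, as posted in the thread; router side (ACL 160) is a constructed
# assumption of what a correctly mirrored ACE would look like.
ASA_ACE = "access-list outside_9_cryptomap extended permit ip host 10.218.93.3 host 10.218.40.110"
ROUTER_ACE = "access-list 160 permit ip host 10.218.40.110 host 10.218.93.3"

ACE_RE = re.compile(r"permit ip host (?P<src>\S+) host (?P<dst>\S+)")


def acl_mirrors(local_ace, remote_ace):
    """True when the remote crypto ACE is the exact src/dst mirror of the local one."""
    l, r = ACE_RE.search(local_ace), ACE_RE.search(remote_ace)
    if not (l and r):
        return False
    return l.group("src") == r.group("dst") and l.group("dst") == r.group("src")


if __name__ == "__main__":
    for nid, state, intf in stuck_neighbors(OSPF_NEI):
        print(f"neighbour {nid} on {intf} stuck in {state}")
    print("crypto ACLs mirror each other:", acl_mirrors(ASA_ACE, ROUTER_ACE))
```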
