GRE tunnel is down, but the IPsec is up

Sudqi
Level 1

Hello All,

We have a crypto map under the physical interface and a GRE tunnel over this IPsec.

We have two tunnels; one is up and the second is down (protocol down). The setup is the same.

Does anyone have any ideas?

Thanks

Accepted Solution

Sudqi
Level 1

Dear All,

The problem was that there was an ACL with an "any any" rule in the crypto map, so the second one did not work.

After removing it, it works.

The screenshot below illustrates it:

[screenshot: Sudqi_0-1729854836718.png]


16 Replies

@Sudqi Do you have a keepalive setup on the GRE tunnel interface? Can you provide the configuration and the output of "show crypto ipsec sa" please.

Yes, I use keepalive on both.

Are you using the same IPsec profile under the two tunnel interfaces? If so, did you add the "shared" keyword at the end of the "tunnel protection ipsec profile" command?

Same profile, but I used a Cisco ISR and the crypto map under the physical interface.

M02@rt37
VIP

Hello @Sudqi,

We need more info please.

Check the status of the IPsec Security Associations (show crypto ipsec sa). If the SA is not established for the second tunnel, it may indicate a mismatch in the encryption parameters or access control list.

As I read, yes! If keepalives are configured, ensure that both ends are responding correctly. Mismatches in keepalive settings or a lack of responses may cause the tunnel to go down.

Also, verify that there are no issues with the physical interface (e.g., interface is up and IP address is correctly configured)...

Last, check that the routing allows the GRE tunnel endpoints to reach each other. The physical interface should have IP connectivity to the remote endpoint.

Best regards

All is checked. Also, IPsec is up and has decrypt traffic but no encrypt on the non-working one.

Seeing decaps and not encaps could suggest that the traffic is not being sent down the tunnel. How did you configure routing for this traffic?

Sudqi
Level 1

[outputs attached as images]
Thanks for the outputs @Sudqi

If you see decrypted traffic but no encrypted traffic on an IPsec tunnel, it indicates that traffic is reaching the local router but is not being sent out through the IPsec tunnel, suggesting a potential issue with routing or the crypto configuration.

Please ensure that routing for the traffic is set up correctly, with either static or dynamic routing directing traffic for the remote network towards the IPsec tunnel. The crypto ACLs must match the traffic to be encrypted, with mirrored configurations on both sides of the tunnel to avoid mismatches. NAT exemption should also be in place if NAT is used, ensuring the traffic matches the crypto ACL and is exempted from NAT processing. Additionally, if using GRE or VTI, confirm that the tunnel interface is up and properly configured.

Best regards
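The crypto-ACL matching that the reply above asks about, and the "any any" ACL that the accepted solution identifies as the cause, as an added illustration that is not taken from any post in this thread. Every address, ACL name, map name and sequence number below is assumed; this is not the original poster's configuration.

```cisco
! Added example, not the poster's config. Addresses, names and
! sequence numbers are assumed.
!
! --- Broken: crypto map entry 10 matches on a "permit ip any any" ACL ---
ip access-list extended VPN-PEER1
 permit ip any any
ip access-list extended VPN-PEER2
 permit gre host 203.0.113.1 host 198.51.100.2
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-PEER1
crypto map CMAP 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-PEER2
!
! Crypto map entries are evaluated in sequence order on egress and the
! first matching entry wins. GRE packets from 203.0.113.1 to
! 198.51.100.2 hit entry 10's "any any" before entry 20 is consulted, so
! they are associated with peer 198.51.100.1 and no outbound SA is ever
! built for peer 198.51.100.2: "show crypto ipsec sa" shows decaps from
! the remote side but no encaps, and Tunnel2 keepalives never leave.
!
! --- Fixed: each entry's ACL names only its own GRE endpoints ---
ip access-list extended VPN-PEER1
 no permit ip any any
 permit gre host 203.0.113.1 host 198.51.100.1
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 keepalive 10 3
interface Tunnel2
 ip address 10.0.2.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
 keepalive 10 3
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
```

After the ACL change, "show crypto map" should list a distinct crypto ACL under each peer, and "clear crypto sa peer 198.51.100.2" forces the stale SA to be rebuilt against the corrected match; "show crypto ipsec sa" for that peer should then show encaps and decaps both incrementing, and Tunnel2 should come up once its keepalives are answered. The mirrored ACL on each remote peer must name the same GRE endpoint pair in the opposite direction.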

Thank you. All configuration is matched and the route is correct, but there is no protocol up. I removed the tunnel and configured it again, but got the same result.

If everything seems to be configured correctly, one thing I would try would be to remove the crypto map from the interface and re-add it.

Unfortunately, this connection is shared with a lot of working tunnels and can't be removed. I tried removing the crypto map related to just that peer, but got no results.

Could you please share your sanitized configs for review?

Thanks Aref,

There is no problem with the configuration; this is abnormal behavior, and we have already opened a ticket with TAC to check.

I will update the ticket once it is solved.

Thank you