02-20-2018 11:47 PM - edited 03-12-2019 05:02 AM
Hi all,
I need advice about configuring route-map IP SLA failover and a GRE tunnel VPN to connect to another site.
I have a Cisco 2911, which I call the "router internet". I have configured a route map and IP SLA to implement failover, because I have 3 ISPs: 1 fiber optic, 1 wireless and 1 dialup. For the connection to the other site, I have configured a GRE tunnel.
For internet I don't have a problem. User segments can access the internet according to the route map settings: some users go to ISP 1 or ISP 2 and others to ISP 3.
But the problem is in the GRE tunnel. I have configured the GRE tunnel like this.
R1 - Cisco
int tunnel 1
ip add 192.168.33.1/30
tunnel source 44.44.44.22
tunnel destination 10.10.10.44
IP LAN 192.168.6.0/24

R2 - Mikrotik
int tunnel 1
ip add 192.168.33.2/30
tunnel source 10.10.10.44
tunnel-destination 44.44.44.22
IP LAN 192.168.4.0/24
R1 and R2 can communicate via the tunnel IP addresses.
But the problem is with the users. Users can't ping the tunnel IP address of R2.
When a user traceroutes to the R2 LAN 192.168.4.0/24, on R1 the user is routed to the internet, not to the tunnel IP address, even though I have configured a static IP route via the GRE tunnel.
But when I ping from the router internet, I can reach the R2 LAN.
Please advise.
Thanks,
SA
02-20-2018 11:56 PM
Hi,
I think you are missing a deny permit in the NAT ACL for the Mikrotik router subnet, or there is an issue with routing.
Please share the NAT configuration from your "Internet Router" (Cisco) and the routing details.
And please also check for any ACL configuration that blocks traffic.
Regards,
Deepak Kumar
02-21-2018 12:19 AM
Hi Deepak Kumar,
Thank you for your response.
How can I use deny permit in NAT?
This is the routing on the router internet.
ip nat inside source route-map ISP2 interface FastEthernet0/0/0 overload
ip nat inside source route-map ISP4 interface FastEthernet0/0/1 overload
ip nat inside source route-map ISP5 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 55.53.35.44 4 track 10
ip route 0.0.0.0 0.0.0.0 44.44.44.22 3 track 20
ip route 0.0.0.0 0.0.0.0 Dialer1 5 track 30
ip route 172.16.61.0 255.255.255.0 172.16.63.1
ip route 172.16.62.0 255.255.255.0 172.16.63.1
ip route 192.168.4.0 255.255.255.0 192.168.33.2
ip route 192.168.41.0 255.255.255.0 192.168.33.2
ip route 192.168.6.0 255.255.255.0 172.16.63.1
Thanks,
SA
02-21-2018 02:15 AM
Hi,
There is no ACL and route map information included. Kindly share complete running configuration.
Regards,
Deepak Kumar
02-21-2018 07:22 PM
Hi Deepak Kumar,
This is the full config.
Building configuration...
Current configuration : 12186 bytes
!
! Last configuration change at 07:34:55 UTC Thu Feb 22 2018 by admin2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRJ-RTR-INET-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$9WrU$JVk.8Kras1oYrxck7Jf540
!
aaa new-model
!
!
aaa authentication login ANYCONNECT-VPN-USER-LIST local
aaa authentication ppp default local
aaa authorization network default local
!
aaa attribute list Graha
attribute type addr 11.0.0.5 service ppp protocol ip
!
aaa attribute list ACUM
attribute type addr 11.0.0.6 service ppp protocol ip
!
aaa attribute list BDG
attribute type addr 11.0.0.7 service ppp protocol ip
!
aaa attribute list SBY
attribute type addr 11.0.0.8 service ppp protocol ip
!
!
!
!
!
aaa session-id common
clock timezone UTC 7 0
!
ip cef
!
!
!
!
!
!
no ip domain lookup
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
ip inspect name FW_INSPECT rtsp
ip inspect name FW_INSPECT h323
ip inspect name FW_INSPECT netshow
ip inspect name FW_INSPECT ftp
ip inspect name FW_INSPECT sqlnet
ip inspect name FW_INSPECT dns
ip inspect name FW_INSPECT http
ip inspect name FW_INSPECT https
ip inspect name FW_INSPECT sip
ip inspect name FW_INSPECT ssh
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 2
!
!
!
crypto pki trustpoint TP-self-signed-404552302
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-404552302
revocation-check none
rsakeypair TP-self-signed-404552302
!
!
crypto pki certificate chain TP-self-signed-404552302
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FGL184310KJ
license boot module c2900 technology-package securityk9
!
!
object-group network ACCESS_OFFICE365
!
object-group network ASTINET_INET
!
object-group network MANAGEMENT
host 192.168.6.57
host 172.16.63.1
!
object-group network SCBD_INET
!
object-group network SERVER
host 192.168.6.251
host 192.168.6.248
host 192.168.6.51
host 192.168.6.25
host 192.168.6.225
!
object-group network USER_INET
!
username admin2015 secret 5
!
redundancy
!
!
!
!
!
!
track 10 ip sla 1 reachability
delay down 10 up 1
!
track 20 ip sla 2 reachability
delay down 10 up 1
!
track 30 ip sla 3 reachability
delay down 10 up 1
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.08009-k9.pkg sequence 1
!
!
!
!
!
!
!
!
interface Loopback1
ip address 11.0.0.1 255.255.255.0
ip access-group permit in
!
interface Tunnel1
ip address 192.168.33.1 255.255.255.0
ip tcp adjust-mss 1436
tunnel source FastEthernet0/0/0
tunnel destination 10.10.10.44
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ***conneected to coreswitch Cisco Catalyst 3750/LAN***
ip address 172.16.63.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map SLR
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ***port for cable physical connection to Speedy ***
no ip address
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/2
description ***Not Active***
ip address 55.53.35.45 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1452
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/0/0
description ***Maxindo ISP***
ip address 44.44.44.23 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/0/1
description *** ISP SCBD NEW ***
ip address 55.53.35.45 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template1
description ***gateway for AnyConnect VPN***
ip address 10.0.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Virtual-Template2
ip unnumbered Loopback1
peer default ip address pool test
no keepalive
ppp encrypt mppe auto required
ppp authentication pap chap ms-chap
ppp ipcp dns 192.168.6.51 8.8.8.8
!
interface Dialer1
description ***dialer for Speedy ***
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxx@xxxxxx
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxxx@xxxxx password 0 xxxxxx
no cdp enable
!
!
router eigrp 14
network 10.0.11.0 0.0.0.255
network 172.16.62.0 0.0.0.3
redistribute static
!
router ospf 10
redistribute static
network 172.16.63.0 0.0.0.3 area 0
network 192.168.13.0 0.0.0.255 area 0
!
ip local pool ANYCONNECT-POOL 10.0.11.11 10.0.11.254
ip local pool test 11.0.0.11 11.0.0.254
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source route-map ISP2 interface FastEthernet0/0/0 overload
ip nat inside source route-map ISP4 interface FastEthernet0/0/1 overload
ip nat inside source route-map ISP5 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 55.53.35.44 4 track 10
ip route 0.0.0.0 0.0.0.0 44.44.44.22 track 20
ip route 0.0.0.0 0.0.0.0 Dialer1 5 track 30
ip route 172.16.61.0 255.255.255.0 172.16.63.1
ip route 172.16.62.0 255.255.255.0 172.16.63.1
ip route 192.168.1.0 255.255.255.0 172.16.61.1
ip route 192.168.2.0 255.255.255.0 192.168.34.2
ip route 192.168.4.0 255.255.255.0 192.168.33.2
ip route 192.168.5.0 255.255.255.0 172.16.63.1
ip route 192.168.6.0 255.255.255.0 172.16.63.1
ip route 192.168.21.0 255.255.255.0 192.168.34.2
ip route 192.168.22.0 255.255.255.0 192.168.34.2
ip route 192.168.23.0 255.255.255.0 192.168.34.2
ip route 192.168.26.0 255.255.255.0 11.0.0.5
ip route 192.168.26.0 255.255.255.0 192.168.34.2
ip route 192.168.40.0 255.255.255.0 172.16.63.1
ip route 192.168.41.0 255.255.255.0 192.168.33.2
ip route 192.168.42.0 255.255.255.0 192.168.33.2
ip route 192.168.43.0 255.255.255.0 11.0.0.8
ip route 192.168.61.0 255.255.255.0 172.16.63.1
ip route 192.168.62.0 255.255.255.0 172.16.63.1
ip route 192.168.63.0 255.255.255.0 172.16.63.1
ip route 192.168.64.0 255.255.255.0 172.16.63.1
ip route 192.168.66.0 255.255.255.0 172.16.63.1
ip route 192.168.68.0 255.255.255.0 172.16.63.1
ip route 192.168.69.0 255.255.255.0 172.16.63.1
!
ip access-list extended ACL_INTERNET_ASTINET
permit ip object-group ASTINET_INET any
ip access-list extended ACL_INTERNET_SCBD
permit ip object-group SCBD_INET any
ip access-list extended INTERNET_ACCESS
permit ip any any
ip access-list extended Internet_UserAll
permit ip any any
ip access-list extended MAXINDO
permit ip 192.168.64.0 0.0.0.255 any
permit ip host 192.168.6.239 any
permit ip 192.168.41.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.3 any
permit ip host 192.168.6.222 any
permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended PAT_LOCAL_IP_FOR_ASTINET
ip access-list extended PAT_LOCAL_IP_FOR_SCBD
ip access-list extended PAT_LOCAL_IP_FOR_SPEEDY
ip access-list extended SCBD
permit ip 192.168.63.0 0.0.0.255 any
permit ip 192.168.66.0 0.0.0.255 any
permit ip 192.168.69.0 0.0.0.255 any
permit ip 192.168.68.0 0.0.0.255 any
permit ip 192.168.62.0 0.0.0.255 any
permit ip 192.168.61.0 0.0.0.255 any
ip access-list extended SPEEDY
permit ip 192.168.33.0 0.0.0.3 any
permit ip 192.168.61.0 0.0.0.255 any
permit ip host 192.168.6.51 any
ip access-list extended VPN
permit ip any 10.0.11.0 0.0.0.255
permit ip any 11.0.0.0 0.0.0.255
permit ip any any
ip access-list extended testaltros
permit ip any any
!
ip sla auto discovery
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet0/0/0
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.8.8.8 source-interface Dialer1
ip sla schedule 3 life forever start-time now
access-list 112 deny ip any 192.168.40.0 0.0.0.255
access-list 112 deny ip any 192.168.41.0 0.0.0.255
access-list 113 permit ip any any
!
route-map SLR permit 50
match ip address SCBD
set ip next-hop verify-availability 55.53.35.44 15 track 10
set ip next-hop 55.53.35.44
!
route-map SLR permit 60
match ip address MAXINDO
set ip next-hop verify-availability 44.44.44.22 12 track 20
set ip next-hop 44.44.44.22
!
route-map SLR permit 70
match ip address SPEEDY
set ip next-hop verify-availability 22.11.22.1 17 track 30
set ip next-hop 22.11.22.1
!
route-map ISP2 permit 10
match ip address INTERNET_ACCESS
match interface FastEthernet0/0/0
!
route-map ISP4 permit 10
match ip address INTERNET_ACCESS
match interface FastEthernet0/0/1
!
route-map ISP5 permit 10
match ip address INTERNET_ACCESS
match interface Dialer1
!
!
snmp-server community 14lkmpc RO
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^CCCCC
WARNING:
You are about to access a private network. All access is logged.
Unauthorized users will be prosecuted to the fullest extent of the law.
^C
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
!
webvpn context ANYCONNECT-CONTEXT
virtual-template 1
aaa authentication list ANYCONNECT-VPN-USER-LIST
gateway GW-1
max-users 50
!
ssl authenticate verify all
inservice
!
policy group ANYCONNECT-PG
functions svc-enabled
functions svc-required
svc address-pool "ANYCONNECT-POOL" netmask 255.255.255.0
svc dns-server primary 192.168.6.51
default-group-policy ANYCONNECT-PG
!
end
Thank You,
SA
02-21-2018 11:40 PM - edited 02-22-2018 09:52 AM
You have to edit your "INTERNET_ACCESS", SCBD, MAXINDO & SPEEDY (required) ACL as:
ip access-list extended INTERNET_ACCESS
10 deny ip 172.16.61.0 0.0.0.255 192.168.4.0 0.0.0.255
12 deny ip 172.16.61.0 0.0.0.255 192.168.41.0 0.0.0.255
14 deny ip 172.16.61.0 0.0.0.255 192.168.42.0 0.0.0.255
16 deny ip 172.16.62.0 0.0.0.255 192.168.4.0 0.0.0.255
18 deny ip 172.16.62.0 0.0.0.255 192.168.41.0 0.0.0.255
20 deny ip 172.16.62.0 0.0.0.255 192.168.42.0 0.0.0.255
22 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
24 deny ip 192.168.5.0 0.0.0.255 192.168.41.0 0.0.0.255
26 deny ip 192.168.5.0 0.0.0.255 192.168.42.0 0.0.0.255
28 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.6.0 0.0.0.255 192.168.41.0 0.0.0.255
32 deny ip 192.168.6.0 0.0.0.255 192.168.42.0 0.0.0.255
34 deny ip 192.168.40.0 0.0.0.255 192.168.4.0 0.0.0.255
36 deny ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
38 deny ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
40 deny ip 192.168.61.0 0.0.0.255 192.168.4.0 0.0.0.255
42 deny ip 192.168.61.0 0.0.0.255 192.168.41.0 0.0.0.255
44 deny ip 192.168.61.0 0.0.0.255 192.168.42.0 0.0.0.255
100 permit ip any any
Please add your required sources and destinations in the above format.
Regards,
Deepak Kumar
02-22-2018 02:59 AM
Thank you Deepak Kumar, this works for me.
But I configured it in the ISP provider ACLs (access lists SCBD, MAXINDO & SPEEDY), not in INTERNET_ACCESS.
Thank you very much.
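Why the fix in the two posts above works, as an added example that is not part of the original thread: a small model of first-match ACL evaluation and of policy routing on GigabitEthernet0/0, run over the SCBD, MAXINDO and SPEEDY entries and the route-map SLR next hops from the posted configuration. The function names, the two LAN host addresses, the reduced route list and the assumption that all three tracks are up are constructed for illustration.

```python
import ipaddress

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def _take(tok):                                      # one spec: 'any', 'host A' or 'A WILDCARD'
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_acl(lines):
    """Parse '[seq] permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        tok = line.split()
        tok = tok[1:] if tok[0].isdigit() else tok   # drop a sequence number
        src, rest = _take(tok[2:])
        dst, _ = _take(rest)
        entries.append((tok[0], src, dst))
    return entries

def _hit(spec, addr):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF                        # wildcard 1-bits are ignored
    return (_ip(addr) & care) == (base & care)

def acl_permits(entries, src, dst):
    for action, s, d in entries:                     # first match wins
        if _hit(s, src) and _hit(d, dst):
            return action == "permit"
    return False                                     # implicit deny

def forward(route_map, routes, src, dst):
    """Return (decided_by, next_hop) for a packet arriving on the PBR interface."""
    for entries, next_hop in route_map:              # clauses in sequence order
        if acl_permits(entries, src, dst):
            return "policy", next_hop                # routing table never consulted
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    best = max(hits, key=lambda h: h[0].prefixlen, default=None)
    return ("routing-table", best[1]) if best else ("drop", None)

# ACL entries and route-map next hops copied from the posted configuration.
ACLS = {
    "SCBD": [f"permit ip 192.168.{n}.0 0.0.0.255 any" for n in (63, 66, 69, 68, 62, 61)],
    "MAXINDO": ["permit ip 192.168.64.0 0.0.0.255 any", "permit ip host 192.168.6.239 any",
                "permit ip 192.168.41.0 0.0.0.255 any", "permit ip 192.168.33.0 0.0.0.3 any",
                "permit ip host 192.168.6.222 any", "permit ip 192.168.6.0 0.0.0.255 any"],
    "SPEEDY": ["permit ip 192.168.33.0 0.0.0.3 any", "permit ip 192.168.61.0 0.0.0.255 any",
               "permit ip host 192.168.6.51 any"],
}
CLAUSES = [("SCBD", "55.53.35.44"), ("MAXINDO", "44.44.44.22"), ("SPEEDY", "22.11.22.1")]
ROUTES = [("0.0.0.0/0", "44.44.44.22"), ("192.168.4.0/24", "192.168.33.2")]  # reduced list
FIX = ["deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255"]  # entry 28 of the posted answer

def slr(patched=()):
    # Route-map SLR; FIX is prepended to each ACL named in `patched` (assumed placement).
    return [(parse_acl((FIX if n in patched else []) + ACLS[n]), nh) for n, nh in CLAUSES]

if __name__ == "__main__":
    for src in ("192.168.6.10", "192.168.6.51"):     # constructed LAN hosts
        for patched in ((), ("MAXINDO",), ("MAXINDO", "SPEEDY")):
            print(src, patched, forward(slr(patched), ROUTES, src, "192.168.4.10"))
```

Host 192.168.6.51 is still policy-routed to the dialup next hop until the deny is also placed in SPEEDY, which is why the deny has to go into every ACL the route-map references.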
02-22-2018 09:53 AM
I am happy to know that it was helpful for you.
Regards,
Deepak Kumar
02-22-2018 07:11 PM
Hi Deepak Kumar,
Yesterday the GRE tunnel was running well,
but today it is down again.
The problem is that the public IP on the router internet (Cisco) can't be pinged from R2.
If I ping from R2, the ping is answered from the other public IP on the router internet.
This is the capture.
[surya@Surabaya-Router] > ping 44.44.44.23
SEQ HOST SIZE TTL TIME STATUS
0 55.53.35.45 56 248 22ms
1 55.53.35.45 56 248 20ms
2 55.53.35.45 56 248 18ms
3 55.53.35.45 56 248 20ms
4 55.53.35.45 56 248 19ms
sent=5 received=5 packet-loss=0% min-rtt=18ms avg-rtt=19ms max-rtt=2
I don't know why this happens, please advise.
Thanks,
SA
02-22-2018 10:47 PM - edited 02-22-2018 10:49 PM
Can you check the tunnel interface status?
and
check the status of FastEthernet0/0/0?
Regards,
Deepak Kumar
02-22-2018 11:15 PM
Hi Deepak Kumar,
This is the interface status.
BRJ-RTR-INET-01#sh ip int br
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 172.16.63.2 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
GigabitEthernet0/2 115.85.81.50 YES NVRAM administratively down down
FastEthernet0/0/0 44.44.44.23 YES manual up up
FastEthernet0/0/1 55.53.35.45 YES manual up up
Dialer1 22.11.22.2 YES IPCP up up
Loopback1 11.0.0.1 YES NVRAM up up
NVI0 172.16.63.2 YES unset up up
Tunnel0 192.168.33.1 YES manual up up
Tunnel2 192.168.34.1 YES manual up up
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 10.0.11.1 YES NVRAM up up
Virtual-Access3 unassigned YES unset up up
Virtual-Access4 unassigned YES unset up up
Virtual-Template1 10.0.11.1 YES NVRAM down down
Virtual-Template2 11.0.0.1 YES unset down down
BRJ-RTR-INET-01#sh int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.33.1/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source fastethernet 0/0/0, destination 10.10.10.44
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 23:16:47
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 158
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
35466 packets input, 3243745 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
39004 packets output, 3384079 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Thanks,
SA
02-23-2018 12:03 AM - edited 02-23-2018 12:04 AM
Hi,
I checked the logs and found that there is no traffic on the tunnel
"5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec"
Can you check the
Tracert <destination IP>
from one of your client machines,
and the IP SLA status.
Regards,
Deepak Kumar
02-23-2018 12:30 AM
Hi,
That's right, the GRE tunnel is down, because the source IP can't be pinged from the other router.
If I ping the tunnel source from the external router, like this:
[surya@Surabaya-Router] > ping 44.44.44.23
SEQ HOST SIZE TTL TIME STATUS
0 55.53.35.45 56 248 22ms
1 55.53.35.45 56 248 20ms
2 55.53.35.45 56 248 18ms
3 55.53.35.45 56 248 20ms
4 55.53.35.45 56 248 19ms
sent=5 received=5 packet-loss=0% min-rtt=18ms avg-rtt=19ms max-rtt=2
The reply comes from a different public IP.
This is what you requested, the IP SLA status.
BRJ-RTR-INET-01#sh ip sla sum
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
ID Type Destination Stats Return Last
(ms) Code Run
-----------------------------------------------------------------------
*1 icmp-echo 8.8.8.8 RTT=20 OK 22 seconds ago
*2 icmp-echo 8.8.8.8 RTT=92 OK 21 seconds ago
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Latest RTT: 16 milliseconds
Latest operation start time: 15:01:27 UTC Fri Feb 23 2018
Latest operation return code: OK
Number of successes: 32
Number of failures: 3
Operation time to live: Forever
IPSLA operation id: 2
Latest RTT: 20 milliseconds
Latest operation start time: 15:01:28 UTC Fri Feb 23 2018
Latest operation return code: OK
Number of successes: 35
Number of failures: 0
Operation time to live: Forever
Thanks,
SA
02-24-2018 03:27 AM
I can see that the tunnel interface is up
BRJ-RTR-INET-01#sh int tun0
Tunnel0 is up, line protocol is up
But you mentioned that there is a reply from another interface of the remote device.
Can you verify whether any routing changes have been made on your side or the remote side?
And what is the tunnel status at the remote location?
Regards,
Deepak Kumar