Tunnel is down

shafhuss
Level 1

Hi All,

I have two service providers terminating on the same ISR router. We have an IPsec site-to-site VPN tunnel working via ISP Provider-A, but when we switch to ISP Provider-B, the tunnel does not come up.

Note: We need to shut GigabitEthernet0/0 and "no shut" FastEthernet0/0/1.

Can someone help with what needs to be done here? Here is the config.

! Phase 1 (IKEv1) policy and pre-shared keys
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key temp!@$%drI4n! address z.z.z.z
crypto isakmp key temp@d!789%2016 address 10.11.23.30
crypto isakmp keepalive 10
!
! Phase 2 transform sets
crypto ipsec transform-set NI-VPN esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set GREIPSEC esp-3des esp-sha-hmac
 mode transport
!
! GRE-over-IPsec map, sourced from Loopback20
crypto map GREoIPSEC local-address Loopback20
crypto map GREoIPSEC 1 ipsec-isakmp
 description **** DRNI-to IND-BLR-MPLS ****
 set peer 10.11.23.30
 set transform-set GREIPSEC
 match address NI-BLR-GRE
!
! Site-to-site map; no local-address, so IKE is sourced from whichever
! WAN interface the route to the peer currently uses
crypto map NI-BSH-VPN 20 ipsec-isakmp
 description **** NI-IND to NI_DR_VPN ****
 set peer a.b.c.d
 set transform-set NI-VPN
 match address NI-BLR-DR
 reverse-route
!
! Provider-B (Reliance) link, currently shut
interface FastEthernet0/0/1
 description ** Reliance-NEW-VPN**
 ip address y.y.y.y 255.255.255.252
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly in
 shutdown
 duplex full
 speed 100
 no mop enabled
 crypto map NI-BSH-VPN
!
! Provider-A (Airtel) link, currently active; same crypto map applied
interface GigabitEthernet0/0
 description *** Airtel-50Mbps-LL_Internet link***
 bandwidth 51200
 ip address x.x.x.x 255.255.255.252
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex full
 speed 100
 no mop enabled
 crypto map NI-BSH-VPN
!
! Interesting traffic for the NI-BSH-VPN map
ip access-list extended NI-BLR-DR
 permit ip 172.24.0.0 0.0.0.255 host 10.129.200.16
 permit ip 172.24.0.0 0.0.0.255 host 10.229.200.16
 permit ip 172.24.11.0 0.0.0.255 10.129.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 10.119.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 10.130.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 10.228.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 10.229.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 10.128.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 10.190.0.0 0.0.255.255
 permit ip 172.24.11.0 0.0.0.255 10.99.4.0 0.0.0.255
 permit ip 172.24.11.0 0.0.0.255 10.123.19.0 0.0.0.255
 permit ip 172.24.11.0 0.0.0.255 host 10.70.71.8
 permit ip 172.24.11.0 0.0.0.255 host 10.70.72.8


8 Replies

Philip D'Ath
VIP Alumni

Is the remote end of the VPN configured to support both of your public IP addresses?

I assume you can get to the Internet when either circuit is up (to verify the routing is correct).

PS: No one should be using 3DES in new deployments. Use AES instead.
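Philip's 3DES point, as an added example that is not part of the original post or the accepted solution: the posted Phase 1 policy and both transform sets rewritten with AES-256, SHA-256 and DH group 14, on an IOS release that supports those options. Policy numbers, set names, map name and peer placeholders are carried over from the posted config; "<new-psk>" is a placeholder, included because the pre-shared keys appeared in the thread and would be rotated on both ends.

```cisco
! Added example (not the poster's config): AES/SHA-256 replacements for the
! 3DES policy and transform sets shown in the thread.
!
! Lower policy number = higher IKEv1 priority, so the AES policy is offered
! first; the old 3DES policy is kept at 20 only while the far end migrates
! and is removed afterwards.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
! Rotate the keys that were posted; <new-psk> is a placeholder, same value
! must be set on the peer.
crypto isakmp key <new-psk> address z.z.z.z
crypto isakmp key <new-psk> address 10.11.23.30
!
! Re-entering a transform-set with new transforms replaces its contents.
crypto ipsec transform-set NI-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set GREIPSEC esp-aes 256 esp-sha256-hmac
 mode transport
!
! Phase 2 PFS so each IPsec SA rekey gets fresh DH key material.
crypto map NI-BSH-VPN 20 ipsec-isakmp
 set pfs group14
!
! Verify what was actually negotiated once the tunnel re-forms:
! show crypto isakmp sa
! show crypto ipsec sa | include peer|transform
```

Both ends must be changed together; with only one side offering AES, IKEv1 falls back to the 3DES policy at 20 until that policy is removed, which is the cue to delete it.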

Hi Philip,

Thank you for looking into it.

When the Airtel link (currently active) is up, we are able to ping the remote peer, but when the new link is brought up, we are unable to ping the remote peer.

Have you got your default route correctly configured for both links? Perhaps you only have a default route configured for your primary link.

When we shut the currently active link, we also change the default route to the gateway of the new link.

If you can ping the remote peer via one circuit and not the other, then this suggests some kind of basic routing issue (perhaps even a NAT configuration issue).

Yes, I understood that; that change will also happen when the current link is shut.

If ping is not working, then it sounds like the change being made is not correct.

Either that, or the remote end is using a firewall and only allowing traffic from your primary IP address.

It was observed that the default route was tracked by the IP SLA feature. After restarting the IP SLA with respect to the Reliance PE, we were able to ping the peer IP and the tunnel also came up.
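The accepted solution names IP SLA tracking of the default route as the cause. As an added example, not part of the original post or the accepted solution, here is a tracked dual-default-route layout for the two links in the posted config, together with the commands to check before touching either interface. The ISP next hops A.A.A.A (Airtel) and B.B.B.B (Reliance), the probe target P.P.P.P, the track and SLA numbers, and the timers are all assumptions; the interface names and the peer a.b.c.d come from the posted config.

```cisco
! Added example (not the poster's config): IP SLA-tracked default routes for
! the two WAN links. A.A.A.A / B.B.B.B are the assumed ISP next hops and
! P.P.P.P an assumed address beyond the Airtel PE that answers ICMP.
!
! Probe out of the Airtel link every 5 s.
ip sla 1
 icmp-echo P.P.P.P source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Damp the track so one lost probe does not flap the default route, and with
! it the source address IKE uses for peer a.b.c.d.
track 1 ip sla 1 reachability
 delay down 10 up 15
!
! Primary default via Airtel is installed only while track 1 is up; the
! floating default via Reliance (AD 10) takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 A.A.A.A track 1
ip route 0.0.0.0 0.0.0.0 B.B.B.B 10
!
! Pin the probe target to the Airtel next hop, otherwise once the floating
! route is active the probe succeeds via Reliance and keeps track 1 up.
ip route P.P.P.P 255.255.255.255 A.A.A.A
!
! Checks to run before and after a failover (assumed commands, output not
! from the thread):
! show track 1                      - state and the route it controls
! show ip sla statistics 1          - whether the probe is running at all
! show ip route 0.0.0.0 0.0.0.0     - which default is actually installed
! ping a.b.c.d source FastEthernet0/0/1
! show crypto isakmp sa
```

Two points follow from the posted config. First, because crypto map NI-BSH-VPN has no `local-address`, the IKE source flips between x.x.x.x and y.y.y.y with the default route, so the remote end has to accept both (Philip's first question). Second, if `show track 1` is down while Gi0/0 is up, the tracked default is absent and no amount of shutting interfaces brings it back; the probe itself is what needs attention, which matches the accepted solution.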