12-29-2011 05:55 AM
Hi,
I am not able to establish a site-to-site VPN connection between two sites after changing the public IP address on the branch site. Crypto SAs look good, the tunnel interface is active but the line protocol is down... there is the following error message on the branch site:
Dec 29 12:47:35 MET: ISAKMP:(2003):deleting node 1396186673 error TRUE reason "Delete Larval"
Dec 29 12:48:05 MET: ISAKMP:(2003):deleting node -1149531051 error TRUE reason "Delete Larval"
Dec 29 12:48:35 MET: ISAKMP:(2003):deleting node 1647296849 error TRUE reason "Delete Larval"
Dec 29 12:49:05 MET: ISAKMP:(2003):deleting node 1114325891 error TRUE reason "Delete Larval"
Dec 29 12:49:35 MET: ISAKMP:(2003):deleting node -1535729729 error TRUE reason "Delete Larval"
Dec 29 12:50:05 MET: ISAKMP:(2003):deleting node 1142891065 error TRUE reason "Delete Larval"
Dec 29 12:50:35 MET: ISAKMP:(2003):deleting node 1703027277 error TRUE reason "Delete Larval"
Dec 29 12:51:05 MET: ISAKMP:(2003):deleting node -535712939 error TRUE reason "Delete Larval"
Dec 29 12:51:35 MET: ISAKMP:(2003):deleting node 1414802417 error TRUE reason "Delete Larval"
Dec 29 12:52:05 MET: ISAKMP:(2003):deleting node 1940442053 error TRUE reason "Delete Larval"
Dec 29 12:52:35 MET: ISAKMP:(2003):deleting node 988611046 error TRUE reason "Delete Larval"
Dec 29 12:53:05 MET: ISAKMP:(2003):deleting node 571385005 error TRUE reason "Delete Larval"
Dec 29 12:53:35 MET: ISAKMP:(2003):deleting node 810980292 error TRUE reason "Delete Larval"
Dec 29 12:54:05 MET: ISAKMP:(2003):deleting node -798944626 error TRUE reason "Delete Larval"
Dec 29 12:54:35 MET: ISAKMP:(2003):deleting node -514930397 error TRUE reason "Delete Larval"
Dec 29 12:55:05 MET: ISAKMP:(2003):deleting node -38915392 error TRUE reason "Delete Larval"
Dec 29 12:55:35 MET: ISAKMP:(2003):deleting node -78518872 error TRUE reason "Delete Larval"
Dec 29 12:56:05 MET: ISAKMP:(2003):deleting node 1668883300 error TRUE reason "Delete Larval"
Dec 29 12:56:35 MET: ISAKMP:(2003):deleting node 1035497047 error TRUE reason "Delete Larval"
Dec 29 12:57:05 MET: ISAKMP:(2003):deleting node -1790912842 error TRUE reason "Delete Larval"
Dec 29 12:57:35 MET: ISAKMP:(2003):deleting node 2117118457 error TRUE reason "Delete Larval"
Dec 29 12:58:05 MET: ISAKMP:(2003):deleting node 509206319 error TRUE reason "Delete Larval"
Dec 29 12:58:35 MET: ISAKMP:(2003):deleting node -1585880397 error TRUE reason "Delete Larval"
Dec 29 12:59:05 MET: ISAKMP:(2003):deleting node -400366210 error TRUE reason "Delete Larval"
thank you in advance for your help
regards daniel
12-29-2011 06:55 AM
Daniel,
Is that VTI or GRE interface?
VTI tunnels will remain down if negotiation didn't go through or, in other words, there is no active SPI.
GRE will go down for different reasons.
Which one is it?
M.
12-29-2011 07:00 AM
Hi,
good question - the interface is virtual, but we also use GRE encapsulation based on an ACL. ?!? :/
thank you in advance
Daniel
12-29-2011 07:21 AM
Daniel,
A GRE tunnel goes down when the underlying source interface is down, when recursive routing is detected or due to GRE keepalives (possibly others I can't remember now).
show me the config
show run | s Tunnel|crypto
M.
12-29-2011 10:37 AM
cwrit01#sh run | sec Tunnel|crypto
crypto pki trustpoint subcapublic
enrollment retry count 100
enrollment mode ra
enrollment url http://server.company.com:80/cgi-bin/scep
serial-number none
ip-address none
crl query ldap://server.company.com
revocation-check none
auto-enroll 90 regenerate
crypto pki certificate chain subcapublic
certificate 06085D02DA9F20EA3AFE
certificate ca 1DFFE6C7000000000027
quit
crypto isakmp policy 10
encr 3des
group 2
lifetime 3600
crypto isakmp keepalive 60 5
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
description active
set peer xxx.xxx.xxx.xxx
set transform-set esp-3des-md5
set pfs group2
match address 110
crypto map VPN 11 ipsec-isakmp
description standby
set peer xxx.xxx.xxx.xxx
set transform-set esp-3des-md5
set pfs group2
match address 111
interface Tunnel0
description active
bandwidth 2048
ip address xxx.xxx.xxx.xxx 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip nbar protocol-discovery
ip tcp adjust-mss 1260
ip ospf cost 100
qos pre-classify
keepalive 5 2
tunnel source FastEthernet0
tunnel destination xxx.xxx.xxx.xxx
max-reserved-bandwidth 90
interface Tunnel1
description standby
bandwidth 2048
ip address xxx.xxx.xxx.xxx 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip nbar protocol-discovery
ip tcp adjust-mss 1260
ip ospf cost 101
qos pre-classify
keepalive 5 2
tunnel source FastEthernet0
tunnel destination xxx.xxx.xxx.xxx
max-reserved-bandwidth 90
interface Tunnel2
description private
bandwidth 100000
ip address xxx.xxx.xxx.xxx 255.255.255.252
no ip proxy-arp
ip ospf cost 150
tunnel source Vlan1
tunnel destination xxx.xxx.xxx.xxx
interface FastEthernet0
crypto map VPN
12-29-2011 01:57 PM
There we go... (tunnel) keepalives are failing because IPsec is not up - so the tunnel will remain up/down.
Have a look at my doc from last year:
https://supportforums.cisco.com/docs/DOC-18522
You can base debugs and match them to your scenario ;-)
12-30-2011 12:24 AM
Hi Marcin,
Thank you a lot. So in my opinion the error message is the following, but I don't know what the reason could be?!?
Dec 30 09:09:56 MET: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=82F7AD52
Dec 30 09:09:56 MET: IPSEC(early_age_out_sibling): sibling outbound SPI DDD9A7CE expiring in 30 seconds due to it's a duplicate SA bundle.
Dec 30 09:09:56 MET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 30 09:09:56 MET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 30 09:09:56 MET: IPSEC(key_engine_enable_outbound): enable SA with spi 2215657230/50
Dec 30 09:09:56 MET: IPSEC(update_current_outbound_sa): updated peer 217.65.25.225 current outbound sa to SPI 84103F0E
Dec 30 09:10:06 MET: IPSEC(delete_sa): deleting SA,
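The "Delete Larval" loop in the first post and the "duplicated fresh SA bundle" lines above are the two message shapes a practitioner greps for in `debug crypto isakmp` / `debug crypto ipsec` output. The Python below is an added example, not code from this thread or from Cisco: it parses IOS debug timestamps (including the millisecond form without a timezone that appears in the DMVPN hub debug later in the thread), groups larval deletions per ISAKMP SA to show they repeat on a fixed cadence, and pairs each aged-out duplicate bundle with the sibling SPI IOS expires. The sample lines are constructed after the ones posted; the peer address 192.0.2.1 and the exact timing are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# IOS debug line: "Mon DD HH:MM:SS[.mmm][ TZ]: message". The timezone is
# optional because the DMVPN hub debug in this thread has milliseconds and no zone.
TS_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: \S+)?: (?P<msg>.*)$')
# Quick mode was started but never completed, so IOS tears the half-built
# ("larval") IPsec SA down again.
LARVAL_RE = re.compile(
    r'ISAKMP:\((?P<sa>\d+)\):deleting node (?P<node>-?\d+) error TRUE reason "Delete Larval"')
# Two fresh SA bundles exist for the same proxies and peer; IOS keeps one and ages the other out.
DUP_RE = re.compile(
    r'IPSEC\(check_delete_duplicate_sa_bundle\): found duplicated fresh SA bundle, '
    r'aging it out\. min_spi=(?P<spi>[0-9A-Fa-f]+)')
AGE_RE = re.compile(
    r'IPSEC\(early_age_out_sibling\): sibling outbound SPI (?P<spi>[0-9A-Fa-f]+) '
    r'expiring in (?P<secs>\d+) seconds')

# Constructed sample in the shape of the debugs quoted in this thread
# (peer address and timing invented for the example).
SAMPLE = """\
Dec 29 12:47:35 MET: ISAKMP:(2003):deleting node 1396186673 error TRUE reason "Delete Larval"
Dec 29 12:48:05 MET: ISAKMP:(2003):deleting node -1149531051 error TRUE reason "Delete Larval"
Dec 29 12:48:35 MET: ISAKMP:(2003):deleting node 1647296849 error TRUE reason "Delete Larval"
Dec 30 09:09:56 MET: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=82F7AD52
Dec 30 09:09:56 MET: IPSEC(early_age_out_sibling): sibling outbound SPI DDD9A7CE expiring in 30 seconds due to it's a duplicate SA bundle.
Dec 30 09:09:56 MET: IPSEC(update_current_outbound_sa): updated peer 192.0.2.1 current outbound sa to SPI 84103F0E
Dec 30 09:10:06 MET: IPSEC(delete_sa): deleting SA,
Dec 19 09:10:57.862: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=4F5EC18
Dec 19 09:10:57.862: IPSEC(early_age_out_sibling): sibling outbound SPI 4F5EC18 expiring in 30 seconds
"""


def parse(text):
    """Yield (timestamp, message) for every line that carries an IOS debug timestamp."""
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            yield datetime.strptime(m['ts'], '%b %d %H:%M:%S'), m['msg']


def larval_loops(text, min_hits=3):
    """Group "Delete Larval" deletions by ISAKMP SA id; report SAs that keep
    deleting larval IPsec SAs, with the count and the median spacing in seconds."""
    hits = defaultdict(list)
    for ts, msg in parse(text):
        m = LARVAL_RE.search(msg)
        if m:
            hits[m['sa']].append(ts)
    report = {}
    for sa, stamps in hits.items():
        if len(stamps) >= min_hits:
            gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
            report[sa] = {'count': len(stamps), 'median_gap_s': gaps[len(gaps) // 2]}
    return report


def duplicate_bundles(text):
    """Pair each duplicate-bundle event with the sibling SPI IOS schedules to expire."""
    found, pending = [], None
    for ts, msg in parse(text):
        m = DUP_RE.search(msg)
        if m:
            pending = {'time': ts, 'min_spi': m['spi'].upper(),
                       'aged_out_spi': None, 'expires_in_s': None}
            found.append(pending)
            continue
        m = AGE_RE.search(msg)
        if m and pending is not None:
            pending['aged_out_spi'] = m['spi'].upper()
            pending['expires_in_s'] = int(m['secs'])
            pending = None
    return found


def diagnose(text):
    """Human-readable findings for a captured debug log."""
    findings = []
    for sa, info in sorted(larval_loops(text).items()):
        findings.append(
            f"ISAKMP SA {sa}: {info['count']} larval IPsec SAs deleted, one every "
            f"~{info['median_gap_s']:.0f} s; phase 2 is attempted but never completes, "
            "so GRE keepalives over the crypto map keep failing (tunnel up/down)")
    for d in duplicate_bundles(text):
        findings.append(
            f"{d['time']:%b %d %H:%M:%S}: duplicate fresh SA bundle (min_spi={d['min_spi']}), "
            f"outbound SPI {d['aged_out_spi']} aged out in {d['expires_in_s']} s; two phase-2 "
            "negotiations for the same proxies overlapped (a symptom, not the root cause)")
    return findings


if __name__ == '__main__':
    for line in diagnose(SAMPLE):
        print(line)
```

Feed it a saved `debug crypto isakmp` / `debug crypto ipsec` capture from both peers. A steady larval-deletion cadence on one ISAKMP SA tells you phase 2 is being re-attempted and torn down, not why; the duplicate-bundle finding is likewise only the symptom, which is why the thread ends up clearing the stale crypto session on the headquarters router after the branch address change.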
12-30-2011 01:05 AM
Daniel,
Good catch, it gives us the symptom but not the root cause.
Could be a variety of things, ranging from a mem leak to concurrent phase 2 negotiations.
What are the IOS versions on both ends, and would you consider running tunnel protection instead of crypto maps (note that tunnel keepalives are not supported with tunnel protection)?
M.
12-30-2011 02:53 AM
Branch Site: IOS Version 12.4(15)T10 (I changed that software during my first steps working on that problem)
HQ Site: IOS 12.4(17a)
Now I did a downgrade to IOS version 12.4(15)XY3. After that I configured 'GRE Tunnel Protection'. Using that configuration change from (in my opinion) 'IPSec over GRE' to 'GRE Tunnel Protection' my connection is working fine!!! But why? What are the differences? What are the right labels for these different technologies, and is there a document that describes the advantages/disadvantages?
crypto ipsec profile TEST <-- new
set transform-set esp-3des-md5 <-- new
interface tunnel 0
tunnel mode ipsec ipv4 <-- new
tunnel protection ipsec profile TEST <-- new
keepalive 5 2
interface
crypto map VPN
Thank you a lot in advance
regards Daniel
01-02-2012 04:25 AM
Hey,
now it is working, there was no configuration error - finally I 'only' cleared the crypto session for the branch router on the backbone router (headquarters).
thank you very much for your assistance
kind regards daniel
12-20-2012 12:43 AM
I've received similar debug output on the hub router during installation of a DMVPN:
Dec 19 09:10:57.862: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 19 09:10:57.862: Crypto mapdb : proxy_match
src addr : xxx.xxx.xxx.xxx
dst addr : zzz.zzz.zzz.zzz
protocol : 47
src port : 0
dst port : 0
Dec 19 09:10:57.862: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer zzz.zzz.zzz.zzz
Dec 19 09:10:57.862: IPSEC(create_sa): sa created,
(sa) sa_dest= xxx.xxx.xxx.xxx, sa_proto= 50,
sa_spi= 0x7ED0C8EC(2127612140),
sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 3031
Dec 19 09:10:57.862: IPSEC(create_sa): sa created,
(sa) sa_dest= zzz.zzz.zzz.zzz, sa_proto= 50,
sa_spi= 0x4F5EC18(83225624),
sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 3455
Dec 19 09:10:57.862: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=4F5EC18
Dec 19 09:10:57.862: IPSEC(early_age_out_sibling): sibling outbound SPI 4F5EC18 expiring in 30 seconds
Dec 19 09:10:57.898: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 19 09:10:57.898: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 19 09:10:57.898: IPSEC(key_engine_enable_outbound): enable SA with spi 83225624/50
Spoke config:
AZS-10-17#sh run | s crypto|Tunnel
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 1200
crypto isakmp key LukoilSnT address xxx.xxx.xxx.xxx
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set DMVPN esp-aes esp-md5-hmac
mode transport require
crypto ipsec profile DMVPN-prof
set transform-set DMVPN
no crypto engine onboard 0
interface Tunnel200
description === DMVPN Kiev headquarter ===
ip address 192.168.200.167 255.255.255.0
no ip redirects
ip mtu 1300
ip nhrp authentication Lukoil32
ip nhrp map multicast xxx.xxx.xxx.xxx
ip nhrp map 192.168.200.2 xxx.xxx.xxx.xxx
ip nhrp network-id 100111
ip nhrp holdtime 360
ip nhrp nhs 192.168.200.2
ip nhrp registration no-unique
ip tcp adjust-mss 1260
ip ospf network broadcast
ip ospf cost 1100
ip ospf priority 0
ip ospf mtu-ignore
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 100222
tunnel protection ipsec profile DMVPN-prof
Interface Tunnel200 on the spoke is in the up/up state, but NHRP negotiation and OSPF neighbourship are not active:
AZS-10-17#sh dmvpn
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 xxx.xxx.xxx.xxx 192.168.200.2 NHRP never S
The spoke is a Cisco 881 router with IOS 12.4(20)T3.
Such a config with the same IOS is working correctly on a lot of other spokes. What could the problem be with this one?
12-25-2012 02:56 AM
Nobody has ideas?