tunnel - line protocol not active

danielscharf
Level 1

Hi,

I am not able to establish a site-to-site VPN connection between two sites after changing the public IP address on the branch site. Crypto SAs look good, the tunnel interface is active but the line protocol is down... there is the following error message on the branch site:

Dec 29 12:47:35 MET: ISAKMP:(2003):deleting node 1396186673 error TRUE reason "Delete Larval"
Dec 29 12:48:05 MET: ISAKMP:(2003):deleting node -1149531051 error TRUE reason "Delete Larval"
Dec 29 12:48:35 MET: ISAKMP:(2003):deleting node 1647296849 error TRUE reason "Delete Larval"
Dec 29 12:49:05 MET: ISAKMP:(2003):deleting node 1114325891 error TRUE reason "Delete Larval"
Dec 29 12:49:35 MET: ISAKMP:(2003):deleting node -1535729729 error TRUE reason "Delete Larval"
Dec 29 12:50:05 MET: ISAKMP:(2003):deleting node 1142891065 error TRUE reason "Delete Larval"
Dec 29 12:50:35 MET: ISAKMP:(2003):deleting node 1703027277 error TRUE reason "Delete Larval"
Dec 29 12:51:05 MET: ISAKMP:(2003):deleting node -535712939 error TRUE reason "Delete Larval"
Dec 29 12:51:35 MET: ISAKMP:(2003):deleting node 1414802417 error TRUE reason "Delete Larval"
Dec 29 12:52:05 MET: ISAKMP:(2003):deleting node 1940442053 error TRUE reason "Delete Larval"
Dec 29 12:52:35 MET: ISAKMP:(2003):deleting node 988611046 error TRUE reason "Delete Larval"
Dec 29 12:53:05 MET: ISAKMP:(2003):deleting node 571385005 error TRUE reason "Delete Larval"
Dec 29 12:53:35 MET: ISAKMP:(2003):deleting node 810980292 error TRUE reason "Delete Larval"
Dec 29 12:54:05 MET: ISAKMP:(2003):deleting node -798944626 error TRUE reason "Delete Larval"
Dec 29 12:54:35 MET: ISAKMP:(2003):deleting node -514930397 error TRUE reason "Delete Larval"
Dec 29 12:55:05 MET: ISAKMP:(2003):deleting node -38915392 error TRUE reason "Delete Larval"
Dec 29 12:55:35 MET: ISAKMP:(2003):deleting node -78518872 error TRUE reason "Delete Larval"
Dec 29 12:56:05 MET: ISAKMP:(2003):deleting node 1668883300 error TRUE reason "Delete Larval"
Dec 29 12:56:35 MET: ISAKMP:(2003):deleting node 1035497047 error TRUE reason "Delete Larval"
Dec 29 12:57:05 MET: ISAKMP:(2003):deleting node -1790912842 error TRUE reason "Delete Larval"
Dec 29 12:57:35 MET: ISAKMP:(2003):deleting node 2117118457 error TRUE reason "Delete Larval"
Dec 29 12:58:05 MET: ISAKMP:(2003):deleting node 509206319 error TRUE reason "Delete Larval"
Dec 29 12:58:35 MET: ISAKMP:(2003):deleting node -1585880397 error TRUE reason "Delete Larval"
Dec 29 12:59:05 MET: ISAKMP:(2003):deleting node -400366210 error TRUE reason "Delete Larval"

thank you in advance for your help

regards daniel

11 Replies

Marcin Latosiewicz
Cisco Employee

Daniel,

Is that VTI or GRE interface?

VTI tunnels will remain down if negotiation didn't go through, or in other words there is no active SPI.

GRE will go down for different reasons.

Which one is it?

M.

Hi,

good question - the interface is virtual but we also use GRE encapsulation based on ACL. ?!? :/

thank you in advance

Daniel

Daniel,

A GRE tunnel goes down when the underlying source interface is down, when recursive routing is detected or due to GRE keepalives (possibly others I can't remember now).

show me the config

show run | s Tunnel|crypto

M.

cwrit01#sh run | sec Tunnel|crypto
crypto pki trustpoint subcapublic
 enrollment retry count 100
 enrollment mode ra
 enrollment url http://server.company.com:80/cgi-bin/scep
 serial-number none
 ip-address none
 crl query ldap://server.company.com
 revocation-check none
 auto-enroll 90 regenerate
crypto pki certificate chain subcapublic
 certificate 06085D02DA9F20EA3AFE
 certificate ca 1DFFE6C7000000000027
        quit
crypto isakmp policy 10
 encr 3des
 group 2
 lifetime 3600
crypto isakmp keepalive 60 5
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 description active
 set peer xxx.xxx.xxx.xxx
 set transform-set esp-3des-md5
 set pfs group2
 match address 110
crypto map VPN 11 ipsec-isakmp
 description standby
 set peer xxx.xxx.xxx.xxx
 set transform-set esp-3des-md5
 set pfs group2
 match address 111
interface Tunnel0
 description active
 bandwidth 2048
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip proxy-arp
 ip mtu 1400
 ip nbar protocol-discovery
 ip tcp adjust-mss 1260
 ip ospf cost 100
 qos pre-classify
 keepalive 5 2
 tunnel source FastEthernet0
 tunnel destination xxx.xxx.xxx.xxx
 max-reserved-bandwidth 90
interface Tunnel1
 description standby
 bandwidth 2048
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip proxy-arp
 ip mtu 1400
 ip nbar protocol-discovery
 ip tcp adjust-mss 1260
 ip ospf cost 101
 qos pre-classify
 keepalive 5 2
 tunnel source FastEthernet0
 tunnel destination xxx.xxx.xxx.xxx
 max-reserved-bandwidth 90
interface Tunnel2
 description private
 bandwidth 100000
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip proxy-arp
 ip ospf cost 150
 tunnel source Vlan1
 tunnel destination xxx.xxx.xxx.xxx
interface FastEthernet0
 crypto map VPN

There we go... (tunnel) keepalives are failing because IPsec is not up - so the tunnel will remain up/down.

Have a look at my doc from last year:

https://supportforums.cisco.com/docs/DOC-18522

You can base debugs and match them to your scenario ;-)

Hi Marcin,

Thank you a lot. So in my opinion the error message is the following, but I don't know what the reason could be:

Dec 30 09:09:56 MET: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=82F7AD52
Dec 30 09:09:56 MET: IPSEC(early_age_out_sibling): sibling outbound SPI DDD9A7CE expiring in 30 seconds due to it's a duplicate SA bundle.
Dec 30 09:09:56 MET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 30 09:09:56 MET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 30 09:09:56 MET: IPSEC(key_engine_enable_outbound): enable SA with spi 2215657230/50
Dec 30 09:09:56 MET: IPSEC(update_current_outbound_sa): updated peer 217.65.25.225 current outbound sa to SPI 84103F0E
Dec 30 09:10:06 MET: IPSEC(delete_sa): deleting SA,
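An added triage script, not from this thread and not Cisco code, that pulls the two symptoms seen here out of `debug crypto isakmp` / `debug crypto ipsec` output: the 30-second "Delete Larval" loop from the first post, and the "found duplicated fresh SA bundle" / `early_age_out_sibling` pair quoted above (the same pair shows up again in the DMVPN hub debug later in the thread, in the timestamp format without a timezone token, which the parser also accepts). The sample lines are constructed after the thread's output with a documentation-range peer address; the default of three larval deletions before reporting a loop is an assumption.

```python
"""Added example (not Cisco code): triage IOS crypto debug output for the two
symptoms discussed in this thread."""
import re
from datetime import datetime

# Constructed sample, modelled on the thread's output; the peer address is from
# the 198.51.100.0/24 documentation range.
SAMPLE_DEBUG = """\
Dec 29 12:47:35 MET: ISAKMP:(2003):deleting node 1396186673 error TRUE reason "Delete Larval"
Dec 29 12:48:05 MET: ISAKMP:(2003):deleting node -1149531051 error TRUE reason "Delete Larval"
Dec 29 12:48:35 MET: ISAKMP:(2003):deleting node 1647296849 error TRUE reason "Delete Larval"
Dec 30 09:09:56 MET: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=82F7AD52
Dec 30 09:09:56 MET: IPSEC(early_age_out_sibling): sibling outbound SPI DDD9A7CE expiring in 30 seconds due to it's a duplicate SA bundle.
Dec 30 09:09:56 MET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 30 09:09:56 MET: IPSEC(update_current_outbound_sa): updated peer 198.51.100.1 current outbound sa to SPI 84103F0E
Dec 19 09:10:57.862: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=4F5EC18
Dec 19 09:10:57.862: IPSEC(early_age_out_sibling): sibling outbound SPI 4F5EC18 expiring in 30 seconds
"""

# Timestamp with optional milliseconds and optional timezone token, covering both
# formats in the thread ("12:47:35 MET:" and "09:10:57.862:").
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: \w+)?: (?P<msg>.*)$")
LARVAL_RE = re.compile(r'ISAKMP:\((?P<sa>\d+)\):deleting node (?P<node>-?\d+) error TRUE reason "Delete Larval"')
DUP_RE = re.compile(r"IPSEC\(check_delete_duplicate_sa_bundle\): found duplicated fresh SA bundle, aging it out\. min_spi=(?P<spi>[0-9A-Fa-f]+)")
AGEOUT_RE = re.compile(r"IPSEC\(early_age_out_sibling\): sibling outbound SPI (?P<spi>[0-9A-Fa-f]+) expiring in (?P<secs>\d+) seconds")


def parse_debug(text):
    """Yield (timestamp, message) for each timestamped line; other lines are skipped.
    Debug output carries no year, so strptime defaults to 1900; only deltas are used."""
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            stamp = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
            yield stamp, m["msg"]


def triage(text, larval_min=3):
    """Return 'Delete Larval' loops per ISAKMP SA id and duplicate-SA-bundle events."""
    larval, bundles, open_bundle = {}, [], None
    for stamp, msg in parse_debug(text):
        if m := LARVAL_RE.search(msg):
            larval.setdefault(m["sa"], []).append(stamp)
        elif m := DUP_RE.search(msg):
            # The age-out line for this bundle follows immediately in IOS output.
            open_bundle = {"min_spi": m["spi"].upper(), "aged_out_spi": None, "expires_in_s": None}
            bundles.append(open_bundle)
        elif (m := AGEOUT_RE.search(msg)) and open_bundle is not None:
            open_bundle["aged_out_spi"] = m["spi"].upper()
            open_bundle["expires_in_s"] = int(m["secs"])
            open_bundle = None
    loops = {}
    for sa, stamps in larval.items():
        if len(stamps) < larval_min:
            continue
        gaps = sorted(int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:]))
        loops[sa] = {"count": len(stamps), "typical_gap_s": gaps[len(gaps) // 2]}
    return {"larval_loops": loops, "duplicate_bundles": bundles}


def explain(result):
    """Render the findings as ticket-ready sentences."""
    lines = []
    for sa, info in result["larval_loops"].items():
        lines.append(
            f"ISAKMP SA {sa}: {info['count']} 'Delete Larval' deletions about every "
            f"{info['typical_gap_s']}s; phase 2 SAs are started and dropped before they "
            "complete, so GRE keepalives over this crypto map keep the tunnel up/down. "
            "In this thread the fix was 'clear crypto session' for the peer on the HQ router.")
    for b in result["duplicate_bundles"]:
        lines.append(
            f"duplicate fresh SA bundle (min_spi {b['min_spi']}): sibling outbound SPI "
            f"{b['aged_out_spi']} aged out in {b['expires_in_s']}s; two phase 2 negotiations "
            "for the same proxies overlapped. This is the symptom, not the root cause.")
    return lines


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_DEBUG)):
        print(line)
```

Feed it the raw `show logging` or terminal capture; only timestamped lines are considered, so the `Crypto mapdb : proxy_match` sub-lines of the DMVPN debug are ignored rather than mis-parsed.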

Daniel,

Good catch, it gives us the symptom but not the root cause.

Could be a variety of things, ranging from a memory leak to concurrent phase 2 negotiations.

What are the IOS versions on both ends, and would you consider running tunnel protection instead of crypto maps (note that tunnel keepalives are not supported with tunnel protection)?

M.

Branch site: IOS version 12.4(15)T10 (I changed that software during my first steps working on that problem)

HQ site: IOS 12.4(17a)

Now I did a downgrade to IOS version 12.4(15)XY3. After that I configured 'GRE Tunnel Protection'. Using that configuration change from (in my opinion) 'IPsec over GRE' to 'GRE Tunnel Protection', my connection is working fine!!! But why? What are the differences? What are the right labels for these different technologies, and is there a document that describes advantages/disadvantages?

crypto ipsec profile TEST                <-- new
 set transform-set esp-3des-md5          <-- new
interface tunnel 0
 tunnel mode ipsec ipv4                  <-- new
 tunnel protection ipsec profile TEST    <-- new
 keepalive 5 2
interface
 crypto map VPN

Thank you a lot in advance

regards Daniel
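An added configuration checker, not from this thread and not Cisco code, that reads `show run | section Tunnel|crypto` output and reports the combinations this thread turns on: GRE keepalives riding a crypto map (the tunnel shows up/down for as long as IPsec is down, as Marcin explains above), a `keepalive` left under a tunnel that now uses `tunnel protection` (Marcin notes that tunnel keepalives are not supported there, and the config in this post still carries one), and a GRE tunnel with neither, which carries its payload in clear text. The two sample configs are constructed after the thread's, with documentation-range addresses; the parser assumes IOS's usual one-space indentation of sub-commands, which the copies pasted into the thread lost.

```python
"""Added example (not Cisco code): lint 'show run | section Tunnel|crypto' output for
the GRE/IPsec combinations discussed in this thread."""

# Constructed sample modelled on the original post: GRE tunnels with keepalives,
# encrypted by a crypto map on the WAN interface (documentation-range addresses).
CRYPTO_MAP_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 group 2
 lifetime 3600
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set esp-3des-md5
 match address 110
interface Tunnel0
 description active
 ip address 10.255.0.1 255.255.255.252
 keepalive 5 2
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
interface Tunnel2
 description private
 ip address 10.255.0.9 255.255.255.252
 tunnel source Vlan1
 tunnel destination 192.0.2.9
interface FastEthernet0
 crypto map VPN
"""

# Constructed sample modelled on this post: tunnel protection, keepalive left in place.
TUNNEL_PROTECTION_CONFIG = """\
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec profile TEST
 set transform-set esp-3des-md5
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 keepalive 5 2
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TEST
"""


def parse_blocks(text):
    """Split IOS config text into (header, [sub-commands]) blocks. IOS indents
    sub-commands with a leading space; '!' comments and 'end' are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!") or raw.strip() == "end":
            continue
        if raw[0] in " \t":
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def first(body, prefix):
    """First sub-command starting with prefix, or None."""
    return next((cmd for cmd in body if cmd.startswith(prefix)), None)


def lint(text):
    """Return (tunnel, severity, message) findings in configuration order."""
    blocks = parse_blocks(text)
    profiles = {h.split()[-1] for h, _ in blocks if h.startswith("crypto ipsec profile ")}
    crypto_map_ifaces, tunnels = set(), []
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if first(body, "crypto map "):
            crypto_map_ifaces.add(name)
        if name.lower().startswith("tunnel"):
            tunnels.append((name, body))

    findings = []
    for name, body in tunnels:
        keepalive = first(body, "keepalive")
        protection = first(body, "tunnel protection ipsec profile ")
        source = first(body, "tunnel source ")
        source_if = source.split()[-1] if source else None
        if protection:
            profile = protection.split()[-1]
            if profile not in profiles:
                findings.append((name, "error", f"references undefined ipsec profile '{profile}'"))
            if keepalive:
                findings.append((name, "error",
                                 "GRE keepalive together with tunnel protection; keepalives are not "
                                 "supported there, remove 'keepalive' and rely on ISAKMP keepalives "
                                 "('crypto isakmp keepalive') for peer liveness"))
        elif source_if in crypto_map_ifaces:
            msg = f"encrypted by the crypto map on {source_if} (assuming its ACL matches the GRE traffic)"
            if keepalive:
                msg += "; while IPsec is down the keepalives fail and the tunnel stays up/down"
            findings.append((name, "info", msg))
        else:
            findings.append((name, "warning",
                             "no tunnel protection and no crypto map on the source interface; "
                             "GRE payload is sent in clear text"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("crypto map", CRYPTO_MAP_CONFIG), ("tunnel protection", TUNNEL_PROTECTION_CONFIG)):
        print(f"== {label} ==")
        for tunnel, severity, message in lint(cfg):
            print(f"{severity:8} {tunnel}: {message}")
```

Tunnel2 in the first sample is flagged only because the checker cannot see that the "private" path is meant to be unencrypted; treat that finding as a prompt to confirm the intent rather than as a fault.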

Hey,

now it is working, there was no configuration error - finally I 'only' cleared the crypto session for the branch router on the backbone router (headquarters).

thank you very much for your assistance

kind regards daniel

I've received similar debug output on hub router during installation of DMVPN:

Dec 19 09:10:57.862: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 19 09:10:57.862: Crypto mapdb : proxy_match
        src addr     : xxx.xxx.xxx.xxx
        dst addr     : zzz.zzz.zzz.zzz
        protocol     : 47
        src port     : 0
        dst port     : 0
Dec 19 09:10:57.862: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer zzz.zzz.zzz.zzz
Dec 19 09:10:57.862: IPSEC(create_sa): sa created,
  (sa) sa_dest= xxx.xxx.xxx.xxx, sa_proto= 50,
    sa_spi= 0x7ED0C8EC(2127612140),
    sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 3031
Dec 19 09:10:57.862: IPSEC(create_sa): sa created,
  (sa) sa_dest= zzz.zzz.zzz.zzz, sa_proto= 50,
    sa_spi= 0x4F5EC18(83225624),
    sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 3455
Dec 19 09:10:57.862: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=4F5EC18
Dec 19 09:10:57.862: IPSEC(early_age_out_sibling): sibling outbound SPI 4F5EC18 expiring in 30 seconds
Dec 19 09:10:57.898: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 19 09:10:57.898: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 19 09:10:57.898: IPSEC(key_engine_enable_outbound): enable SA with spi 83225624/50

Spoke config:

AZS-10-17#sh run | s crypto|Tunnel
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 lifetime 1200
crypto isakmp key LukoilSnT address xxx.xxx.xxx.xxx
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set DMVPN esp-aes esp-md5-hmac
 mode transport require
crypto ipsec profile DMVPN-prof
 set transform-set DMVPN
no crypto engine onboard 0
interface Tunnel200
 description === DMVPN Kiev headquarter ===
 ip address 192.168.200.167 255.255.255.0
 no ip redirects
 ip mtu 1300
 ip nhrp authentication Lukoil32
 ip nhrp map multicast xxx.xxx.xxx.xxx
 ip nhrp map 192.168.200.2 xxx.xxx.xxx.xxx
 ip nhrp network-id 100111
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.200.2
 ip nhrp registration no-unique
 ip tcp adjust-mss 1260
 ip ospf network broadcast
 ip ospf cost 1100
 ip ospf priority 0
 ip ospf mtu-ignore
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100222
 tunnel protection ipsec profile DMVPN-prof

interface Tunnel200 on the spoke is in up/up state, but NHRP negotiation and OSPF neighborship are not active:

AZS-10-17#sh dmvpn
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 -----    --------------- --------------- ----- -------- -----
     1   xxx.xxx.xxx.xxx   192.168.200.2  NHRP    never     S

Spoke is Cisco 881 router with IOS 12.4(20)T3.

Such a config with the same IOS is working correctly on a lot of other spokes. What could the problem be with this one?

Nobody has ideas?