04-27-2007 08:27 AM
We have IPSec tunnels created on a 2621 router. Recently we have been facing a problem. The EIGRP relationships (the tunnels) are going down at a particular time every day (around 10:45 am local time daily).
The configuration on the router is as follows:
Router_IPsec#sh runn
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key xxxx address x.x.x.x
crypto isakmp key xxxx address x.x.x.x
!
crypto ipsec transform-set myset-3des esp-3des esp-md5-hmac
crypto ipsec transform-set myset-3des-comp esp-3des esp-md5-hmac comp-lzs
!
crypto map vpn 20 ipsec-isakmp
description IPSEC Tunnel to Bracknell -Backup path
set peer x.x.x.x
set transform-set myset-3des
match address 120
crypto map vpn 30 ipsec-isakmp
description ipsec tunnel to Boston
set peer x.x.x.x
set transform-set myset-3des
match address 130
!
interface Loopback0
description Ipsec Tunnel to Bracknell - Backup path
ip address 131.x.x.166 255.255.255.255
!
interface Loopback1
ip address 131.x.x.43 255.255.255.255
!
interface Tunnel0
description IPSEC Tunnel to Bracknell - Backup path
ip unnumbered FastEthernet0/0
ip accounting output-packets
ip mtu 1400
ip policy route-map clear-df
keepalive 3 3
tunnel source Loopback0
tunnel destination 131.101.83.167
!
interface Tunnel1
ip unnumbered FastEthernet0/0
ip accounting output-packets
ip mtu 1400
ip policy route-map clear-df
load-interval 30
keepalive 3 3
tunnel source 131.101.83.43
tunnel destination 131.101.83.42
!
!
interface FastEthernet0/0
description Munich LAN subnets
ip address 131.x.x.253 255.255.255.0 secondary
ip address 131.x.x.253 255.255.255.0
ip route-cache flow
speed 100
full-duplex
interface FastEthernet0/1
description DSL connection to internet
ip address x.x.x.x 255.255.255.248
ip route-cache flow
duplex auto
speed auto
crypto map vpn
!
router eigrp 101
redistribute connected
passive-interface FastEthernet0/1
network 131.101.0.0
distribute-list 10 out Tunnel0
distribute-list 20 out Tunnel1
distance 180 131.101.50.235 0.0.0.0
no auto-summary
!
ip route 131.101.83.42 255.255.255.255 x.x.x.x
ip route 131.101.83.167 255.255.255.255 x.x.x.x
ip route 198.51.251.194 255.255.255.255 x.x.x.x
ip route 212.133.24.86 255.255.255.255 x.x.x.x
!
!
access-list 10 permit 131.101.192.0 0.0.0.255
access-list 10 permit 131.101.193.0 0.0.0.255
access-list 10 permit 131.101.228.0 0.0.0.255
access-list 20 permit 131.101.192.0 0.0.0.255
access-list 20 permit 131.101.228.0 0.0.0.255
access-list 30 permit 131.101.192.0 0.0.0.255
access-list 40 permit 131.101.228.0 0.0.0.255
access-list 104 permit ip any any
access-list 120 remark Bracknell GRE Tunnel
access-list 120 permit gre host 131.101.83.166 host 131.101.83.167
access-list 130 permit gre host 131.101.83.43 host 131.101.83.42
route-map clear-df permit 10
match ip address 104
set ip df 0
!
Actually, this setup has been working fine for quite some days, and we are even tracking the internet link, which has no drops at all. But only the tunnels are going down at times on this router, and that too at what looks like a planned periodic time (daily 10:45 a.m. local time).
Please help me out asap.
04-28-2007 10:17 AM
Hi,
Sometimes this issue is related to the bandwidth of your tunnel; this is most probably your case here. Please try to re-adjust the bandwidth to something higher, e.g.
Router_IPsec(config)# interface tunnel 0
Router_IPsec(config-if)# bandwidth 10000
Router_IPsec(config-if)# interface tunnel 1
Router_IPsec(config-if)# bandwidth 10000
Let me know how it goes after that, and please rate this post if it was useful!
06-03-2007 07:59 PM
That doesn't make sense to me. Bandwidth is used for metric calculation, and would have no impact on tunnel bouncing... you could set it to 1 or 1000000 and nothing would change other than the route metric.
06-04-2007 08:13 AM
I have seen something like this before and it was to do with the isakmp policy lifetime... If you do a show crypto isakmp policy, what is the lifetime set to?
06-04-2007 12:08 PM
06-05-2007 12:35 PM
Hi all,
Sorry for the delay in response. I just got it rectified recently, and the prime issue was with the service provider. Ours is a DSL internet connection, and they had a scheduled switchover task on one of their devices which was affecting it. I've got them to adjust the time to the early hours, and hence there is no more interruption to my users.
Regards,
Subhash.
06-05-2007 08:45 AM
I was also facing the same problem with my network. Check if someone is testing with EIGRP neighbors at any other location.
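An added example, not code from any poster in this thread: a small Python check that buckets tunnel line-protocol "down" messages by time of day and reports windows that recur on several dates, along with which tunnels were hit. The log lines are constructed, and the timestamp layout (IOS datetime timestamps without year or milliseconds) and the year passed in are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not taken from the thread's router).
MSG = "%LINEPROTO-5-UPDOWN: Line protocol on Interface "
SAMPLE_LOG = "\n".join(f"{ts}: {MSG}{ifc}, changed state to {st}" for ts, ifc, st in [
    ("Apr 24 10:45:12", "Tunnel0", "down"), ("Apr 24 10:45:13", "Tunnel1", "down"),
    ("Apr 24 10:47:40", "Tunnel0", "up"),   ("Apr 24 10:47:41", "Tunnel1", "up"),
    ("Apr 25 10:44:58", "Tunnel0", "down"), ("Apr 25 10:45:01", "Tunnel1", "down"),
    ("Apr 26 10:45:20", "Tunnel0", "down"), ("Apr 26 10:45:20", "Tunnel1", "down"),
    ("Apr 26 16:02:09", "Tunnel1", "down"),  # one-off flap, should not be reported
])

# Assumed timestamp layout: "Mon DD HH:MM:SS: " in front of the message.
EVENT = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d): " + re.escape(MSG)
                   + r"(Tunnel\d+), changed state to (up|down)")

def down_events(log, year=2007):
    """Return (datetime, interface) for every tunnel 'down' message in the log."""
    events = []
    for line in log.splitlines():
        m = EVENT.match(line)
        if m and m.group(3) == "down":
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def recurring_windows(events, window_min=10, min_days=3):
    """Time-of-day windows with 'down' events on at least min_days distinct dates.

    Windows are fixed buckets, so events straddling a bucket edge are split;
    widen window_min if a known outage time sits on a boundary.
    """
    buckets = defaultdict(lambda: {"days": set(), "ifaces": set()})
    for ts, iface in events:
        slot = (ts.hour * 60 + ts.minute) // window_min
        buckets[slot]["days"].add(ts.date())
        buckets[slot]["ifaces"].add(iface)
    found = []
    for slot, b in sorted(buckets.items()):
        if len(b["days"]) >= min_days:
            start = slot * window_min
            found.append((f"{start // 60:02d}:{start % 60:02d}", len(b["days"]), sorted(b["ifaces"])))
    return found

if __name__ == "__main__":
    for start, days, ifaces in recurring_windows(down_events(SAMPLE_LOG)):
        print(f"window starting {start}: {days} days, interfaces {ifaces}")
```

When every tunnel appears in the same recurring window, the cause is more likely something they share (here both ride the DSL link on FastEthernet0/1) than a setting on a single peer.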