ipip Tunnels always up?

 
 
rooy
05-27-2009
Hello all

I'm trying to find a way to make a simple ipip Tunnel go down when the
remote router isn't online.

I need this because I have a remote router with two WANs directly
connected to the same remote site.
From my local router I've set up 2 Tunnels IPIP to both those WANs,
then I've set up 2 static routes to that remote site with different
"distances".
The problem is, when one of the remote WANs is down, no matter what,
both tunnels stay up according to the local router, so it still tries
to forward traffic to the tunnel with the lowest distance, even if
that is the broken link.

I even created a Tunnel with a non-existent destination ip, and the
router still says the Tunnel is up!
I also tried fiddling with the keepalives and other options inside the
tunnel configuration to no avail...

any help is greatly appreciated
TIA
 
bod43
05-27-2009
On 27 May, 14:42, rooy <(E-Mail Removed)> wrote:
> Hello all
>
> I'm trying to find a way to make a simple ipip Tunnel go down when the
> remote router isn't online.
>
> I need this because I have a remote router with two WANs directly
> connected to the same remote site.
> From my local router I've set up 2 Tunnels IPIP to both those WANs,
> then I've set up 2 static routes to that remote site with different
> "distances".
> The problem is, when one of the remote WANs is down, no matter what,
> both tunnels stay up according to the local router, so it still tries
> to forward traffic to the tunnel with the lowest distance, even if
> that is the broken link.
>
> I even created a Tunnel with a non-existent destination ip, and the
> router still says the Tunnel is up!
> I also tried fiddling with the keepalives and other options inside the
> tunnel configuration to no avail...


Enable keepalives on the tunnel interfaces.
 
rooy
05-28-2009
I already tried setting keepalives but the tunnel is always up up,
even with a random destination ip.
I tried also non standard values for the keepalive time-out and
retries settings, but nothing changes.
I don't know, maybe I'm missing the obvious

this is my simple Tunnel config:

interface Tunnel124
 ip address 124.124.124.124 255.255.255.248
 keepalive 10 3
 tunnel source A.B.C.D (my WAN Ip)
 tunnel destination 7.7.7.7 (I chose a random IP here; 7.7.7.7 won't even respond to pings)
 tunnel mode ipip

and this is the tunnel status, still Up Up even after 10 minutes:

Router#sh int tun 124
Tunnel124 is up, line protocol is up
Hardware is Tunnel
Internet address is 124.124.124.124/29
MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source A.B.C.D, destination 7.7.7.7
Tunnel protocol/transport IP/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1480 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out



bod43
05-28-2009
On 28 May, 09:25, rooy <(E-Mail Removed)> wrote:
> I already tried setting keepalives but the tunnel is always up up,
> even with a random destination ip.
> I tried also non standard values for the keepalive time-out and
> retries settings, but nothing changes.
> I don't know, maybe I'm missing the obvious
>
> this is my simple Tunnel config:
>
> interface Tunnel124
>  ip address 124.124.124.124 255.255.255.248
>  keepalive 10 3
>  tunnel source A.B.C.D (my WAN Ip)
>  tunnel destination 7.7.7.7 (I chose a random IP here; 7.7.7.7 won't even respond to pings)
>  tunnel mode ipip
>
> and this is the tunnel status, still Up Up even after 10 minutes:
>
> Router#sh int tun 124
> Tunnel124 is up, line protocol is up
>   Hardware is Tunnel
>   Internet address is 124.124.124.124/29
>   MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation TUNNEL, loopback not set
>   Keepalive set (10 sec), retries 3
>   Tunnel source A.B.C.D, destination 7.7.7.7
>   Tunnel protocol/transport IP/IP
>   Tunnel TTL 255
>   Fast tunneling enabled
>   Tunnel transport MTU 1480 bytes
>   Tunnel transmit bandwidth 8000 (kbps)
>   Tunnel receive bandwidth 8000 (kbps)
>   Last input never, output never, output hang never
>   Last clearing of "show interface" counters never
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/0 (size/max)
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
>      0 packets input, 0 bytes, 0 no buffer
>      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
>      0 packets output, 0 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 unknown protocol drops
>      0 unknown protocol drops
>      0 output buffer failures, 0 output buffers swapped out
>
>
>
> > Enable keepalives on the tunnel interfaces.


I have used this in anger and it does work.

interface Tunnel5
ip address 1.1.1.1 255.255.255.0
tunnel source Dialer0
tunnel destination 2.2.2.2
tunnel mode ipip

Tunnel5 1.1.1.1 YES manual up up
OK this is what we expect.

interface Tunnel5
ip address 1.1.1.1 255.255.255.0
keepalive 10 3 ! #############
tunnel source Dialer0
tunnel destination 2.2.2.2
tunnel mode ipip

! wait a long time

Tunnel5 1.1.1.1 YES manual up up

Hmmm.

interface Tunnel5
ip address 1.1.1.1 255.255.255.0
keepalive 10 3
tunnel source Dialer0
tunnel destination 2.2.2.2
! change to GRE - the default - not ipip

Tunnel5 1.1.1.1 YES manual up down

OK, looks like IP in IP tunnels do not support keepalives.
I have always just used GRE which is the default,
sorry for the confusion.

By the way the debug output seems a bit confusing.

router#sh deb
General-purpose tunnel:
Tunnel keepalive debugging is on

May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x (len=24 ttl=255), counter=29

All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.
c870-advipservicesk9-mz.124-15.T7.bin.

 
Dan Lanciani
05-29-2009
In article <(E-Mail Removed)>, (E-Mail Removed) (bod43) writes:

| By the way the debug output seems a bit confusing.
|
| router#sh deb
| General-purpose tunnel:
| Tunnel keepalive debugging is on
|
| May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x
| (len=24 ttl=255), counter=29
|
| All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.

That's the inner (i.e., return) packet. See:

http://www.cisco.com/en/US/tech/tk82...8048cffc.shtml

Dan Lanciani
ddl@danlan.*com
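
The packet layout described in the reply above, as an added example that is not part of the original thread: a Cisco GRE keepalive is a normal GRE-encapsulated packet whose inner IPv4 packet is already addressed from the tunnel destination back to the tunnel source, so the far end only has to decapsulate and route it. The inner packet is a 20-byte IP header plus a 4-byte GRE header with protocol type 0, which matches the `len=24 ttl=255` in the debug line. The address 192.0.2.1 is a constructed stand-in for the local WAN address.

```python
import ipaddress
import struct

GRE = 47                 # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
FMT = "!BBHHHBBH4s4s"    # 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 255) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, GRE, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(FMT, *fields))
    return struct.pack(FMT, *fields)


def gre_header(protocol_type: int) -> bytes:
    """Basic 4-byte GRE header: no checksum/key/sequence flags, version 0."""
    return struct.pack("!HH", 0, protocol_type)


def build_keepalive(tunnel_src: str, tunnel_dst: str) -> bytes:
    # Inner (return) packet: from the far end back to us, GRE protocol type 0.
    inner = ipv4_header(tunnel_dst, tunnel_src, 4) + gre_header(0)
    # Outer packet: normal GRE encapsulation of that inner IPv4 packet.
    outer = ipv4_header(tunnel_src, tunnel_dst, 4 + len(inner))
    return outer + gre_header(ETHERTYPE_IPV4) + inner


def describe(packet: bytes) -> dict:
    """What the far end sees: outer addresses, then the packet left after decapsulation."""
    def addrs(hdr: bytes) -> tuple:
        return tuple(str(ipaddress.IPv4Address(hdr[i:i + 4])) for i in (12, 16))
    inner = packet[24:]  # strip outer IPv4 (20 bytes) + outer GRE (4 bytes)
    return {"outer": addrs(packet), "inner": addrs(inner), "inner_len": len(inner),
            "inner_gre_type": struct.unpack("!H", inner[22:24])[0]}


# Constructed sample: 192.0.2.1 stands in for the local WAN address (92.x.x.x in
# the thread); 2.2.2.2 is the tunnel destination from bod43's config.
INFO = describe(build_keepalive("192.0.2.1", "2.2.2.2"))
print(INFO)
```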
 
rooy
05-29-2009

> OK, looks like IP in IP tunnels do not support keepalives.
> I have always just used GRE which is the default,
> sorry for the confusion.
>


Thanks! I tried without ipip and it works as expected now.
I'll keep this limitation in mind next time, and I'll probably stick
with the default GRE from now on.
 
bod43
05-29-2009
On 29 May, 04:46, ddl@danlan.*com (Dan Lanciani) wrote:
> In article <(E-Mail Removed)>, (E-Mail Removed) (bod43) writes:
> | May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x
> | (len=24 ttl=255), counter=29
> |
> | All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.
>
> That's the inner (i.e., return) packet. See:
>
> http://www.cisco.com/en/US/tech/tk82...s_tech_note091...


Thanks. I wasn't losing all that much sleep over it
however it is always good to have a mystery solved

The description at the link suggests to me that
the keepalive may be returned even if there is
no remote tunnel interface configured. I may have
to do some reading on GRE.

 
Dan Lanciani
05-29-2009
In article <(E-Mail Removed)>, (E-Mail Removed) (bod43) writes:
| On 29 May, 04:46, ddl@danlan.*com (Dan Lanciani) wrote:
| > In article <(E-Mail Removed)>, (E-Mail Removed) (bod43) writes:
| > | May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x
| > | (len=24 ttl=255), counter=29
| > |
| > | All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.
| >
| > That's the inner (i.e., return) packet. See:
| >
| > http://www.cisco.com/en/US/tech/tk82...s_tech_note091...
|
| Thanks. I wasn't losing all that much sleep over it
| however it is always good to have a mystery solved
|
| The description at the link suggests to me that
| the keepalive may be returned even if there is
| no remote tunnel interface configured.

There has to be a matching (source/destination and key if configured)
remote tunnel interface for the return packet to be decapsulated; however,
it may be possible to have that interface (mis)configured such that the
tunnel doesn't really work even though the keepalive does. Of course,
that's not what keepalives are meant to guard against and for most
purposes they do what you want.

Dan Lanciani
ddl@danlan.*com
 
bod43
05-30-2009
On 29 May, 22:02, ddl@danlan.*com (Dan Lanciani) wrote:

> for most
> purposes they do what you want.


That seems to sum up the cisco philosophy, from
the point of view of a user of the kit.
))
 
bod43
05-30-2009
On 29 May, 09:09, rooy <(E-Mail Removed)> wrote:
> > OK, looks like IP in IP tunnels do not support keepalives.
> > I have always just used GRE which is the default,
> > sorry for the confusion.

>
> Thanks! I tried without ipip and it works as expected now.
> I'll keep this limitation in mind next time, and I'll probably stick
> with the default GRE from now on.


It's always a good plan to stick with the cisco defaults.
They do have a clue

Of course if you understand what is going on and
have specific requirements then do whatever you want.
 