GRE Tunnel up/up Cannot ping tunnel interface

Discussion in 'Cisco' started by tsvanduyn@yahoo.com, Mar 6, 2006.

  1. Guest

    I set up a GRE tunnel between two Cisco 2621 routers. They are both
    running IOS c2600-advsecurityk9-mz.123-6c.bin. When I do a show ip int
    brief they both show up/up. I can ping the tunnel address the router
    is on but not the far end. This is true for both routers. I can also
    ping both the source and dest. of the tunnel from both routers. So I
    know that there shouldn't be any recursive routing problems. I have
    looked all over the Cisco site trying to find some troubleshooting
    information, but I don't see anything that applies. Any help would be
    appreciated.

    Here is a copy of my configs:

    Corp Router:
    interface Tunnel65
     ip address 10.15.65.1 255.255.255.0
     tunnel source FastEthernet0/0
     tunnel destination 200.62.203.198
    interface FastEthernet0/0
     ip address 60.197.140.33 255.255.255.248
     no ip mroute-cache
     duplex auto
     speed auto
    ip route 200.62.203.198 255.255.255.255 60.197.140.34

    Dest. Router:
    interface Tunnel65
     ip address 10.15.65.65 255.255.255.0
     tunnel source Dialer2
     tunnel destination 60.197.140.33
    interface Dialer2
     ip address negotiated (Stays the same-Really a static)
     no ip redirects
     no ip unreachables
     ip mtu 1492
     ip nat outside
     ip inspect to_internet out
     encapsulation ppp
     dialer pool 2
     dialer-group 2
     no cdp enable
     ppp authentication chap pap callin
     ppp pap sent-username *******@static.sbcglobal.net password 7 *************************
    ip route 60.197.140.33 255.255.255.255 dialer2

    Thanks,
    Travis
     
    , Mar 6, 2006
    #1

  2. Charlie Root Guest

    <> wrote in message
    news:...
    > I set up a GRE tunnel between two Cisco 2621 routers. They are both
    > running IOS c2600-advsecurityk9-mz.123-6c.bin. When I do a show ip int
    > brief they both show up/up. I can ping the tunnel address the router


    By default, a tunnel will stay up as long as there is a route entry to reach
    the destination of the tunnel. If you would like the tunnel to actually reflect
    its operational capability, you can enable the 'keepalive' command in the
    interface tunnel configuration.

    > is on but not the far end. This is true for both routers. I can also
    > ping both the source and dest. of the tunnel from both routers. So I
    > know that there shouldn't be any recursive routing problems. I have
    > looked all over the Cisco site trying to find some troubleshooting
    > information, but I don't see anything that applies. Any help would be
    > appreciated.
    >
    > Here is a copy of my configs:
    >

    [...]

    > interface Dialer2
    > ip address negotiated (Stays the same-Really a static)

    ^^^^
    The problem is here - this address is not known at the time when the Tunnel
    interface is created, or it is lost during an interface reset (unfortunately
    it won't be communicated back to the tunnel interface). I have just tried to
    reproduce this scenario and it was working as long as I had a statically
    configured IP on the interface used as source for the tunnel. As soon as I
    reconfigured it to be 'ip addr nego' and got an interface reset, 'sh int
    tun0' displays that the source address is 0.0.0.0. And I can ping the
    destination of the tunnel, but the tunnel is down (because I enabled
    keepalive). As soon as I change the IP of the WAN interface back to static,
    the tunnel comes up.

    So my suggestion to you would be to have some static IP as source of the
    tunnel. I always try to use loopback as source of a tunnel interface.

    I've put some output here -
    http://citadel.nobulus.com/~ilya/notes/archives/000018.html - so that you
    can compare it with what you're seeing.

    Hope it helps.

    Kind regards,
    iLya
     
    Charlie Root, Mar 6, 2006
    #2
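
    A way to check a saved running-config for the two conditions described in the reply above (a tunnel with no keepalive, and a tunnel sourced from an interface with a negotiated address). This is an added example, not code from any poster in the thread; the function names, Tunnel66, Loopback0 and the 192.0.2.x addresses are constructed, and it assumes the usual running-config layout where sub-commands are indented under their interface line.

```python
import re

# Constructed sample, modelled on the remote-router config posted in this thread.
SAMPLE_CONFIG = """\
interface Tunnel65
 tunnel source Dialer2
 tunnel destination 60.197.140.33
!
interface Dialer2
 ip address negotiated
!
interface Tunnel66
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
interface Loopback0
 ip address 192.0.2.10 255.255.255.255
"""

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (stripped, lower-cased)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line, re.IGNORECASE)
        if m:
            current = interfaces.setdefault(m.group(1).lower(), [])
        elif line[:1].isspace() and current is not None and line.strip():
            current.append(line.strip().lower())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_tunnels(config):
    """Return {tunnel: [findings]} for the two conditions discussed in the thread."""
    interfaces = parse_interfaces(config)
    report = {}
    for name, cmds in interfaces.items():
        if not name.startswith("tunnel"):
            continue
        findings = []
        if not any(c.startswith("keepalive") for c in cmds):
            findings.append("no keepalive: up/up only shows the destination is routable")
        source = next((c.split()[-1] for c in cmds if c.startswith("tunnel source ")), None)
        if source and "ip address negotiated" in interfaces.get(source, []):
            findings.append("source %s has a negotiated address" % source)
        if findings:
            report[name] = findings
    return report
```

    Calling audit_tunnels(SAMPLE_CONFIG) flags only tunnel65, with both findings; tunnel66 (keepalive set, loopback source) is not reported.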

  3. Guest

    Ilya,

    Thank you very much for your reply. I added the keepalives to both
    router configs and now they are reporting tunnel is up/down. Which
    makes sense because I cannot ping the far end of the tunnel interfaces.
    Your explanation about the ip add negotiated also makes sense, but the
    static address I get from my provider is only issued with the ip
    address negotiated command. Is there a way around this? Have you
    ever set up GRE tunnels with NHRP? I read that that kind of setup would
    support negotiated addresses. Again, thank you for all your input.

    Travis
     
    , Mar 6, 2006
    #3
  5. Charlie Root Guest

    <> wrote in message
    news:...
    > Ilya,
    >
    > Thank you very much for your reply. I added the keepalives to both
    > router configs and now they are reporting tunnel is up/down. Which
    > makes sense because I cannot ping the far end of the tunnel interfaces.
    > Your explanation about the ip add negotiated also makes sense, but the
    > static address I get from my provider is only issued with the ip
    > address negotiated command. Is there a way around this? Have you


    If this is the address you always get, perhaps you could configure it
    statically?

    > ever setup GRE tunnels with nhrp? I read that that kind of setup would
    > support negotiated addresses. Again, thank you for all your input.
    >

    I've just briefly looked at GRE and NHRP setups and they always seem to be
    used in NBMA fashion. I don't do many tunnels as we basically set up either
    MPLS VPN for a customer or IPSec terminated in MPLS VPN, or if there are
    tunnels for multiple VPN access they are sourced from loopback interfaces, so I
    can't comment on the applicability of NHRP in your case. One practical solution
    I could suggest is to configure your central router as an IPSec concentrator
    and use Easy-VPN on the remote routers.

    Kind regards,
    iLya
     
    Charlie Root, Mar 7, 2006
    #5
  6. Alex Guest

    On Tue, 07 Mar 2006 11:40:41 +0100, Charlie Root wrote:

    > <> wrote in message
    > news:...
    >> Ilya,
    >>
    >> Thank you very much for your reply. I added the keepalives to both
    >> router configs and now they are reporting tunnel is up/down. Which
    >> makes sense because I cannot ping the far end of the tunnel interfaces.
    >> Your explanation about the ip add negotiated also makes sense, but the
    >> static address I get from my provider is only issued with the ip
    >> address negotiated command. Is there a way around this? Have you

    >
    > If this is the address you always get, perhaps you could configure it
    > statically?
    >
    >> ever setup GRE tunnels with nhrp? I read that that kind of setup would
    >> support negotiated addresses. Again, thank you for all your input.
    >>

    > I've just briefly looked at GRE and NHRP setups and they always seem to be
    > used in NBMA fashion. I don't do many tunnels as we basically set up either
    > MPLS VPN for a customer or IPSec terminated in MPLS VPN, or if there are
    > tunnels for multiple VPN access they are sourced from loopback interfaces, so I
    > can't comment on the applicability of NHRP in your case. One practical solution
    > I could suggest is to configure your central router as an IPSec concentrator
    > and use Easy-VPN on the remote routers.
    >
    > Kind regards,
    > iLya




    try tunnel mode ipip
     
    Alex, Mar 7, 2006
    #6
  7. Guest

    It turned out that my router ACL was blocking me. I have an Internet
    Router that goes to a Checkpoint FW and the router I am configuring was
    off of that router. I had everything right for the Checkpoint, but I
    missed an ACL line on the Internet Router which was breaking me.

    I was able to get the tunnels up and working, but when I added IPsec I
    did not get the expected EIGRP routing updates. It seems to be set
    correctly because when I set it up with static routes I am able to ping
    and get everywhere that I expected, just no routing updates. I
    followed the guide on Cisco's website: GRE over IPSec with EIGRP to
    Route Through a Hub and Multiple Remote Sites Configuration.

    I also still want to try the NHRP template stuff and I will try the
    "tunnel mode ipip" command, but I don't understand why I can't get
    dynamic routing updates through my GRE/IPsec tunnel. Any ideas?

    Thanks,
    Travis
     
    , Mar 9, 2006
    #7
