ipip Tunnels always up?

Discussion in 'Cisco' started by rooy, May 27, 2009.

  1. rooy

    rooy Guest

    Hello all

    I'm trying to find a way to make a simple ipip Tunnel go down when the
    remote router isn't online.

    I need this because I have a remote router with two WANs directly
    connected to the same remote site.
    From my local router I've set up 2 Tunnels IPIP to both those WANs,
    then I've set up 2 static routes to that remote site with different
    "distances".
    The problem is, when one of the remote WANs is down, no matter what,
    both tunnels stay up according to the local router, so it still tries
    to forward traffic to the tunnel with the lowest distance, even if
    that is the broken link.

    I even created a Tunnel with a non-existent destination ip, and the
    router still says the Tunnel is up!
    I also tried fiddling with the keepalives and other options inside the
    tunnel configuration to no avail...

    any help is greatly appreciated
    TIA
     
    rooy, May 27, 2009
    #1

  2. rooy

    bod43 Guest

    On 27 May, 14:42, rooy <> wrote:
    > Hello all
    >
    > I'm trying to find a way to make a simple ipip Tunnel go down when the
    > remote router isn't online.
    >
    > I need this because I have a remote router with two WANs directly
    > connected to the same remote site.
    > From my local router I've set up 2 Tunnels IPIP to both those WANs,
    > then I've set up 2 static routes to that remote site with different
    > "distances".
    > The problem is, when one of the remote WANs is down, no matter what,
    > both tunnels stay up according to the local router, so it still tries
    > to forward traffic to the tunnel with the lowest distance, even if
    > that is the broken link.
    >
    > I even created a Tunnel with a non-existent destination ip, and the
    > router still says the Tunnel is up!
    > I also tried fiddling with the keepalives and other options inside the
    > tunnel configuration to no avail...


    Enable keepalives on the tunnel interfaces.
     
    bod43, May 27, 2009
    #2

  3. rooy

    rooy Guest

    I already tried setting keepalives but the tunnel is always up up,
    even with a random destination ip.
    I tried also non standard values for the keepalive time-out and
    retries settings, but nothing changes.
    I don't know, maybe I'm missing the obvious

    this is my simple Tunnel config:

    interface Tunnel124
    ip address 124.124.124.124 255.255.255.248
    keepalive 10 3
    tunnel source A.B.C.D (my WAN Ip)
    tunnel destination 7.7.7.7 (I chose a random IP here; 7.7.7.7 won't
    even respond to pings)
    tunnel mode ipip

    and this is the tunnel status, still Up Up even after 10 minutes:

    Router#sh int tun 124
    Tunnel124 is up, line protocol is up
    Hardware is Tunnel
    Internet address is 124.124.124.124/29
    MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive set (10 sec), retries 3
    Tunnel source A.B.C.D, destination 7.7.7.7
    Tunnel protocol/transport IP/IP
    Tunnel TTL 255
    Fast tunneling enabled
    Tunnel transport MTU 1480 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input never, output never, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
    0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out



    >
    > Enable keepalives on the tunnel interfaces.
     
    rooy, May 28, 2009
    #3
  4. rooy

    bod43 Guest

    On 28 May, 09:25, rooy <> wrote:
    > I already tried setting keepalives but the tunnel is always up up,
    > even with a random destination ip.
    > I tried also non standard values for the keepalive time-out and
    > retries settings, but nothing changes.
    > I don't know, maybe I'm missing the obvious
    >
    > this is my simple Tunnel config:
    >
    > interface Tunnel124
    >  ip address 124.124.124.124 255.255.255.248
    >  keepalive 10 3
    >  tunnel source A.B.C.D (my WAN Ip)
    >  tunnel destination 7.7.7.7 (I chose a random IP here; 7.7.7.7 won't
    > even respond to pings)
    >  tunnel mode ipip
    >
    > and this is the tunnel status, still Up Up even after 10 minutes:
    >
    > Router#sh int tun 124
    > Tunnel124 is up, line protocol is up
    >   Hardware is Tunnel
    >   Internet address is 124.124.124.124/29
    >   MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
    >      reliability 255/255, txload 1/255, rxload 1/255
    >   Encapsulation TUNNEL, loopback not set
    >   Keepalive set (10 sec), retries 3
    >   Tunnel source A.B.C.D, destination 7.7.7.7
    >   Tunnel protocol/transport IP/IP
    >   Tunnel TTL 255
    >   Fast tunneling enabled
    >   Tunnel transport MTU 1480 bytes
    >   Tunnel transmit bandwidth 8000 (kbps)
    >   Tunnel receive bandwidth 8000 (kbps)
    >   Last input never, output never, output hang never
    >   Last clearing of "show interface" counters never
    >   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
    > 0
    >   Queueing strategy: fifo
    >   Output queue: 0/0 (size/max)
    >   5 minute input rate 0 bits/sec, 0 packets/sec
    >   5 minute output rate 0 bits/sec, 0 packets/sec
    >      0 packets input, 0 bytes, 0 no buffer
    >      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    >      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    >      0 packets output, 0 bytes, 0 underruns
    >      0 output errors, 0 collisions, 0 interface resets
    >      0 unknown protocol drops
    >      0 unknown protocol drops
    >      0 output buffer failures, 0 output buffers swapped out
    >
    >
    >
    > > Enable keepalives on the tunnel interfaces.


    I have used this in anger and it does work.

    interface Tunnel5
    ip address 1.1.1.1 255.255.255.0
    tunnel source Dialer0
    tunnel destination 2.2.2.2
    tunnel mode ipip

    Tunnel5 1.1.1.1 YES manual
    up up
    OK this is what we expect.

    interface Tunnel5
    ip address 1.1.1.1 255.255.255.0
    keepalive 10 3 ! #############
    tunnel source Dialer0
    tunnel destination 2.2.2.2
    tunnel mode ipip

    ! wait a long time

    Tunnel5 1.1.1.1 YES manual
    up up

    Hmmm.

    interface Tunnel5
    ip address 1.1.1.1 255.255.255.0
    keepalive 10 3
    tunnel source Dialer0
    tunnel destination 2.2.2.2
    ! change to GRE - the default - not ipip

    Tunnel5 1.1.1.1 YES manual
    up down

    OK, looks like IP in IP tunnels do not support keepalives.
    I have always just used GRE which is the default,
    sorry for the confusion.

    By the way the debug output seems a bit confusing.

    router#sh deb
    General-purpose tunnel:
    Tunnel keepalive debugging is on

    May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x
    (len=24 ttl=255), counter=29

    All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.
    c870-advipservicesk9-mz.124-15.T7.bin.
     
    bod43, May 28, 2009
    #4
  5. rooy

    Dan Lanciani Guest

    In article <>, (bod43) writes:

    | By the way the debug output seems a bit confusing.
    |
    | router#sh deb
    | General-purpose tunnel:
    | Tunnel keepalive debugging is on
    |
    | May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x
    | (len=24 ttl=255), counter=29
    |
    | All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.

    That's the inner (i.e., return) packet. See:

    http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml

    Dan Lanciani
    ddl@danlan.*com
     
    Dan Lanciani, May 29, 2009
    #5
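
The inner/outer layering referred to in the reply above, as an added example that is not part of the original thread. It assumes the GRE keepalive layout of an outer IP + GRE (protocol type IPv4) header wrapping a 20-byte inner IP header and a 4-byte GRE header with protocol type 0, which gives the len=24 ttl=255 seen in the debug line; 192.0.2.1 is a constructed stand-in for the elided 92.x.x.x address.

```python
import socket
import struct

GRE_PROTO = 47          # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header whose payload is GRE."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, GRE_PROTO, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def gre_header(proto: int) -> bytes:
    return struct.pack("!HH", 0, proto)  # no flags, version 0, protocol type


def build_keepalive(local: str, remote: str) -> tuple[bytes, bytes]:
    """Return (packet sent on the wire, inner return packet)."""
    # Inner packet is addressed remote -> local so the peer routes it back.
    inner = ipv4_header(remote, local, 4) + gre_header(0)
    outer = ipv4_header(local, remote, 4 + len(inner)) + gre_header(ETHERTYPE_IPV4)
    return outer + inner, inner


def describe(ip_packet: bytes) -> str:
    """Render src->dst, length and TTL the way the debug line does."""
    _, _, length, _, _, ttl, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_packet[:20])
    return f"{socket.inet_ntoa(src)}->{socket.inet_ntoa(dst)} (len={length} ttl={ttl})"


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.1 stands in for the local tunnel source.
    wire, inner = build_keepalive(local="192.0.2.1", remote="2.2.2.2")
    print("on the wire:", describe(wire))
    print("inner:      ", describe(inner))
```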
  6. rooy

    rooy Guest


    > OK, looks like IP in IP tunnels do not support keepalives.
    > I have always just used GRE which is the default,
    > sorry for the confusion.
    >


    Thanks! I tried without ipip and it works as expected now.
    I'll keep this limitation in mind next time, and I'll probably stick
    with the default GRE from now on.
     
    rooy, May 29, 2009
    #6
  7. rooy

    bod43 Guest

    On 29 May, 04:46, ddl@danlan.*com (Dan Lanciani) wrote:
    > In article <..com>, (bod43) writes:
    > | May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x
    > | (len=24 ttl=255), counter=29
    > |
    > | All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.
    >
    > That's the inner (i.e., return) packet.  See:
    >
    > http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note091...


    Thanks. I wasn't losing all that much sleep over it
    however it is always good to have a mystery solved:)

    The description at the link suggests to me that
    the keepalive may be returned even if there is
    no remote tunnel interface configured. I may have
    to do some reading on GRE.
     
    bod43, May 29, 2009
    #7
  8. rooy

    Dan Lanciani Guest

    In article <>, (bod43) writes:
    | On 29 May, 04:46, ddl@danlan.*com (Dan Lanciani) wrote:
    | > In article <.com>, (bod43) writes:
    | > | May 28 23:47:42.516 BST: Tunnel5: sending keepalive, 2.2.2.2->92.x.x.x
    | > | (len=24 ttl=255), counter=29
    | > |
    | > | All the wrong way round source is 92.x.x.x, dest is 2.2.2.2.
    | >
    | > That's the inner (i.e., return) packet. See:
    | >
    | > http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note091...
    |
    | Thanks. I wasn't losing all that much sleep over it
    | however it is always good to have a mystery solved:)
    |
    | The description at the link suggests to me that
    | the keepalive may be returned even if there is
    | no remote tunnel interface configured.

    There has to be a matching (source/destination and key if configured)
    remote tunnel interface for the return packet to be decapsulated; however,
    it may be possible to have that interface (mis)configured such that the
    tunnel doesn't really work even though the keepalive does. Of course,
    that's not what keepalives are meant to guard against and for most
    purposes they do what you want.

    Dan Lanciani
    ddl@danlan.*com
     
    Dan Lanciani, May 29, 2009
    #8
  9. rooy

    bod43 Guest

    On 29 May, 22:02, ddl@danlan.*com (Dan Lanciani) wrote:

    > for most
    > purposes they do what you want.


    That seems to sum up the cisco philosophy, from
    the point of view of a user of the kit.
    :)))
     
    bod43, May 30, 2009
    #9
  10. rooy

    bod43 Guest

    On 29 May, 09:09, rooy <> wrote:
    > > OK, looks like IP in IP tunnels do not support keepalives.
    > > I have always just used GRE which is the default,
    > > sorry for the confusion.

    >
    > Thanks! I tried without ipip and it works as expected now.
    > I'll keep this limitation in mind next time, and I'll probably stick
    > with the default GRE from now on.


    It's always a good plan to stick with the cisco defaults.
    They do have a clue:)

    Of course if you understand what is going on and
    have specific requirements then do whatever you want.
     
    bod43, May 30, 2009
    #10
  11. rooy

    edillenburg

    Joined:
    Feb 18, 2011
    Messages:
    1
    I have the same issue (tunnel UP/UP) using C2821/C2851 routers.
    C7200 works fine, but the C28xx won't.

    I am using two routers in SiteA with HSRP, and two routers at SiteB also with HSRP. Those HSRP addresses are the source and destination for both sides.

    Well, the C28xx in standby keeps showing tunnel UP/UP instead of UP/DOWN (like when using the C7204VXR). All four routers have the same 12.4(22)T5 IOS.

    Any ideas?
    Thanks in advance.


     
    edillenburg, Feb 18, 2011
    #11