Solved

GRE tunnel keepalives not working on 1 end

Posted on 2011-10-06
Last Modified: 2012-05-12
Hi,

I am trying to enable GRE tunnel keepalives in order for our floating static routes to kick in should there be a problem in the GRE tunnel path.

We operate a hub and spoke network. The GRE tunnels are IPSEC protected using crypto maps.

When I enable the keepalives on the tunnel interfaces, at the hub end we get replies and the tunnel is in up/up state, but at the remote site the router sends the keepalive but does not get the reply, and this puts the tunnel interface in an up/down state.

debugs...

debug tunnel keepalive at hub...

UK-VPN-RTR-3825-01#
Oct  5 07:56:50.456: Tunnel178: sending keepalive, 62.28.21.152->213.86.84.36 (len=24 ttl=255), counter=1
Oct  5 07:56:50.520: Tunnel178: keepalive received, 62.28.21.152->213.86.84.36 (len=24 ttl=245), resetting counter


and also the same debug at the remote site...

277303: Oct  4 11:37:11.473 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.28.21.152 (len=24 ttl=255), counter=18840

277337: Oct  4 11:37:16.472 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.28.21.152 (len=24 ttl=255), counter=18841

277345: Oct  4 11:37:21.471 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.28.21.152 (len=24 ttl=255), counter=18842
Question by:L-Plate
13 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 36923729
How many retries do you have set?
 

Author Comment

by:L-Plate
ID: 36923956
any help on this please guys?
 

Author Comment

by:L-Plate
ID: 36924044
hi there,

the command on the tunnel interface is    keepalive 5 4

so i guess 4 retries
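
An added example, not part of the thread: a small Python parser for `debug tunnel keepalive` output that reports, per tunnel, whether keepalives are being answered. The sample input is the debug text from the question with wrapped lines rejoined; the function name and the rule that a tunnel counts as failing once the printed counter reaches the retry count are assumptions of this example.

```python
import re

# Constructed sample: the debug lines quoted in the question, with the
# terminal line-wrapping undone so each event sits on one line.
SAMPLE_DEBUG = """\
Oct  5 07:56:50.456: Tunnel178: sending keepalive, 62.28.21.152->213.86.84.36 (len=24 ttl=255), counter=1
Oct  5 07:56:50.520: Tunnel178: keepalive received, 62.28.21.152->213.86.84.36 (len=24 ttl=245), resetting counter
277303: Oct  4 11:37:11.473 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.28.21.152 (len=24 ttl=255), counter=18840
277337: Oct  4 11:37:16.472 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.28.21.152 (len=24 ttl=255), counter=18841
277345: Oct  4 11:37:21.471 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.28.21.152 (len=24 ttl=255), counter=18842
"""

EVENT = re.compile(
    r"(?P<tunnel>Tunnel\d+): (?P<kind>sending keepalive|keepalive received), "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) \(len=\d+ ttl=\d+\)"
    r"(?:, counter=(?P<counter>\d+))?"
)


def summarize_keepalives(debug_text, retries):
    """Return per-tunnel send/receive counts and whether replies are missing.

    Assumption: a tunnel is treated as failing once the counter printed on a
    "sending keepalive" line reaches the retry count with no reply resetting it.
    """
    tunnels = {}
    for line in debug_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue  # prompt line or unrelated debug output
        t = tunnels.setdefault(
            m["tunnel"], {"sent": 0, "received": 0, "counter": 0, "inner": None}
        )
        t["inner"] = (m["src"], m["dst"])  # addresses of the inner keepalive packet
        if m["kind"] == "sending keepalive":
            t["sent"] += 1
            t["counter"] = int(m["counter"] or 0)
        else:
            t["received"] += 1
            t["counter"] = 0  # the router logs "resetting counter" on a reply
    for t in tunnels.values():
        t["failing"] = t["counter"] >= retries
    return tunnels


if __name__ == "__main__":
    # "keepalive 5 4" in the thread: 5-second period, 4 retries.
    for name, t in summarize_keepalives(SAMPLE_DEBUG, retries=4).items():
        print(name, t)
```
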

 
LVL 26

Expert Comment

by:Soulja
ID: 36924305
Can you post your route configs?
 
LVL 26

Expert Comment

by:Soulja
ID: 36924315
Do you have any ACL or firewall between these routers that would allow the keepalives one way but not the other?
 
LVL 26

Accepted Solution

by:
Soulja earned 2000 total points
ID: 36924340
Based on this link, this is expected to happen. Take a read.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml#prob
 

Author Comment

by:L-Plate
ID: 36924375
hi Soulja,

I think I read this same link the other day. We use crypto maps for the IPSEC tunnels at both ends, and the match address statement in the crypto maps simply matches the GRE traffic from router to router at each end. I have not even heard of the tunnel protection method, to be honest.

Our inbound access lists on the routers permit gre, isakmp and esp traffic from router to router.

do you need to see just the gre tunnel config from each router?
 
LVL 26

Expert Comment

by:Soulja
ID: 36924452
To keep it simple, post the entire sanitized configs.
 

Author Comment

by:L-Plate
ID: 36924713
remote site router where tunnel goes down...

crypto map PORTUGALWH 179 ipsec-isakmp
 description ## ENCRYPT GRE TUNNEL TO UK BILSTON ##
 set peer 213.86.84.36
 set transform-set PORTUGAL_3DES_GRE
 match address 179

interface Tunnel179
 description ## ENCRYPT GRE TUNNEL TO UK BILSTON ##
 bandwidth 2048
 ip unnumbered Vlan1
 no ip redirects
 no ip proxy-arp
 ip mtu 1440
 ip virtual-reassembly
 keepalive 5 4
 tunnel source Dialer1
 tunnel destination 213.86.84.36
 crypto map PORTUGALWH

access-list 179 permit gre host 62.28.21.152 host 213.86.84.36


hub site router where tunnel stays up...

crypto map UK 178 ipsec-isakmp
 description ## ENCRYPT GRE TUNNEL TO PORTUGAL WH ##
 set peer 62.28.21.152
 set transform-set UK_3DES_GRE
 match address 178

interface Tunnel178
 description ## ENCRYPT GRE TUNNEL TO PORTUGAL WH ##
 bandwidth 2048
 ip unnumbered GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 ip mtu 1440
 ip virtual-reassembly
 keepalive 5 4
 tunnel source 213.86.84.36
 tunnel destination 62.28.21.152

! the crypto map on this router is applied to the outside interface only, not the individual tunnel interfaces...

interface GigabitEthernet0/1
 description WAN
 bandwidth 10000
 ip address 213.86.84.36 255.255.255.224
 ip access-group outside_access_in in
 duplex full
 speed 100
 media-type rj45
 crypto map UK
 
LVL 26

Expert Comment

by:Soulja
ID: 36926588
What are the contents of this ACL outside_access_in? This is why I asked to post the entire config.
 
LVL 17

Expert Comment

by:rochey2009
ID: 36927365
can you also post access-list 178?
 

Author Comment

by:L-Plate
ID: 36929137
sorry, my entire config on the hub router is huge, we have so many remote sites, but anyway, here is the contents of the acl in, and also acl 178. below this i will put the same configs for the remote site router...

ip access-list extended outside_access_in
 permit udp host 77.40.215.162 host 213.86.84.36 eq isakmp
 permit gre host 77.40.215.162 host 213.86.84.36
 permit esp host 77.40.215.162 host 213.86.84.36
 permit udp host 83.69.34.243 host 213.86.84.36 eq isakmp
 permit gre host 82.148.34.117 host 213.86.84.36
 permit udp host 82.148.34.117 host 213.86.84.36 eq isakmp
 permit esp host 82.148.34.117 host 213.86.84.36
 permit gre host 83.69.34.243 host 213.86.84.36
 permit esp host 83.69.34.243 host 213.86.84.36
 permit udp host 81.243.250.57 host 213.86.84.36 eq isakmp
 permit udp host 195.39.71.6 host 213.86.84.36 eq isakmp
 permit udp host 195.235.210.35 host 213.86.84.36 eq isakmp
 permit gre host 195.235.210.35 host 213.86.84.36
 permit esp host 195.235.210.35 host 213.86.84.36
 permit gre host 84.252.208.82 host 213.86.84.36
 permit esp host 84.252.208.82 host 213.86.84.36
 permit udp host 84.252.208.82 host 213.86.84.36 eq isakmp
 permit gre host 195.39.71.6 host 213.86.84.36
 permit esp host 195.39.71.6 host 213.86.84.36
 permit gre host 81.243.250.57 host 213.86.84.36
 permit udp host 80.235.14.122 host 213.86.84.36 eq isakmp
 permit udp host 217.108.54.201 host 213.86.84.36 eq isakmp
 permit gre host 217.108.54.201 host 213.86.84.36
 permit esp host 217.108.54.201 host 213.86.84.36
 permit gre host 62.168.12.22 host 213.86.84.36
 permit esp host 62.168.12.22 host 213.86.84.36
 permit gre host 80.235.14.122 host 213.86.84.36
 permit esp host 80.235.14.122 host 213.86.84.36
 permit gre host 91.82.126.170 host 213.86.84.36
 permit esp host 91.82.126.170 host 213.86.84.36
 permit udp host 91.82.126.170 host 213.86.84.36 eq isakmp
 permit esp host 193.92.136.189 host 213.86.84.36
 permit udp host 193.92.136.189 host 213.86.84.36 eq isakmp
 permit gre host 82.76.22.162 host 213.86.84.36
 permit esp host 82.76.22.162 host 213.86.84.36
 permit udp host 82.76.22.162 host 213.86.84.36 eq isakmp
 permit esp host 82.141.232.167 host 213.86.84.36
 permit udp host 82.141.232.167 host 213.86.84.36 eq isakmp
 permit gre host 82.141.232.167 host 213.86.84.36
 permit esp host 194.78.62.249 host 213.86.84.36
 permit udp host 194.78.62.249 host 213.86.84.36 eq isakmp
 permit gre host 194.78.62.249 host 213.86.84.36
 permit esp host 80.160.18.254 host 213.86.84.36
 permit gre host 80.160.18.254 host 213.86.84.36
 permit esp host 81.43.111.79 host 213.86.84.36
 permit gre host 81.43.111.79 host 213.86.84.36
 permit udp host 81.43.111.79 host 213.86.84.36 eq isakmp
 permit udp host 80.160.18.254 host 213.86.84.36 eq isakmp
 permit esp host 80.121.255.154 host 213.86.84.36
 permit udp host 80.121.255.154 host 213.86.84.36 eq isakmp
 permit gre host 80.121.255.154 host 213.86.84.36
 permit esp host 62.181.206.66 host 213.86.84.36
 permit udp host 62.181.206.66 host 213.86.84.36 eq isakmp
 permit gre host 62.181.206.66 host 213.86.84.36
 permit esp host 81.214.137.132 host 213.86.84.36
 permit udp host 81.214.137.132 host 213.86.84.36 eq isakmp
 permit gre host 81.214.137.132 host 213.86.84.36
 permit gre host 84.14.12.50 host 213.86.84.36
 permit esp host 84.14.12.50 host 213.86.84.36
 permit udp host 84.14.12.50 host 213.86.84.36 eq isakmp
 permit gre host 212.18.46.98 host 213.86.84.36
 permit esp host 212.18.46.98 host 213.86.84.36
 permit udp host 212.18.46.98 host 213.86.84.36 eq isakmp
 permit esp host 65.171.12.3 host 213.86.84.36
 permit udp host 65.171.12.3 host 213.86.84.36 eq isakmp
 permit gre host 65.171.12.3 host 213.86.84.36
 permit esp host 217.37.142.21 host 213.86.84.36
 permit udp host 217.37.142.21 host 213.86.84.36 eq isakmp
 permit gre host 217.37.142.21 host 213.86.84.36
 permit esp host 212.97.47.250 host 213.86.84.36
 permit udp host 212.97.47.250 host 213.86.84.36 eq isakmp
 permit gre host 212.97.47.250 host 213.86.84.36
 permit esp host 62.23.116.210 host 213.86.84.36
 permit udp host 62.23.116.210 host 213.86.84.36 eq isakmp
 permit gre host 62.23.116.210 host 213.86.84.36
 permit esp host 192.38.226.58 host 213.86.84.36
 permit udp host 192.38.226.58 host 213.86.84.36 eq isakmp
 permit gre host 192.38.226.58 host 213.86.84.36
 permit esp host 194.20.6.58 host 213.86.84.36
 permit udp host 194.20.6.58 host 213.86.84.36 eq isakmp
 permit gre host 194.20.6.58 host 213.86.84.36
 permit gre host 82.148.33.201 host 213.86.84.36
 permit esp host 212.42.191.29 host 213.86.84.36
 permit udp host 212.42.191.29 host 213.86.84.36 eq isakmp
 permit gre host 212.42.191.29 host 213.86.84.36
 permit gre host 195.47.106.203 host 213.86.84.36
 permit esp host 84.14.90.26 host 213.86.84.36
 permit udp host 84.14.90.26 host 213.86.84.36 eq isakmp
 permit gre host 84.14.90.26 host 213.86.84.36
 permit udp host 195.47.106.203 host 213.86.84.36 eq isakmp
 permit esp host 216.110.25.3 host 213.86.84.36
 permit esp host 85.88.145.34 host 213.86.84.36
 permit udp host 85.88.145.34 host 213.86.84.36 eq isakmp
 permit gre host 85.88.145.34 host 213.86.84.36
 permit esp host 62.97.66.234 host 213.86.84.36
 permit udp host 62.97.66.234 host 213.86.84.36 eq isakmp
 permit gre host 62.97.66.234 host 213.86.84.36
 permit esp host 195.47.106.203 host 213.86.84.36
 permit esp host 87.139.90.51 host 213.86.84.36
 permit udp host 87.139.90.51 host 213.86.84.36 eq isakmp
 permit gre host 87.139.90.51 host 213.86.84.36
 permit esp host 195.50.151.10 host 213.86.84.36
 permit udp host 195.50.151.10 host 213.86.84.36 eq isakmp
 permit gre host 195.50.151.10 host 213.86.84.36
 permit esp host 80.188.106.153 host 213.86.84.36
 permit esp host 81.243.250.57 host 213.86.84.36
 permit gre host 195.29.84.134 host 213.86.84.36
 permit udp host 195.29.84.134 host 213.86.84.36 eq isakmp
 permit esp host 195.29.84.134 host 213.86.84.36
 permit udp host 83.71.191.65 host 213.86.84.36 eq isakmp
 permit gre host 83.71.191.65 host 213.86.84.36
 permit esp host 83.71.191.65 host 213.86.84.36
 permit udp host 195.168.42.234 host 213.86.84.36 eq isakmp
 permit gre host 195.168.42.234 host 213.86.84.36
 permit esp host 195.168.42.234 host 213.86.84.36
 permit udp host 195.56.169.77 host 213.86.84.36 eq isakmp
 permit gre host 195.56.169.77 host 213.86.84.36
 permit esp host 195.56.169.77 host 213.86.84.36
 permit esp host 212.4.70.218 host 213.86.84.36
 permit udp host 212.4.70.218 host 213.86.84.36 eq isakmp
 permit gre host 212.4.70.218 host 213.86.84.36
 permit esp host 62.28.21.152 host 213.86.84.36
 permit udp host 62.28.21.152 host 213.86.84.36 eq isakmp
 permit gre host 62.28.21.152 host 213.86.84.36
 permit esp host 193.69.147.194 host 213.86.84.36
 permit udp host 193.69.147.194 host 213.86.84.36 eq isakmp
 permit gre host 193.69.147.194 host 213.86.84.36
 permit esp host 217.197.166.203 host 213.86.84.36
 permit udp host 217.197.166.203 host 213.86.84.36 eq isakmp
 permit gre host 217.197.166.203 host 213.86.84.36
 permit esp host 62.173.177.18 host 213.86.84.36
 permit udp host 62.173.177.18 host 213.86.84.36 eq isakmp
 permit gre host 62.173.177.18 host 213.86.84.36
 permit udp host 85.105.82.34 host 213.86.84.36 eq isakmp
 permit gre host 85.105.82.34 host 213.86.84.36
 permit udp host 82.148.33.201 host 213.86.84.36 eq isakmp
 permit esp host 82.148.33.201 host 213.86.84.36
 permit udp host 213.27.198.225 host 213.86.84.36 eq isakmp
 permit gre host 213.27.198.225 host 213.86.84.36
 permit esp host 213.27.198.225 host 213.86.84.36
 permit esp host 85.105.82.34 host 213.86.84.36
 permit udp host 62.97.68.18 host 213.86.84.36 eq isakmp
 permit gre host 62.97.68.18 host 213.86.84.36
 permit esp host 62.97.68.18 host 213.86.84.36
 permit gre host 86.47.223.243 host 213.86.84.36
 permit esp host 86.47.223.243 host 213.86.84.36
 permit udp host 62.168.12.22 host 213.86.84.36 eq isakmp
 permit udp host 86.47.223.243 host 213.86.84.36 eq isakmp
 permit gre host 213.229.143.18 host 213.86.84.36
 permit esp host 213.229.143.18 host 213.86.84.36
 permit udp host 213.229.143.18 host 213.86.84.36 eq isakmp
 permit udp host 125.255.97.170 host 213.86.84.36 eq isakmp
 permit gre host 125.255.97.170 host 213.86.84.36
 permit esp host 125.255.97.170 host 213.86.84.36
 permit udp host 194.100.134.50 host 213.86.84.36 eq isakmp
 permit gre host 194.100.134.50 host 213.86.84.36
 permit esp host 194.100.134.50 host 213.86.84.36
 permit udp host 216.110.25.3 host 213.86.84.36 eq isakmp
 permit gre host 216.110.25.3 host 213.86.84.36
 permit gre host 217.108.137.177 host 213.86.84.36
 permit esp host 217.108.137.177 host 213.86.84.36
 permit udp host 217.108.137.177 host 213.86.84.36 eq isakmp
 permit udp host 85.105.172.137 host 213.86.84.36 eq isakmp
 permit gre host 85.105.172.137 host 213.86.84.36
 permit esp host 85.105.172.137 host 213.86.84.36
 permit udp host 78.189.190.15 host 213.86.84.36 eq isakmp
 permit gre host 78.189.190.15 host 213.86.84.36
 permit esp host 78.189.190.15 host 213.86.84.36
 permit udp host 78.189.180.15 host 213.86.84.36 eq isakmp
 permit gre host 78.189.180.15 host 213.86.84.36
 permit esp host 78.189.180.15 host 213.86.84.36
 permit gre host 193.85.249.170 host 213.86.84.36
 permit esp host 193.85.249.170 host 213.86.84.36
 permit udp host 193.85.249.170 host 213.86.84.36 eq isakmp
 permit gre host 212.145.144.166 host 213.86.84.36
 permit esp host 212.145.144.166 host 213.86.84.36
 permit udp host 212.145.144.166 host 213.86.84.36 eq isakmp
 permit gre host 95.60.254.66 host 213.86.84.36
 permit esp host 95.60.254.66 host 213.86.84.36
 permit udp host 95.60.254.66 host 213.86.84.36 eq isakmp
 permit udp host 188.111.86.138 host 213.86.84.36 eq isakmp
 permit gre host 188.111.86.138 host 213.86.84.36
 permit esp host 188.111.86.138 host 213.86.84.36
 permit esp host 90.182.141.126 host 213.86.84.36
 permit gre host 90.182.141.126 host 213.86.84.36
 permit udp host 90.182.141.126 host 213.86.84.36 eq isakmp
 permit udp host 78.189.29.41 host 213.86.84.36 eq isakmp
 permit gre host 78.189.29.41 host 213.86.84.36
 permit esp host 78.189.29.41 host 213.86.84.36
 permit esp host 90.182.146.202 host 213.86.84.36
 permit udp host 90.182.146.202 host 213.86.84.36 eq isakmp
 permit gre host 90.182.146.202 host 213.86.84.36
 permit udp host 212.145.145.138 host 213.86.84.36 eq isakmp
 permit gre host 212.145.145.138 host 213.86.84.36
 permit esp host 212.145.145.138 host 213.86.84.36
 permit udp host 212.145.145.142 host 213.86.84.36 eq isakmp
 permit gre host 212.145.145.142 host 213.86.84.36
 permit esp host 212.145.145.142 host 213.86.84.36
 permit udp host 212.145.145.150 host 213.86.84.36 eq isakmp
 permit gre host 212.145.145.150 host 213.86.84.36
 permit esp host 212.145.145.150 host 213.86.84.36
 permit udp host 81.180.118.220 host 213.86.84.36 eq isakmp
 permit gre host 81.180.118.220 host 213.86.84.36
 permit esp host 81.180.118.220 host 213.86.84.36
 permit udp host 78.189.227.75 host 213.86.84.36 eq isakmp
 permit gre host 78.189.227.75 host 213.86.84.36
 permit esp host 78.189.227.75 host 213.86.84.36
 deny   ip any any log

access-list 178 permit gre host 213.86.84.36 host 62.28.21.152

remote site...

ip access-list extended outside_access_in
 permit tcp 212.58.55.192 0.0.0.63 host 62.28.21.152 eq 22
 permit esp host 84.252.208.82 host 62.28.21.152
 permit gre host 84.252.208.82 host 62.28.21.152
 permit udp host 84.252.208.82 host 62.28.21.152 eq isakmp
 permit icmp host 84.252.208.82 host 62.28.21.152
 permit tcp host 84.252.208.82 host 62.28.21.152 eq 22
 permit esp host 213.86.84.36 host 62.28.21.152
 permit icmp 212.58.55.192 0.0.0.63 host 62.28.21.152
 permit icmp 85.88.145.32 0.0.0.3 host 62.28.21.152
 permit tcp 85.88.145.32 0.0.0.3 host 62.28.21.152 eq 22
 permit gre host 213.86.84.36 host 62.28.21.152
 permit esp host 213.86.84.196 host 62.28.21.152
 permit gre host 213.86.84.196 host 62.28.21.152
 permit udp host 213.86.84.196 host 62.28.21.152 eq isakmp
 permit udp host 213.86.84.36 host 62.28.21.152 eq isakmp
 permit esp host 216.110.25.3 host 62.28.21.152
 permit gre host 216.110.25.3 host 62.28.21.152
 permit udp host 216.110.25.3 host 62.28.21.152 eq isakmp
 permit esp host 85.88.145.34 host 62.28.21.152
 permit gre host 85.88.145.34 host 62.28.21.152
 permit udp host 85.88.145.34 host 62.28.21.152 eq isakmp
 permit icmp host 85.88.145.34 host 62.28.21.152
 permit icmp host 62.48.177.146 host 62.28.21.152
 deny   ip 10.0.176.0 0.0.15.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp 213.86.84.32 0.0.0.31 host 62.28.21.152 eq 22
 permit icmp 213.86.84.32 0.0.0.31 host 62.28.21.152
 permit tcp 213.86.84.192 0.0.0.31 host 62.28.21.152 eq 22
 permit icmp 213.86.84.192 0.0.0.31 host 62.28.21.152
 deny   ip any any log
!
access-list 179 permit gre host 62.28.21.152 host 213.86.84.36
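
An added example, not part of the thread: the question of whether an ACL passes the tunnel traffic one way but not the other can be checked offline by evaluating each router's inbound list with first-match semantics for the three flows the peer needs (ESP, GRE, UDP/500). The ACL text is a constructed subset of the two `outside_access_in` lists posted above; the function names are hypothetical, and only the `host`, `any`, wildcard and `eq` forms are parsed.

```python
import ipaddress
# Constructed input: the entries for the hub/Portugal pair and one neighbour,
# copied from the two outside_access_in lists posted above.
HUB_ACL = """\
 permit esp host 62.28.21.152 host 213.86.84.36
 permit udp host 62.28.21.152 host 213.86.84.36 eq isakmp
 permit gre host 62.28.21.152 host 213.86.84.36
 deny   ip any any log
"""
REMOTE_ACL = """\
 permit tcp 212.58.55.192 0.0.0.63 host 62.28.21.152 eq 22
 permit esp host 213.86.84.36 host 62.28.21.152
 permit gre host 213.86.84.36 host 62.28.21.152
 permit udp host 213.86.84.36 host 62.28.21.152 eq isakmp
 deny   ip any any log
"""
PORT_NAMES = {"isakmp": 500}

def _take_addr(tokens):
    # Consume "any", "host A.B.C.D" or "A.B.C.D wildcard"; return (base, wildcard).
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse permit/deny lines of an extended ACL (ports: 'eq' only)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        entries.append((action, proto, src, dst, dport))
    return entries

def _hit(ip, spec):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (base | wildcard)

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, e_proto, e_src, e_dst, e_dport in entries:
        if (e_proto in ("ip", proto) and _hit(src, e_src) and _hit(dst, e_dst)
                and e_dport in (None, dport)):
            return action
    return "deny"

def tunnel_checks(entries, peer, local):
    """Verdicts for the three flows the peer must get in: ESP, GRE, ISAKMP."""
    return {"esp": evaluate(entries, "esp", peer, local),
            "gre": evaluate(entries, "gre", peer, local),
            "isakmp": evaluate(entries, "udp", peer, local, 500)}
```

Run against these entries, both directions return `permit` for all three flows, so for this peer pair the inbound lists are symmetric.
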




 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36930701
I have a quick query: is this site a new implementation, or was it working previously and is now down?

I have seen scenarios like this where it was implemented and working properly and after a few days it goes down.
1) Please ping the remote end IPsec peer IP from the hub; if it pings it's OK, if not pinging then check for any ISP issue.
2) Please paste the o/p of sh crypto isakmp sa | i 20.20.20.20 ...remote location of remote peer
3) Try to remove the crypto config from the router and reinsert it again.
4) If you don't want to do the 3rd step, reboot the remote router...

IPsec behaves in a weird way..