GRE tunnel keepalives not working on 1 end

hi,

i am trying to enable GRE tunnel keepalives in order for our floating static routes to kick in should there be a problem in the GRE tunnel path.

we operate a hub and spoke network. The GRE tunnels are IPSEC protected using crypto maps.

wehn i enable the keepalives on the tunnel interfaces, at the hub end we get replies and the tunnel is in up/up state, but at the remote site the router sends the keepalive but does not get the reply, and this puts the tunnel interface in a up/down state

debugs...

debug tunnel keepalive at hub...

UK-VPN-RTR-3825-01#
Oct  5 07:56:50.456: Tunnel178: sending keepalive, 62.28.21.152->213.86.84.36 (l
en=24 ttl=255), counter=1
Oct  5 07:56:50.520: Tunnel178: keepalive received, 62.28.21.152->213.86.84.36 (
len=24 ttl=245), resetting counter


and also the same debug at the remote site...

277303: Oct  4 11:37:11.473 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.
28.21.152 (len=24 ttl=255), counter=18840


277337: Oct  4 11:37:16.472 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.
28.21.152 (len=24 ttl=255), counter=18841

277345: Oct  4 11:37:21.471 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.
28.21.152 (len=24 ttl=255), counter=18842
L-PlateAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ArneLoviusCommented:
how many retries do you have set ?
0
L-PlateAuthor Commented:
any help on this please guys?
0
L-PlateAuthor Commented:
hi there,

the command on the tunnel interface is    keepalive 5 4

so i guess 4 retries
0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

SouljaSenior Network EngineerCommented:
Can you post your route configs?
0
SouljaSenior Network EngineerCommented:
Do you have any ACL or Firewall between these routers that would allow the keepalives on way but not the other?
0
SouljaSenior Network EngineerCommented:
Based on this link. This is expected to happen. Take a read.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml#prob
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
L-PlateAuthor Commented:
hi Soulja,

i think i read this same link the other day. we use crypto maps for the IPSEC tunnels at both ends, and the match address staement in the crypto maps simply matches the gre traffic from router to router at each end.  i have not even heard of the tunnel method protection to be honest.

Our inbound access lists on the routers permit gre, isakmp and esp traffic from router to router.

do you need to see just the gre tunnel config from each router?
0
SouljaSenior Network EngineerCommented:
To keep it simple, post the entire sanitized configs.
0
L-PlateAuthor Commented:
remote site router where tunnel goes down...

crypto map PORTUGALWH 179 ipsec-isakmp
 description ## ENCRYPT GRE TUNNEL TO UK BILSTON ##
 set peer 213.86.84.36
 set transform-set PORTUGAL_3DES_GRE
 match address 179

interface Tunnel179
 description ## ENCRYPT GRE TUNNEL TO UK BILSTON ##
 bandwidth 2048
 ip unnumbered Vlan1
 no ip redirects
 no ip proxy-arp
 ip mtu 1440
 ip virtual-reassembly
 keepalive 5 4
 tunnel source Dialer1
 tunnel destination 213.86.84.36
 crypto map PORTUGALWH

access-list 179 permit gre host 62.28.21.152 host 213.86.84.36


hub site router where tunnel stays up...

crypto map UK 178 ipsec-isakmp
 description ## ENCRYPT GRE TUNNEL TO PORTUGAL WH ##
 set peer 62.28.21.152
 set transform-set UK_3DES_GRE
 match address 178

interface Tunnel178
 description ## ENCRYPT GRE TUNNEL TO PORTUGAL WH ##
 bandwidth 2048
 ip unnumbered GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 ip mtu 1440
 ip virtual-reassembly
 keepalive 5 4
 tunnel source 213.86.84.36
 tunnel destination 62.28.21.152

! the crypto map on this router is applied to the outside interface only, not the individual tunnel interfaces...

interface GigabitEthernet0/1
 description WAN
 bandwidth 10000
 ip address 213.86.84.36 255.255.255.224
 ip access-group outside_access_in in
 duplex full
 speed 100
 media-type rj45
 crypto map UK
0
SouljaSenior Network EngineerCommented:
What are the contents of this acl outside_access_in. This is why I asked to post the entire config.
0
rochey2009Commented:
can you also post access-list 178?
0
L-PlateAuthor Commented:
sorry, my entire config on the hub router is huge, we have so many remote sites, but anyway, here is the contents of the acl in, and also acl 178. below this i will put the same configs for the remote site router...

ip access-list extended outside_access_in
 permit udp host 77.40.215.162 host 213.86.84.36 eq isakmp
 permit gre host 77.40.215.162 host 213.86.84.36
 permit esp host 77.40.215.162 host 213.86.84.36
 permit udp host 83.69.34.243 host 213.86.84.36 eq isakmp
 permit gre host 82.148.34.117 host 213.86.84.36
 permit udp host 82.148.34.117 host 213.86.84.36 eq isakmp
 permit esp host 82.148.34.117 host 213.86.84.36
 permit gre host 83.69.34.243 host 213.86.84.36
 permit esp host 83.69.34.243 host 213.86.84.36
 permit udp host 81.243.250.57 host 213.86.84.36 eq isakmp
 permit udp host 195.39.71.6 host 213.86.84.36 eq isakmp
 permit udp host 195.235.210.35 host 213.86.84.36 eq isakmp
 permit gre host 195.235.210.35 host 213.86.84.36
 permit esp host 195.235.210.35 host 213.86.84.36
 permit gre host 84.252.208.82 host 213.86.84.36
 permit esp host 84.252.208.82 host 213.86.84.36
 permit udp host 84.252.208.82 host 213.86.84.36 eq isakmp
 permit gre host 195.39.71.6 host 213.86.84.36
 permit esp host 195.39.71.6 host 213.86.84.36
 permit gre host 81.243.250.57 host 213.86.84.36
 permit udp host 80.235.14.122 host 213.86.84.36 eq isakmp
 permit udp host 217.108.54.201 host 213.86.84.36 eq isakmp
 permit gre host 217.108.54.201 host 213.86.84.36
 permit esp host 217.108.54.201 host 213.86.84.36
 permit gre host 62.168.12.22 host 213.86.84.36
 permit esp host 62.168.12.22 host 213.86.84.36
 permit gre host 80.235.14.122 host 213.86.84.36
 permit esp host 80.235.14.122 host 213.86.84.36
 permit gre host 91.82.126.170 host 213.86.84.36
 permit esp host 91.82.126.170 host 213.86.84.36
 permit udp host 91.82.126.170 host 213.86.84.36 eq isakmp
 permit esp host 193.92.136.189 host 213.86.84.36
 permit udp host 193.92.136.189 host 213.86.84.36 eq isakmp
 permit gre host 82.76.22.162 host 213.86.84.36
 permit esp host 82.76.22.162 host 213.86.84.36
 permit udp host 82.76.22.162 host 213.86.84.36 eq isakmp
 permit esp host 82.141.232.167 host 213.86.84.36
 permit udp host 82.141.232.167 host 213.86.84.36 eq isakmp
 permit gre host 82.141.232.167 host 213.86.84.36
 permit esp host 194.78.62.249 host 213.86.84.36
 permit udp host 194.78.62.249 host 213.86.84.36 eq isakmp
 permit gre host 194.78.62.249 host 213.86.84.36
 permit esp host 80.160.18.254 host 213.86.84.36
 permit gre host 80.160.18.254 host 213.86.84.36
 permit esp host 81.43.111.79 host 213.86.84.36
 permit gre host 81.43.111.79 host 213.86.84.36
 permit udp host 81.43.111.79 host 213.86.84.36 eq isakmp
 permit udp host 80.160.18.254 host 213.86.84.36 eq isakmp
 permit esp host 80.121.255.154 host 213.86.84.36
 permit udp host 80.121.255.154 host 213.86.84.36 eq isakmp
 permit gre host 80.121.255.154 host 213.86.84.36
 permit esp host 62.181.206.66 host 213.86.84.36
 permit udp host 62.181.206.66 host 213.86.84.36 eq isakmp
 permit gre host 62.181.206.66 host 213.86.84.36
 permit esp host 81.214.137.132 host 213.86.84.36
 permit udp host 81.214.137.132 host 213.86.84.36 eq isakmp
 permit gre host 81.214.137.132 host 213.86.84.36
 permit gre host 84.14.12.50 host 213.86.84.36
 permit esp host 84.14.12.50 host 213.86.84.36
 permit udp host 84.14.12.50 host 213.86.84.36 eq isakmp
 permit gre host 212.18.46.98 host 213.86.84.36
 permit esp host 212.18.46.98 host 213.86.84.36
 permit udp host 212.18.46.98 host 213.86.84.36 eq isakmp
 permit esp host 65.171.12.3 host 213.86.84.36
 permit udp host 65.171.12.3 host 213.86.84.36 eq isakmp
 permit gre host 65.171.12.3 host 213.86.84.36
 permit esp host 217.37.142.21 host 213.86.84.36
 permit udp host 217.37.142.21 host 213.86.84.36 eq isakmp
 permit gre host 217.37.142.21 host 213.86.84.36
 permit esp host 212.97.47.250 host 213.86.84.36
 permit udp host 212.97.47.250 host 213.86.84.36 eq isakmp
 permit gre host 212.97.47.250 host 213.86.84.36
 permit esp host 62.23.116.210 host 213.86.84.36
 permit udp host 62.23.116.210 host 213.86.84.36 eq isakmp
 permit gre host 62.23.116.210 host 213.86.84.36
 permit esp host 192.38.226.58 host 213.86.84.36
 permit udp host 192.38.226.58 host 213.86.84.36 eq isakmp
 permit gre host 192.38.226.58 host 213.86.84.36
 permit esp host 194.20.6.58 host 213.86.84.36
 permit udp host 194.20.6.58 host 213.86.84.36 eq isakmp
 permit gre host 194.20.6.58 host 213.86.84.36
 permit gre host 82.148.33.201 host 213.86.84.36
 permit esp host 212.42.191.29 host 213.86.84.36
 permit udp host 212.42.191.29 host 213.86.84.36 eq isakmp
 permit gre host 212.42.191.29 host 213.86.84.36
 permit gre host 195.47.106.203 host 213.86.84.36
 permit esp host 84.14.90.26 host 213.86.84.36
 permit udp host 84.14.90.26 host 213.86.84.36 eq isakmp
 permit gre host 84.14.90.26 host 213.86.84.36
 permit udp host 195.47.106.203 host 213.86.84.36 eq isakmp
 permit esp host 216.110.25.3 host 213.86.84.36
 permit esp host 85.88.145.34 host 213.86.84.36
 permit udp host 85.88.145.34 host 213.86.84.36 eq isakmp
 permit gre host 85.88.145.34 host 213.86.84.36
 permit esp host 62.97.66.234 host 213.86.84.36
 permit udp host 62.97.66.234 host 213.86.84.36 eq isakmp
 permit gre host 62.97.66.234 host 213.86.84.36
 permit esp host 195.47.106.203 host 213.86.84.36
 permit esp host 87.139.90.51 host 213.86.84.36
 permit udp host 87.139.90.51 host 213.86.84.36 eq isakmp
 permit gre host 87.139.90.51 host 213.86.84.36
 permit esp host 195.50.151.10 host 213.86.84.36
 permit udp host 195.50.151.10 host 213.86.84.36 eq isakmp
 permit gre host 195.50.151.10 host 213.86.84.36
 permit esp host 80.188.106.153 host 213.86.84.36
 permit esp host 81.243.250.57 host 213.86.84.36
 permit gre host 195.29.84.134 host 213.86.84.36
 permit udp host 195.29.84.134 host 213.86.84.36 eq isakmp
 permit esp host 195.29.84.134 host 213.86.84.36
 permit udp host 83.71.191.65 host 213.86.84.36 eq isakmp
 permit gre host 83.71.191.65 host 213.86.84.36
 permit esp host 83.71.191.65 host 213.86.84.36
 permit udp host 195.168.42.234 host 213.86.84.36 eq isakmp
 permit gre host 195.168.42.234 host 213.86.84.36
 permit esp host 195.168.42.234 host 213.86.84.36
 permit udp host 195.56.169.77 host 213.86.84.36 eq isakmp
 permit gre host 195.56.169.77 host 213.86.84.36
 permit esp host 195.56.169.77 host 213.86.84.36
 permit esp host 212.4.70.218 host 213.86.84.36
 permit udp host 212.4.70.218 host 213.86.84.36 eq isakmp
 permit gre host 212.4.70.218 host 213.86.84.36
 permit esp host 62.28.21.152 host 213.86.84.36
 permit udp host 62.28.21.152 host 213.86.84.36 eq isakmp
 permit gre host 62.28.21.152 host 213.86.84.36
 permit esp host 193.69.147.194 host 213.86.84.36
 permit udp host 193.69.147.194 host 213.86.84.36 eq isakmp
 permit gre host 193.69.147.194 host 213.86.84.36
 permit esp host 217.197.166.203 host 213.86.84.36
 permit udp host 217.197.166.203 host 213.86.84.36 eq isakmp
 permit gre host 217.197.166.203 host 213.86.84.36
 permit esp host 62.173.177.18 host 213.86.84.36
 permit udp host 62.173.177.18 host 213.86.84.36 eq isakmp
 permit gre host 62.173.177.18 host 213.86.84.36
 permit udp host 85.105.82.34 host 213.86.84.36 eq isakmp
 permit gre host 85.105.82.34 host 213.86.84.36
 permit udp host 82.148.33.201 host 213.86.84.36 eq isakmp
 permit esp host 82.148.33.201 host 213.86.84.36
 permit udp host 213.27.198.225 host 213.86.84.36 eq isakmp
 permit gre host 213.27.198.225 host 213.86.84.36
 permit esp host 213.27.198.225 host 213.86.84.36
 permit esp host 85.105.82.34 host 213.86.84.36
 permit udp host 62.97.68.18 host 213.86.84.36 eq isakmp
 permit gre host 62.97.68.18 host 213.86.84.36
 permit esp host 62.97.68.18 host 213.86.84.36
 permit gre host 86.47.223.243 host 213.86.84.36
 permit esp host 86.47.223.243 host 213.86.84.36
 permit udp host 62.168.12.22 host 213.86.84.36 eq isakmp
 permit udp host 86.47.223.243 host 213.86.84.36 eq isakmp
 permit gre host 213.229.143.18 host 213.86.84.36
 permit esp host 213.229.143.18 host 213.86.84.36
 permit udp host 213.229.143.18 host 213.86.84.36 eq isakmp
 permit udp host 125.255.97.170 host 213.86.84.36 eq isakmp
 permit gre host 125.255.97.170 host 213.86.84.36
 permit esp host 125.255.97.170 host 213.86.84.36
 permit udp host 194.100.134.50 host 213.86.84.36 eq isakmp
 permit gre host 194.100.134.50 host 213.86.84.36
 permit esp host 194.100.134.50 host 213.86.84.36
 permit udp host 216.110.25.3 host 213.86.84.36 eq isakmp
 permit gre host 216.110.25.3 host 213.86.84.36
 permit gre host 217.108.137.177 host 213.86.84.36
 permit esp host 217.108.137.177 host 213.86.84.36
 permit udp host 217.108.137.177 host 213.86.84.36 eq isakmp
 permit udp host 85.105.172.137 host 213.86.84.36 eq isakmp
 permit gre host 85.105.172.137 host 213.86.84.36
 permit esp host 85.105.172.137 host 213.86.84.36
 permit udp host 78.189.190.15 host 213.86.84.36 eq isakmp
 permit gre host 78.189.190.15 host 213.86.84.36
 permit esp host 78.189.190.15 host 213.86.84.36
 permit udp host 78.189.180.15 host 213.86.84.36 eq isakmp
 permit gre host 78.189.180.15 host 213.86.84.36
 permit esp host 78.189.180.15 host 213.86.84.36
 permit gre host 193.85.249.170 host 213.86.84.36
 permit esp host 193.85.249.170 host 213.86.84.36
 permit udp host 193.85.249.170 host 213.86.84.36 eq isakmp
 permit gre host 212.145.144.166 host 213.86.84.36
 permit esp host 212.145.144.166 host 213.86.84.36
 permit udp host 212.145.144.166 host 213.86.84.36 eq isakmp
 permit gre host 95.60.254.66 host 213.86.84.36
 permit esp host 95.60.254.66 host 213.86.84.36
 permit udp host 95.60.254.66 host 213.86.84.36 eq isakmp
 permit udp host 188.111.86.138 host 213.86.84.36 eq isakmp
 permit gre host 188.111.86.138 host 213.86.84.36
 permit esp host 188.111.86.138 host 213.86.84.36
 permit esp host 90.182.141.126 host 213.86.84.36
 permit gre host 90.182.141.126 host 213.86.84.36
 permit udp host 90.182.141.126 host 213.86.84.36 eq isakmp
 permit udp host 78.189.29.41 host 213.86.84.36 eq isakmp
 permit gre host 78.189.29.41 host 213.86.84.36
 permit esp host 78.189.29.41 host 213.86.84.36
 permit esp host 90.182.146.202 host 213.86.84.36
 permit udp host 90.182.146.202 host 213.86.84.36 eq isakmp
 permit gre host 90.182.146.202 host 213.86.84.36
 permit udp host 212.145.145.138 host 213.86.84.36 eq isakmp
 permit gre host 212.145.145.138 host 213.86.84.36
 permit esp host 212.145.145.138 host 213.86.84.36
 permit udp host 212.145.145.142 host 213.86.84.36 eq isakmp
 permit gre host 212.145.145.142 host 213.86.84.36
 permit esp host 212.145.145.142 host 213.86.84.36
 permit udp host 212.145.145.150 host 213.86.84.36 eq isakmp
 permit gre host 212.145.145.150 host 213.86.84.36
 permit esp host 212.145.145.150 host 213.86.84.36
 permit udp host 81.180.118.220 host 213.86.84.36 eq isakmp
 permit gre host 81.180.118.220 host 213.86.84.36
 permit esp host 81.180.118.220 host 213.86.84.36
 permit udp host 78.189.227.75 host 213.86.84.36 eq isakmp
 permit gre host 78.189.227.75 host 213.86.84.36
 permit esp host 78.189.227.75 host 213.86.84.36
 deny   ip any any log

access-list 178 permit gre host 213.86.84.36 host 62.28.21.152

remote site...

ip access-list extended outside_access_in
 permit tcp 212.58.55.192 0.0.0.63 host 62.28.21.152 eq 22
 permit esp host 84.252.208.82 host 62.28.21.152
 permit gre host 84.252.208.82 host 62.28.21.152
 permit udp host 84.252.208.82 host 62.28.21.152 eq isakmp
 permit icmp host 84.252.208.82 host 62.28.21.152
 permit tcp host 84.252.208.82 host 62.28.21.152 eq 22
 permit esp host 213.86.84.36 host 62.28.21.152
 permit icmp 212.58.55.192 0.0.0.63 host 62.28.21.152
 permit icmp 85.88.145.32 0.0.0.3 host 62.28.21.152
 permit tcp 85.88.145.32 0.0.0.3 host 62.28.21.152 eq 22
 permit gre host 213.86.84.36 host 62.28.21.152
 permit esp host 213.86.84.196 host 62.28.21.152
 permit gre host 213.86.84.196 host 62.28.21.152
 permit udp host 213.86.84.196 host 62.28.21.152 eq isakmp
 permit udp host 213.86.84.36 host 62.28.21.152 eq isakmp
 permit esp host 216.110.25.3 host 62.28.21.152
 permit gre host 216.110.25.3 host 62.28.21.152
 permit udp host 216.110.25.3 host 62.28.21.152 eq isakmp
 permit esp host 85.88.145.34 host 62.28.21.152
 permit gre host 85.88.145.34 host 62.28.21.152
 permit udp host 85.88.145.34 host 62.28.21.152 eq isakmp
 permit icmp host 85.88.145.34 host 62.28.21.152
 permit icmp host 62.48.177.146 host 62.28.21.152
 deny   ip 10.0.176.0 0.0.15.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp 213.86.84.32 0.0.0.31 host 62.28.21.152 eq 22
 permit icmp 213.86.84.32 0.0.0.31 host 62.28.21.152
 permit tcp 213.86.84.192 0.0.0.31 host 62.28.21.152 eq 22
 permit icmp 213.86.84.192 0.0.0.31 host 62.28.21.152
 deny   ip any any log
!
access-list 179 permit gre host 62.28.21.152 host 213.86.84.36




0
SanjeevlokeCommented:
I have quick query ..is this site new implementation ? or was it working previously & now is down .

I have seen scenarios of such if it was implemented and working properly and after few days it goes down.
1) pls ping remote end ipsec peer IP from HUB if it ping its OK not pinging then check if any ISP isssue.
2) pls past o/p of sh crypto isakmp sa | i 20.20.20.20 ...remote location of remote peer
3) try to remove crypto config from router and again reinsert it.
4) if dont want to 3rd step reboot remote router...

ipsec behaves in weird way..
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.