considerscs asked on
GRE IPSec Tunnel - Cisco 1811
I have two sites connected through a GRE IPSec Tunnel. All IP's are changed for obvious reasons.
Site 1 has 172.10.200.1 (Tunnel interface IP)
Site 2 has 172.10.200.2 (Tunnel interface IP)
The problem we are having is that this tunnel stops passing traffic every so often. I can shut the tunnel and no shut the tunnel and it comes right back up and passes traffic as it should for another period of time and then drops again.
When it drops, sh crypto session shows the tunnel as UP-ACTIVE. We never see the tunnel go to the down status.
All of our routes point to the correct place, so that isn't an issue, otherwise it would never work.
Anyone have any ideas on what we can try here? I have troubleshot this to death and have never seen a tunnel do this before.
Post config.
ASKER
We have the below line for the crypto.
crypto ipsec security-association lifetime seconds 86400
I am not finding the keepalive and show keepalive gives me nothing.
ASKER
I have attached the configuration of the Tunnels.
Tunnel50 is the one dropping
Tunnel100 never drops that we can tell.
The isakmp keys were removed.
GRE-Config.txt
ASKER
I am concerned with why the 100 has the GRE protection and the security-association set to 3600 seconds and it never drops.
Both tunnels were configured exactly the same before.
crypto ipsec profile GRE
 set security-association lifetime seconds 3600
 set transform-set SpokeTS
interface Tunnel100
 ip address 10.11.11.12 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination x.x.x.x
 tunnel protection ipsec profile GRE
If this tunnel is set to lifetime seconds of 3600, wouldn't this be an issue?
It should be. It's just the time that the security association will be established before another is initiated.
ASKER
I applied
set security-association lifetime seconds 84600
to Tunnel50. I am hoping that will force it to stay up. We don't need it to re-initiate the tunnel very frequently. The other end of this tunnel is managed by someone else, so we do not know what his configuration looks like. The tunnel may be dropping because his is not set to allow it to re-initiate so much.
I am monitoring it after these changes to see if we see the tunnel drop again.
Oh!! You didn't mention the other side wasn't managed by you. Definitely need to see how they have things set on the other end. You want both ends to match as much as possible.
ASKER
Yes I am sorry I forgot to mention that.
The other side is very hard to work with or get in touch with. So I am hoping this is going to solve it by applying the general configuration that we normally see with this person.
I am stepping in on this router to get it resolved. This was set up by someone in the past and it's always had problems.
Yeah, usually anytime you set up site to site VPNs, both sides agree on the settings to ensure the VPN doesn't have issues. With you only having visibility of your side's settings, you are basically guessing on what the other side is set up like. Regardless, if the tunnel is up the Phase 1 and 2 settings are at least correct, but misc settings may not match and could be throwing off your VPN.
ASKER
Looks like so far the keepalives and SA's were the issue.
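The two things this thread converges on, whether each GRE tunnel has a keepalive and what SA lifetime actually applies to it, are easy to miss by eye when the lifetime can come from the profile, from a global `crypto ipsec security-association lifetime` line, or from the IOS default. The script below is an added example, not code from the thread or from Cisco: it parses a constructed IOS-style running-config modelled on the snippets above (the profile name `GRE50`, the transform-set arguments, the 203.0.113.x destinations and the `keepalive 10 3` line are assumed for illustration) and reports, per Tunnel interface, the keepalive, the protecting profile, the effective SA lifetime and where that value came from.

```python
"""Audit Cisco IOS config text for GRE-over-IPsec tunnel settings.

Added example, not from the original thread. Parses a constructed
IOS-style config and reports per Tunnel interface: GRE keepalive,
protecting IPsec profile, and the effective SA lifetime (profile value,
else the global value, else the IOS default of 3600 seconds).
"""
import re

DEFAULT_SA_LIFETIME = 3600  # IOS default when neither profile nor global sets one

# Constructed sample config modelled on the thread; names/addresses are made up.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SpokeTS esp-aes esp-sha-hmac
!
crypto ipsec profile GRE
 set security-association lifetime seconds 3600
 set transform-set SpokeTS
!
crypto ipsec profile GRE50
 set transform-set SpokeTS
!
interface Tunnel50
 ip address 172.10.200.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 203.0.113.50
 tunnel protection ipsec profile GRE50
!
interface Tunnel100
 ip address 10.11.11.12 255.255.255.0
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 203.0.113.100
 tunnel protection ipsec profile GRE
!
"""


def parse_sections(config_text):
    """Split IOS config into {header: [indented sub-lines]} plus the top-level lines."""
    sections, top_level, current = {}, [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates blocks in IOS output
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top_level.append(current)
    return sections, top_level


def first_int(lines, pattern):
    """Return the integer captured by `pattern` on the first matching line, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return None


def audit_tunnels(config_text):
    """Return {tunnel_name: finding dict} for every Tunnel interface in the config."""
    sections, top_level = parse_sections(config_text)
    global_life = first_int(top_level, r"crypto ipsec security-association lifetime seconds (\d+)")
    dpd = any(l.startswith("crypto isakmp keepalive") for l in top_level)  # IKE DPD, global
    findings = {}
    for header, lines in sections.items():
        m = re.match(r"interface (Tunnel\d+)$", header)
        if not m:
            continue
        name = m.group(1)
        keepalive = next((l for l in lines if l.startswith("keepalive")), None)
        profile = None
        for l in lines:
            pm = re.match(r"tunnel protection ipsec profile (\S+)", l)
            if pm:
                profile = pm.group(1)
        profile_lines = sections.get(f"crypto ipsec profile {profile}", []) if profile else []
        profile_life = first_int(profile_lines, r"set security-association lifetime seconds (\d+)")
        if profile_life is not None:
            effective, source = profile_life, "profile"
        elif global_life is not None:
            effective, source = global_life, "global"
        else:
            effective, source = DEFAULT_SA_LIFETIME, "default"
        issues = []
        if keepalive is None and not dpd:
            issues.append("no GRE keepalive and no ISAKMP DPD: line protocol stays up "
                          "even when the far end stops answering")
        if profile is None:
            issues.append("no tunnel protection: GRE would be carried in cleartext")
        elif f"crypto ipsec profile {profile}" not in sections:
            issues.append(f"profile {profile} is referenced but not defined")
        findings[name] = {"keepalive": keepalive, "profile": profile,
                          "sa_lifetime": effective, "lifetime_source": source,
                          "issues": issues}
    return findings


if __name__ == "__main__":
    for name, f in audit_tunnels(SAMPLE_CONFIG).items():
        print(f"{name}: keepalive={f['keepalive']!r} profile={f['profile']} "
              f"sa_lifetime={f['sa_lifetime']}s ({f['lifetime_source']})")
        for issue in f["issues"]:
            print(f"  - {issue}")
```

Run against a saved `show running-config` (replace `SAMPLE_CONFIG` with the file contents) and compare the `sa_lifetime` column with what the far end reports: a lifetime that the two sides do not agree on is exactly the kind of "misc setting" that leaves `show crypto session` at UP-ACTIVE while the tunnel stops forwarding. The GRE keepalive check is the one the asker was missing on Tunnel50; without it (or ISAKMP DPD) the router has no way to notice that the peer has gone quiet.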