Solved

GRE IPSec Tunnel - Cisco 1811

Posted on 2013-10-28
734 Views
Last Modified: 2013-10-28
I have two sites connected through a GRE IPSec Tunnel.  All IPs are changed for obvious reasons.

Site 1 has 172.10.200.1 (Tunnel interface IP)
Site 2 has 172.10.200.2 (Tunnel interface IP)

The problem we are having is that this tunnel stops passing traffic every so often.  I can shut the tunnel and no shut the tunnel and it comes right back up and passes traffic as it should for another period of time and then drops again.

When it drops, sh crypto session shows the tunnel as UP-ACTIVE.  We never see the tunnel go to the down status.

All of our routes point to the correct place, so that isn't an issue, otherwise it would never work.

Anyone have any ideas on what we can try here?  I have troubleshot this to death and have never seen a tunnel do this before.
Question by:considerscs
14 Comments
 
LVL 1

Author Comment

by:considerscs
ID: 39605608
Note:  we also cannot get SSH to work nor client-to-site VPNs from the outside world as it acts like it never hits the router.  SSH works fine from other tunnels or the inside interface.
 
LVL 26

Expert Comment

by:Soulja
ID: 39605665
Post config.
 
LVL 15

Accepted Solution

by:The_Warlock
The_Warlock earned 167 total points
ID: 39605670
Keepalives?
 
LVL 1

Author Comment

by:considerscs
ID: 39605685
We have the below line for the crypto.

crypto ipsec security-association lifetime seconds 86400

I am not finding the keepalive and show keepalive gives me nothing.
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 333 total points
ID: 39605700
Try:

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
 
LVL 1

Author Comment

by:considerscs
ID: 39605731
I have attached the configuration of the Tunnels.

Tunnel50 is the one dropping
Tunnel100 never drops that we can tell.

The isakmp keys were removed.
GRE-Config.txt
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 333 total points
ID: 39605764
Any particular reason you have the tunnels configured differently? Particularly the

crypto ipsec security-association lifetime seconds 86400

not being applied to tunnel 50?

I would try to match the tunnel that works and see if that cures the issue.
 
LVL 1

Author Comment

by:considerscs
ID: 39605786
I am concerned with why the 100 has the GRE protection and the security-association set to 3600 seconds and it never drops.

Both tunnels were configured exactly the same before.

crypto ipsec profile GRE
 set security-association lifetime seconds 3600
 set transform-set SpokeTS


interface Tunnel100
 ip address 10.11.11.12 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination x.x.x.x
 tunnel protection ipsec profile GRE


If this tunnel is set to lifetime seconds of 3600, wouldn't this be an issue?
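Soulja's point above is that the two tunnels end up with different effective SA lifetimes, and the earlier suggestion was to add ISAKMP keepalives. As an added example (not from the thread, the poster's config, or Cisco), this small Python checker parses an IOS config excerpt, resolves each tunnel's effective lifetime (profile setting, else global, else the 3600 s IOS default) and flags lifetime mismatches, missing `crypto isakmp keepalive`, and tunnels with no usable protection profile. `SAMPLE_CONFIG` is a constructed sample modelled on the snippets posted, not the attached GRE-Config.txt.

```python
"""Lint a Cisco IOS config for GRE-over-IPsec consistency. SAMPLE_CONFIG is a constructed
sample modelled on the thread's snippets, not the poster's real configuration."""
import re

SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 86400
crypto ipsec profile GRE
 set security-association lifetime seconds 3600
 set transform-set SpokeTS
crypto ipsec profile GRE50
 set transform-set SpokeTS
interface Tunnel50
 tunnel protection ipsec profile GRE50
interface Tunnel100
 tunnel protection ipsec profile GRE
"""

def parse_blocks(config):
    # Group IOS config text into (top-level line, [indented sub-lines]) pairs.
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    return blocks

def analyze(config):
    """Return the effective SA lifetime per tunnel, the DPD interval, and findings."""
    global_lifetime, keepalive, profiles, tunnels = 3600, None, {}, {}  # 3600 s: IOS default
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto ipsec security-association lifetime seconds"):
            global_lifetime = int(words[-1])
        elif header.startswith("crypto isakmp keepalive"):
            keepalive = int(words[3])
        elif header.startswith("crypto ipsec profile"):
            hits = [int(m.group(1)) for m in (re.search(r"lifetime seconds (\d+)", l) for l in body) if m]
            profiles[words[3]] = hits[0] if hits else None  # None -> inherits the global value
        elif header.startswith("interface Tunnel"):
            prot = [l.split()[4] for l in body if l.startswith("tunnel protection ipsec profile")]
            tunnels[words[1]] = prot[0] if prot else None
    findings, lifetimes = [], {}
    if keepalive is None:
        findings.append("no 'crypto isakmp keepalive' (DPD): a dead peer is only noticed at SA expiry")
    for name, prof in tunnels.items():
        if prof in profiles:
            lifetimes[name] = profiles[prof] or global_lifetime
        else:
            findings.append(f"{name}: no usable 'tunnel protection ipsec profile'")
    if len(set(lifetimes.values())) > 1:
        findings.append(f"SA lifetimes differ across tunnels: {lifetimes}; match the working one")
    return {"lifetimes": lifetimes, "keepalive": keepalive, "findings": findings}
```

Run `analyze()` over your own `show running-config` output before and after a change to confirm both tunnels resolve to the same lifetime and that DPD is present.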
 
LVL 26

Expert Comment

by:Soulja
ID: 39605795
It should be. It's just the time that the security association will be established before another is initiated.
 
LVL 1

Author Comment

by:considerscs
ID: 39605814
I applied

set security-association lifetime seconds 84600

to Tunnel50.  I am hoping that will force it to stay up.  We don't need it to re-initiate the tunnel very frequently.  The other end of this tunnel is managed by someone else, so we do not know what his configuration looks like.  The tunnel may be dropping because his is not set to allow it to re-initiate so much.

I am monitoring it after these changes to see if we see the tunnel drop again.
 
LVL 26

Expert Comment

by:Soulja
ID: 39605858
Oh!! You didn't mention the other side wasn't managed by you. Definitely need to see how they have things set on the other end. You want both ends to match as much as possible.
 
LVL 1

Author Comment

by:considerscs
ID: 39605868
Yes I am sorry I forgot to mention that.

The other side is very hard to work with or get in touch with.  So I am hoping this is going to solve it by applying the general configuration that we normally see with this person.

I am stepping in on this router to get it resolved.  This was set up by someone in the past and it's always had problems.
 
LVL 26

Expert Comment

by:Soulja
ID: 39605947
Yeah, usually anytime you set up site to site VPNs, both sides agree on the settings to ensure the VPN doesn't have issues. With you only having visibility of your side's settings, you are basically guessing on what the other side is set up like. Regardless, if the tunnel is up the Phase 1 and 2 settings are at least correct, but misc settings may not match and could be throwing off your VPN.
 
LVL 1

Author Closing Comment

by:considerscs
ID: 39606604
Looks like so far the keepalives and SAs were the issue.
