GRE IPSec Tunnel - Cisco 1811

I have two sites connected through a GRE IPSec Tunnel.  All IPs are changed for obvious reasons.

Site 1 has 172.10.200.1 (Tunnel interface IP)
Site 2 has 172.10.200.2 (Tunnel interface IP)

The problem we are having is that this tunnel stops passing traffic every so often.  I can shut the tunnel and no shut the tunnel and it comes right back up and passes traffic as it should for another period of time and then drops again.

When it drops, sh crypto session shows the tunnel as UP-ACTIVE.  We never see the tunnel go to the down status.

All of our routes point to the correct place, so that isn't an issue, otherwise it would never work.

Anyone have any ideas on what we can try here?  I have troubleshot this to death and have never seen a tunnel do this before.
considerscs (Author) commented:
Note:  we also cannot get SSH to work nor client-to-site VPN's from the outside world as it acts like it never hits the router.  SSH works fine from other tunnels or the inside interface.
Soulja commented:
Post config.
Robert Sutton Jr (Senior Network Manager) commented:
Keepalives?
considerscs (Author) commented:
We have the below line for the crypto.

crypto ipsec security-association lifetime seconds 86400

I am not finding the keepalive and show keepalive gives me nothing.
Soulja commented:
Try:

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
considerscs (Author) commented:
I have attached the configuration of the Tunnels.

Tunnel50 is the one dropping
Tunnel100 never drops that we can tell.

The isakmp keys were removed.
GRE-Config.txt
Soulja commented:
Any particular reason you have the tunnels configured differently? Particularly the

crypto ipsec security-association lifetime seconds 86400

not being applied to tunnel 50?

I would try to match the tunnel that works and see if that cures the issue.
considerscs (Author) commented:
I am concerned with why the 100 has the GRE protection and the security-association set to 3600 seconds and it never drops.

Both tunnels were configured exactly the same before.

crypto ipsec profile GRE
 set security-association lifetime seconds 3600
 set transform-set SpokeTS


interface Tunnel100
 ip address 10.11.11.12 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination x.x.x.x
 tunnel protection ipsec profile GRE


If this tunnel is set to lifetime seconds of 3600, wouldn't this be an issue?
Soulja commented:
It should be. It's just the time that the security association will be established before another is initiated.
considerscs (Author) commented:
I applied

set security-association lifetime seconds 84600

to Tunnel50.  I am hoping that will force it to stay up.  We don't need it to re-initiate the tunnel very frequently.  The other end of this tunnel is managed by someone else, so we do not know what his configuration looks like.  The tunnel may be dropping because his is not set to allow it to re-initiate so much.

I am monitoring it after these changes to see if we see the tunnel drop again.
Soulja commented:
Oh!! You didn't mention the other side wasn't managed by you. Definitely need to see how they have things set on the other end. You want both ends to match as much as possible.
considerscs (Author) commented:
Yes I am sorry I forgot to mention that.

The other side is very hard to work with or get in touch with.  So I am hoping this is going to solve it by applying the general configuration that we normally see with this person.

I am stepping in on this router to get it resolved.  This was set up by someone in the past and it's always had problems.
Soulja commented:
Yeah, usually anytime you set up site-to-site VPNs, both sides agree on the settings to ensure the VPN doesn't have issues. With you only having visibility of your side's settings, you are basically guessing on what the other side is set up like. Regardless, if the tunnel is up the Phase 1 and 2 settings are at least correct, but misc settings may not match and could be throwing off your VPN.
considerscs (Author) commented:
Looks like so far the keepalives and SA's were the issue.
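The Tunnel50 configuration as the thread converges on it (DPD keepalives, invalid-SPI recovery, an SA lifetime matching the working Tunnel100 profile), as an added, constructed example that is not the attached GRE-Config.txt or any poster's config. It assumes a pre-shared-key ISAKMP policy and AES/SHA transforms, neither of which the thread states, and keeps the thread's x.x.x.x placeholder for the peer address.

```cisco
! Constructed example for the thread above; not the attached GRE-Config.txt.
! Phase 1 policy and pre-shared key are assumptions (the thread does not show them).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key <PSK-REMOVED> address x.x.x.x
!
! Dead Peer Detection: probe the peer every 10 s, retry every 3 s, and send probes
! on a timer (periodic) rather than only when traffic is queued. Without DPD the
! session stays UP-ACTIVE locally even after the far end has dropped its SAs,
! which matches the symptom in the thread.
crypto isakmp keepalive 10 3 periodic
!
! If the peer sends ESP with an SPI this router no longer knows, start a new
! IKE exchange instead of silently discarding traffic until the next re-key.
crypto isakmp invalid-spi-recovery
!
! Global IPsec SA lifetime (value quoted in the thread).
crypto ipsec security-association lifetime seconds 86400
!
! Transform set name is from the thread; the algorithms are an assumption.
crypto ipsec transform-set SpokeTS esp-aes esp-sha-hmac
 mode tunnel
!
! Same profile the working Tunnel100 uses, so both tunnels re-key on one schedule.
! The peer must be configured with a matching lifetime and transform set.
crypto ipsec profile GRE
 set security-association lifetime seconds 3600
 set transform-set SpokeTS
!
interface Tunnel50
 ip address 172.10.200.1 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination x.x.x.x
 tunnel protection ipsec profile GRE
!
! Verification after applying: DPD state and SA timers should now be visible.
!   show crypto session detail
!   show crypto ipsec sa
```

After the change, a peer that stops answering DPD probes should now cause the session to leave UP-ACTIVE and re-establish on its own, which is the behaviour to watch for instead of the manual shut / no shut.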
