Disappearing tunnel keepalives with tunnel interface in vrf

Similar Messages

• Odd Tunnel Interface behavior - one end requires "no keepalive"

  Where's the quick version.  Tunnel between sites A & B.  This is GRE o IPSEC, but I don't think that's the issue.  Tunnel comes up and works great when:  site A has no keepalives and site B has no keepalives,  and it works when Site A has keepalives turned on and Site B does not.  The moment I turn on keepalives on site B, the tunnel goes down.
  This isn't a simple config.  Site A is an MPLS PE, meaning the Tunnel interface is configured with an fVRF and iVRF.  Site B has no VRF's - it is the CE.
  Any ideas on how to fix?  I need Site B's Tunnel interface to go down when connectivity fails.  My current workaround is to use EIGRP to update the routing tables.  I need to be able to support redundant paths with static and floating routes.

  Like this;
  Core1-r1#sh access-list ironport2
  Extended IP access list ironport2
      10 deny tcp host 10.247.254.174 any
      20 deny tcp any 192.168.0.0 0.0.255.255
      30 deny tcp any 10.0.0.0 0.255.255.255
      40 deny tcp host 10.230.3.250 any
      50 permit tcp 10.139.60.0 0.0.0.255 any (119568304 matches)
      60 permit tcp 10.230.32.0 0.0.0.255 any (9290669 matches)
      70 permit tcp host 10.230.48.12 any (141403 matches)
      80 permit tcp host 10.230.36.62 any (1456 matches)
      90 permit tcp host 10.150.18.7 any (741 matches)
  Core1-r1#
  10= P1 interface
  20= network we don't want to be sent to ironport
  30= " "
  40= M1 interface
  50->90=All testing subnets to go to ironport
  Thanks for the feedback! jc

• DMVPN + IPSec protected VRFs; IPSec SAs established only on one tunnel interface

  Hello folks!
  I have a setup between two Cisco ISR routers, running IOS 15.1(4)M3. I have tried to establish DMVPN connectivity with two VRFs (ie. two tunnel interfaces per router) between the routers and it mostly seems to be working as I expected. But... IPSec SAs seem to get tied to only one of the tunnel interface, not two (one per direction) per tunnel interface as they should. There's no MPLS backbone in between the routers, only "global VRF", routed IP network.
  Command "show crypto ipsec sa" or indirectly a missing OSPF neighborhood between the routers verifies the erroneuous situation. Occasionally, after an "interface tunnel[ 0 or 1] shut, no shut" or "clear crypto sa" command I seem to get it up and running, two SAs per tunnel interface, but if I reboot either one of the routers or just clear the IPSec SA, they most likely will appear under either one of two tunnel interfaces. So, what should I change to instruct the router setup SAs correctly, two SAs (one per direction) per tunnel interface?
  I'll enclose appropriate parts of the configurations and output of command "show crypto ipsec sa".

  I think I figured it out, for anyone who might stumble across this post in the future. It looks like you need to add the shared keyword to the tunnel protection command. ie...
  interface tunnel 0
   tunnel protection ipsec profile MyProfile shared
  end
  I should note that one of the first things I tried was to created a separate IPSec profile for each unique tunnel interface. It ended up not fixing the problem and I had to go with the solution above. 

• Netflow with tunnel interfaces

  Hi I have a customer who is using tunnel interfaces with IPSEC on their WAN. They are collecting Netflow stats and exporting them to a server.Under the tunnel interface I have specified the bandwidth to be 1000.When I did not specify the bandwidth the tunnel speed came up on the management software as being 9kb. This was obviously not a true reflection when observing the data. The far end remote office is terminating via dsl and my question is should I specify the bandwidth under the tunnel interface to be closer to the dsl connection they have there ie 512k? There are many other tunnels coming from the main site and I have not configured Netflow on the this particular remote end.

  Hi Justin,
  If we would define bandwidth on tunnel interface it will manipulate routing decisions also and tunnel recursiuon issue could also occur where tunnel would see that the best way to reach teh destination is via tunnel itself. Beside taht the actual bandwidth used by the tunnel is based on the physical interface associated with it.

• GRE keepalives with VRF

  GRE keeplives enabled under tunnel interfaces will put the line protocol of tunnel to down... I have tested this in LAB !!!
  why is it so , what is the workaround to use keepalives with VRF ........

  Hello,
  It is caused by the way how the GRE keepalives work. I suggest reading these two documents first:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml
  In short, a router sending keepalive in essence constructs an IP packet whose source is the remote endpoint and recipient is the router itself. It then encapsulates it using GRE and attaches another IP header to it with the send being itself and destination being the remote end. This packet will be sent to the remote end, there it will be decapsulated and afterwards it will be routed as usual, thereby returning the inner IP packet back to the original sender.
  Obviously, this keepalive mechanism is not integrated with the VRF feature. The keepalive packet may arrive at the remote endpoint but after it is decapsulated the association with the receiving Tunnel interface is obviously lost and the remote endpoint tries to route that packet back using the global routing table, not the VRF in which the tunnel resides. This in turn causes the keepalive packet to never return.
  I am unfortunately not aware of any backup keepalive mechanism for this, apart of running routing protocols over the tunnel with more aggresive hello and dead intervals.
  Best regards,
  Peter

• BW showing under Tunnel Interface

  Hi,
  I've been looking through our VPN Tunnel Interfaces and noticed all of them have the same BW of 9Kbit. Where is this figure derived from?
  sh int tu17
  Tunnel17 is up, line protocol is up
    Hardware is Tunnel
    Description: Tunnel to M
    Internet address is 172.27.240.61/30
    MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
       reliability 255/255, txload 180/255, rxload 110/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel protocol/transport GRE/IP

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  It's a platform/IOS default.  It can be changed using the interface bandwidth statement (on the tunnel interface).

• Dual stack on tunnel interface

  Is it possible to run dual stack IP schemes over an ipsec-protected tunnel interface on IOS? I am able to assign the IPv6 addresses like a normal interface on both ends however when i try to ping across the tunnel with IPv6 there is no response. Here is an example of my config:
  R1
  interface Tunnel0
   description Tunnel to R2
   ip address 172.30.1.237 255.255.255.252
   ip mtu 1400
   ip nat inside
   ip virtual-reassembly
   load-interval 30
   ipv6 address FE80::172:30:1:1 link-local
   ipv6 address 2001:1::172:30:1:1/126
   keepalive 5 4
   tunnel source GigabitEthernet0/1
   tunnel mode ipsec ipv4
   tunnel destination 1.2.3.4
   tunnel protection ipsec profile protect-gre
  R2
  interface Tunnel0
   description Tunnel to R1
   ip address 172.30.1.238 255.255.255.252
   ip mtu 1400
   ip nat inside
   ip virtual-reassembly
   load-interval 30
   ipv6 address 2001:1::172:30:1:2/126
   ipv6 address FE80::172:30:1:2 link-local
   keepalive 5 4
   tunnel source FastEthernet0/1
   tunnel destination 1.2.3.5
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile protect-gre
  The only solution i can clearly see is running a separate tunnel, which i would like to avoid. Any assistance is greatly appreciated!

  Hello,
  In my System preferences the IPv6 settings are set to "automatic", my DSL router (Cisco 787) supports IPv6. When visiting sites like www.sixxs.net and www.apnic.org (which are reachable by both IPv6 and IPv4), some pages are reached by IPv6 and some by IP4. Even the same page may load in IPv6 first, but a second time via IPv4. This behaviour has changed since my upgrade to Leopard, under Tiger the behaviour was much more stable.
  Gerard

• DMVPN in Cisco 3945 output drop in tunnel interface

  I configured DMVPN in Cisco 3945 and checked the tunnel interface. I found out that I have output drop. How can I remove that output drop? I already set the ip mtu to 1400.
  CORE-ROUTER#sh int tunnel 20
  Tunnel20 is up, line protocol is up
    Hardware is Tunnel
    Description: <Voice Tunneling to HO>
    Internet address is 172.15.X.X./X
    MTU 17878 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 10.15.X.X (GigabitEthernet0/1)
     Tunnel Subblocks:
        src-track:
           Tunnel20 source tracking subblock associated with GigabitEthernet0/1
            Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
    Tunnel protocol/transport multi-GRE/IP
      Key 0x3EA, sequencing disabled
      Checksumming of packets disabled
    Tunnel TTL 255, Fast tunneling enabled
    Tunnel transport MTU 1438 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Tunnel protection via IPSec (profile "tunnel_protection_profile_2")
    Last input 00:00:01, output never, output hang never
   --More--           Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 7487
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    30 second input rate 0 bits/sec, 0 packets/sec
    30 second output rate 0 bits/sec, 0 packets/sec
       48007 packets input, 4315254 bytes, 0 no buffer
       Received 0 broadcasts (0 IP multicasts)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       42804 packets output, 4638561 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  interface Tunnel20
   description <Bayantel Voice tunneling>
   bandwidth 30720
   ip address 172.15.X.X 255.255.255.128
   no ip redirects
   ip mtu 1400
   no ip next-hop-self eigrp 20
   no ip split-horizon eigrp 20
   ip nhrp authentication 0r1x@IT
   ip nhrp map multicast dynamic
   ip nhrp network-id 1002
   ip nhrp holdtime 300
   ip tcp adjust-mss 1360
   tunnel source FastEthernet0/0/1
   tunnel mode gre multipoint
   tunnel key 1002
   tunnel protection ipsec profile tunnel_protection_profile_2 shared

  Hi,
  Thanks for the input. If the radio is sending out the packet but client did not receive, not output drop should be seen since packet is sent out, right?
  From my understanding, output drop is related to congested interface. Outgoing interface cannot take the rate packets coming in and thus droping it. What I don't understand is input and output rate has not reached limit yet. Also input queue is seeing drop of packet as well even though input queue is empty.
  Any idea?

• DLSW and Tunnel Interfaces problem

  We have a pair of routers with tunnel interfaces and DLSW between them.
  Some times the tunnel interface goes down thus loosing service trough DLSW.
  Is there any problem reported between DLSW and this kind of tunel interfaces ?

  Hi,
  i assume you are using dlsw tcp peers.
  In general dlsw does not know over what infrastucture the connection really runs. Dlsw gives data to tcp and tcp is responsible for doing the actual transmission.
  I dont know of any problems with dlsw and tunnel interfaces in general.
  Some more information might help to understand the problem.
  What type of tunnel are you using? GRE?
  What version of ios are you running?
  Do you use additional encapsulation overhead like ipsec ect?
  Does tcp on this router use path mtu discovery?
  thanks...
  Matthias

• Where did these tunnel interfaces come from?!?

  Hello,
  just wondering why one of our routers creates tunnel interfaces dynamically.
  I was setting up a GRE tunnel to transport multicast traffic over network. After I was done, I found two extra tunnel interfaces with command show ip interfaces brief and those extra interfaces uses my original tunnel interface as their IP addresses. There is no any configuration regarding to these extra interfaces in running config. How did this happen? Any explanations? Is it relating somehow to my multicast solution?
  If I got two dynamically created tunnels does that mean that I have at least two concurrent multicast groups on my router in active state?
  Sorry for dummy questions but I have almost zero experience what comes for multicast and last time I studied it in school about 8 year ago...
  -JJ

  Hi,
  These are created dynamically, one to encapsulate multicast packets and the other one to decapsulate. You can see them with the command < show ip pim tunnel > . You can find the description and purpose of these tunnels here:
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti/command/imc-cr-book/imc_s1.html#wp9533023710
  Hope this helps,
  Jose.

• Monitoring tunnel interface traffic

  We've integrated WLSM with IDSM-2 and want to monitor wireless traffic terminating on tunnel interfaces. Can't find a way to configure SPAN or VACL on IOS 6500 to capture traffic. Any suggestions?

  Try this:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080459221.html

• Dynamic virtual tunnel interface on 2821

  I tried to configure a dynamic virtual tunnel interface on a Cisco 2821 with release 12.4(9)T1 advanced ip services, aiming to terminate VPN client ipsec tunnels on it.
  The feature is supported by this software release. Documentation says:
  - enter configuration
  - configure a virtual-template interface
  - type "tunnel mode <mode>"
  but the router does not accept this command.
  Any hint?
  Thank you in advance.
  Denis

  Try:
  just have to take a look at the concentrator's configuration.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
  and this one is an example with routers
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080143b0a.shtml

• Mystery Tunnel Interfaces on 2921 Router

  Hi All,
  I need some help.
  For some reason it seems we have 3 Tunnel interfaces on the router, not sure how it got there but we are unable to delete them or configure them.
  They seem to take the loopback ip as source and if I delete the loopback interface it chooses another IP.
  Output from sh ip int brief, not sure where it gets those IP's from as well.
  Tunnel0                    172.16.0.1      YES unset  up                    up     
  Tunnel1                    172.16.0.1      YES unset  up                    up     
  Tunnel2                    172.16.0.1      YES unset  up                    up    
  See below when I try to enter interface config mode:
  Router1(config)#int tunnel 0
  % This interface cannot be modified
  Any suggestions or help will be appreciated.
  Regards
  Z

  Hi Zubair,
  this is due to WCCP. You have WCCP for service 61 and 62 so my guess is you have an optimizer appliance (like WAAS) talking WCCP with this router. The tunnel interfaces are the result of WCCP using GRE encapsulation to redirect the traffic to the WAN optimizers.
  you can find more info here:
  https://supportforums.cisco.com/docs/DOC-15782
  thanks,
  Fabrizio

• Bandwith monitoring on physical interface or on tunnel interface ?

  Hi All,
  I would like to ask you a question .i am using solarwind monitoring tool for bandwith monioring.
  I would like to know which interface we should use for monitoring ? Physical interface or tunnel interface .
  I am using GRE tunnel in each of my remote locations.
  and in some locations when i compare my physical interface graph and tunnel interface graph ,there is always hugh difference ,tunnel interface always has high utilization.  but for some sides physical interface and tunnel interface graph are same .
  please do let me know which is the best for monitoing .

  Hi ,
  Genrally it can be posible due bandwidth configuration on tunnel interface but ther is no harm in monitoring both the interface,it is genarlly a benfit only for you as if tunnel goes down it will raise an alarm also for the same.
  For exact monitoring for tunnel interface i would suggest you to check  - VPNTTG (VPN Tunnel Traffic Grapher).
  Advantage of VPNTTG over other SNMP based monitoring softwares is following: Other (commonly used) softwares are working with static OID numbers, i.e. whenever tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data, gathered on the connection, is lost each time. However, VPNTTG works with VPN peers IP address and it stores for each VPN tunnel historical monitoring data into the Database.
  Hope that helps out your query !!
  If helpful do rate the valauble post.
  Regards
  Ganesh.H

• Tunnel interface to physical interface

  Hi All,
  I was wondering if it is possible to build a site to site vpn connection one side using tunnel interface and the other end using a physical interface.
  My plan is to use a 3945 router, build multiple tunnel interfaces on the router to connect 50 clients. By using tunnel interface on the router i could leverage on the vrf feature to isolate clients  but if i use tunnel interface on my end  i am not certain if the tunnel will come up if my client is using 1) ASA 2) PIX 3) vpn concentrator - which doesnt support tunnel interface.
  Thanks for your help in advance.
  Lou

  Mark Mattix wrote:I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address, 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet? Olivier Pelerin> This is correct
  When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
  Olivier Pelerin> See the diagram below - this explain GRE over IPSEC. That's a diagram I did here for a training
  On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
  Olivier Pelerin> the diagram below should answer that
  I've been wrong in thinking that GRE and IPSec go hand in hand when infact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, is looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
  Olivier Pelerin> Correct. GRE first then encryption
  Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
  [red = encrypted]