GRE keepalives with VRF

GRE keepalives enabled under tunnel interfaces will put the line protocol of the tunnel down... I have tested this in a LAB!!!
Why is it so, and what is the workaround to use keepalives with VRF?

Hello,
It is caused by the way the GRE keepalives work. I suggest reading these two documents first:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml
In short, a router sending a keepalive in essence constructs an IP packet whose source is the remote endpoint and whose recipient is the router itself. It then encapsulates it using GRE and attaches another IP header to it with the source being itself and the destination being the remote end. This packet will be sent to the remote end, where it will be decapsulated and afterwards routed as usual, thereby returning the inner IP packet back to the original sender.
Obviously, this keepalive mechanism is not integrated with the VRF feature. The keepalive packet may arrive at the remote endpoint, but after it is decapsulated the association with the receiving Tunnel interface is obviously lost and the remote endpoint tries to route that packet back using the global routing table, not the VRF in which the tunnel resides. This in turn causes the keepalive packet never to return.
I am unfortunately not aware of any backup keepalive mechanism for this, apart from running routing protocols over the tunnel with more aggressive hello and dead intervals.
Best regards,
Peter
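To make the mechanism Peter describes concrete, here is a small Python model of the keepalive exchange (an added example, not code from this thread or from Cisco). Addresses, VRF names and routing tables are constructed; the model assumes the decapsulated reply is looked up in the routing table of the Tunnel interface it arrived on, which is the behaviour that matches the PE-receives/CE-does-not symptom reported further down and the `tunnel vrf` fix given there.

```python
"""GRE keepalive across a VRF boundary, modelled in plain Python (added example, not
IOS code). All addresses, VRF names and routes are constructed for the illustration."""
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_IP = 0x0800
GRE_PROTO_KEEPALIVE = 0x0000  # inner GRE header with protocol type 0 marks a keepalive
GLOBAL = None                 # key of the global routing table

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum of an IPv4 header; verifies to 0 on a good header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header whose payload is GRE (protocol 47)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255, IPPROTO_GRE,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_header(proto: int) -> bytes:
    return struct.pack("!HH", 0, proto)  # no C/K/S bits, version 0, protocol type

def build_keepalive(local: str, remote: str) -> bytes:
    """Per the Cisco tech note: IP(peer -> us) + GRE proto 0, wrapped in IP(us -> peer) + GRE."""
    inner = ipv4_header(remote, local, 4) + gre_header(GRE_PROTO_KEEPALIVE)
    return ipv4_header(local, remote, 4 + len(inner)) + gre_header(GRE_PROTO_IP) + inner

def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:]

def parse_gre(pkt: bytes):
    _flags, proto = struct.unpack("!HH", pkt[:4])
    return proto, pkt[4:]

class Router:
    """tables: {vrf or GLOBAL: {prefix: next-hop name}}; tunnel_vrf: VRF of the Tunnel interface."""

    def __init__(self, name, addr, tables, tunnel_vrf, tunnel_peer):
        self.name, self.addr, self.tables = name, addr, tables
        self.tunnel_vrf, self.tunnel_peer = tunnel_vrf, tunnel_peer

    def lookup(self, vrf, dst):
        """Longest-prefix match in one table; None when that table has no route."""
        addr, best = ipaddress.IPv4Address(dst), None
        for prefix, nh in self.tables.get(vrf, {}).items():
            net = ipaddress.IPv4Network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None

    def receive(self, pkt):
        """('keepalive', peer) for a GRE proto-0 packet from our tunnel peer;
        ('forward', next_hop, inner) for a decapsulated packet; ('drop', reason)."""
        src, dst, proto, payload = parse_ipv4(pkt)
        if dst != self.addr or proto != IPPROTO_GRE:
            return ("drop", "not GRE addressed to this router")
        gre_proto, inner = parse_gre(payload)
        if gre_proto == GRE_PROTO_KEEPALIVE:
            return ("keepalive", src) if src == self.tunnel_peer else ("drop", "unknown peer")
        if gre_proto != GRE_PROTO_IP:
            return ("drop", "unsupported GRE payload")
        # Model assumption: the decapsulated packet is routed in the table of the Tunnel
        # interface it arrived on, with no memory of the transport (tunnel source) table.
        idst = parse_ipv4(inner)[1]
        nh = self.lookup(self.tunnel_vrf, idst)
        if nh is None:
            return ("drop", "no route to %s in %s" % (idst, self.tunnel_vrf or "global"))
        return ("forward", nh, inner)

def keepalive_round_trip(sender: Router, receiver: Router):
    """One keepalive from sender to receiver; the result is what the sender ends up seeing."""
    result = receiver.receive(build_keepalive(sender.addr, receiver.addr))
    if result[0] != "forward":
        return result                       # lost on the receiver
    if result[1] != sender.name:
        return ("drop", "forwarded towards %s, not back to the sender" % result[1])
    return sender.receive(result[2])        # the inner packet comes back to the sender

PE_ADDR, CE_ADDR = "192.0.2.1", "198.51.100.1"  # constructed transport addresses
# The thread's setup: PE Tunnel in VRF CUSTOMER, PE transport interface in global.
PE = Router("PE", PE_ADDR, {GLOBAL: {"198.51.100.0/24": "CE"}, "CUSTOMER": {}}, "CUSTOMER", CE_ADDR)
CE = Router("CE", CE_ADDR, {GLOBAL: {"192.0.2.0/24": "PE"}}, GLOBAL, PE_ADDR)
# The later reply's fix: transport interface in the VRF as well, selected with `tunnel vrf`.
PE_FIXED = Router("PE", PE_ADDR, {"CUSTOMER": {"198.51.100.0/24": "CE"}}, "CUSTOMER", CE_ADDR)
```

Running `keepalive_round_trip(CE, PE)` shows the CE's keepalive dropped on the PE for lack of a route in the VRF, while `keepalive_round_trip(PE, CE)` comes back and `keepalive_round_trip(CE, PE_FIXED)` comes back once the transport route lives in the same table.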

Similar Messages

  • Disappearing tunnel keepalives with tunnel interface in vrf

    Dear all
    I have an annoying problem with a GRE tunnel using keepalives and the tunnel interface on the PE residing in a VRF.
    The background for my setup is an Ethernet WAN link to our customer where the interface doesn't go down when the link fails.
    Therefore I want to use a GRE tunnel with keepalive in order to use static routes.
    The tunnel setup is as follows:
    1. PE, 6509, Sup720, IOS 12.2(18)SXF7
    interface FastEthernet8/13
    ip address xx.yy.zz.241 255.255.255.252
    speed 10
    duplex full
    no mop enabled
    interface Tunnel813
    ip vrf forwarding CUSTOMER
    ip address 10.0.0.101 255.255.255.252
    keepalive 5 3
    tunnel source xx.yy.zz.241
    tunnel destination xx.yy.zz.242
    end
    2. CE, 1803, IOS 12.4(15)T8
    interface FastEthernet0
    bandwidth 5000
    ip address xx.yy.zz.242 255.255.255.252
    speed 10
    full-duplex
    interface Tunnel0
    ip address 10.0.0.102 255.255.255.252
    keepalive 5 3
    tunnel source xx.yy.zz.242
    tunnel destination xx.yy.zz.241
    The problem is PE sends and receives keepalives and brings up the tunnel. CE on the other hand sends but doesn't receive keepalives.
    As far as I have learned from former discussions, the problem comes from the tunnel and physical interface belonging to different routing instances. If I put the tunnel interface on the PE into the global routing instance, all the keepalives reach their destinations as expected.
    I read about a solution involving "tunnel vrf" in the tunnel configuration. This command is not present in my IOS version, but AFAIK it is only necessary for having the underlying physical interface in a VRF as well.
    Furthermore I read about "mls mpls tunnel-recir", but I am not sure whether this might solve the issue here. And equally important: can I safely turn on this feature on a running system with quite a lot of VRF customers without any trouble?
    Any hint and/or advice is greatly appreciated here.
    Thanks a lot in advance,
    Grischa

    Wow, this is old, but...
    While they may or may not be officially supported, GRE tunnels do work with vrf's if you both put the tunnel interface in the VRF AND the physical interface the tunnel runs over, AND use the tunnel vrf command.  Then everything is in the same routing table and it works.  For example:
    PE:
    vrf definition vrf1
    rd 1:1
    address-family ipv4
      route-target export 1:1
      route-target import 1:1
    exit-address-family
    interface Ethernet0/0
    vrf forwarding vrf1
    ip address 192.168.1.1 255.255.255.0
    interface Tunnel1
    vrf forwarding vrf1
    ip address 1.1.1.1 255.255.255.252
    keepalive 1 3
    tunnel source Ethernet0/0
    tunnel destination 192.168.1.2
    tunnel vrf vrf1
    router bgp 12345
    bgp log-neighbor-changes
    address-family vpnv4
    ! Provider stuff - i.e., route reflector for MPLS network
    exit-address-family
    address-family ipv4 vrf vrf1
      neighbor 1.1.1.2 remote-as 64512
      neighbor 1.1.1.2 activate
      neighbor 1.1.1.2 default-originate
    exit-address-family
    CE:
    interface Ethernet0/0
    ip address 192.168.1.2 255.255.255.0
    interface Tunnel1
    ip address 1.1.1.2 255.255.255.252
    keepalive 1 3
    tunnel source Ethernet0/0
    tunnel destination 192.168.1.1
    router bgp 64512
    bgp log-neighbor-changes
    ! network statements perhaps
    ! redistribute static perhaps
    neighbor 1.1.1.1 remote-as 12345
    neighbor 1.1.1.1 update-source Tunnel1
    neighbor 1.1.1.1 soft-reconfiguration inbound
    Of course you don't need to run BGP, but you can.

  • Sharing global routing table with vrf for intra-as traffic

    We have a network block of 10.201.0.0/16 which is divided into two subnets, 10.201.0.0/18 and 10.201.192.0/18. We are getting an internet feed for each subnet.
    10.201.192.0/18 is in the global routing table, and 10.201.0.0/18 is in a vrf-lite green.
    I am thinking of doing the following:
    ...........HUB
    VL199/....\VL198
    SPOKE1 SPOKE2
    Hub and spoke are from perspective of vrf green.
    For vrf green in the HUB:
    ip route vrf green 10.201.0.0 255.255.255.192 vlan 199
    ip route vrf green 10.201.64.0 255.255.255.192 vlan198
    SPOKE1
    ip route 0.0.0.0 0.0.0.0 vlan199
    SPOKE2
    ip route 0.0.0.0 0.0.0.0 vlan198
    Suppose we already get the 2 internet feeds to HUB route with vrf green and global routing table. This should get vrf green going.
    But we also have global routing table on the HUB router.
    We would like to have 10.201.0.0/16 communicating with each other, and only keep internet default separated.
    How should we get to 10.201.0.0/18 from global routing table and how should we get to 10.201.192.0/18 from SPOKE[12]?

    In my lab, I have 2 ports configured.
    int gi1/2
    ip vrf forwarding green
    ip address 10.201.192.253 255.255.255.252
    int gi1/1
    ip address 10.201.192.254 255.255.255.252
    ip route 10.201.0.0 255.255.192.0 gi1/2
    ip route vrf green 10.201.192.0 255.255.192.0 gi1/1 10.201.192.254
    This way, traffic from vrf green to global has to go through the HUB, and vrf green will also reach vrf green through it.
    Is there any more elegant way for this purpose?

  • BGP to OSPF redistribution with VRFs

    I am having a problem with redistribution of routes between BGP and OSPF when using VRFs mapping to VLANs between the PE and CE.
    In this lab I've put together I have R4 and R5 communicating with each other via BGP with MPLS. If I redistribute the BGP into OSPF and deliver the connection to the CE without VLANs, it works fine. If I want to essentially keep the same primary network going into the other side of the BGP but send the VRF over a VLAN to the next router, the redistribution doesn't happen.
    In this example I have
    192.168.100.0/24 (R6) --ospf-- (R4) --BGP-- (R5) --ospf-- (R7) 192.168.200.0/24
    Between R4 and R5 is the core network running ospf (R1 - R3).
    Can anyone point me in the right direction why this isn't working? I am obviously missing something here.
    Thanks,
    Mike

    Hi Mike,
    You need to add capability vrf-lite under ospf process of R6 and R7 because they are configured with VRF-lite. This command will disable the check usually done on the PE to avoid routing loops.
    HTH
    Laurent.

  • Encrypted GRE Tunnel with RIP on a SRW527w??

    Hi All,
    Is it possible to configure an IPSEC GRE tunnel with RIP on an SRP527w? I see RIP, GRE & IPSEC are all possible.. But I'm not sure about them all together securing the GRE tunnel??
    See below. I basically want to do this with the SRW routers not native IOS. Single head end hub & spoke.
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008073a0c5.pdf
    Thanks a lot
    Matt

    On a much smaller scale of course!

  • GRE with VRF on MPLS/VPN

    Hi.
    Backbone network is running MPLS/VPN.
    I have one VRF (VRF-A) for client VPN network.
    One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
    Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
    So GRE is our option.
    CE config:
    Note: CE is running on global. VRF-A is configured at PE.
    But will add VRF-B here for the  requirement.
    interface Tunnel0
    ip vrf forwarding VRF-B
    ip address 10.12.25.22 255.255.255.252
    tunnel source GigabitEthernet0/1
    tunnel destination 10.12.0.133
    PE1 config:
    interface Tunnel0
    ip vrf forwarding VRF-B
    ip address 10.12.25.21 255.255.255.252
    tunnel source Loopback133
    tunnel destination 10.12.26.54
    tunnel vrf VRF-A
    Tunnel works and can ping point-to-point IP address.
    CE LAN IP for VRF-B  is configured as static route at PE1
    PE1:
    ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
    But from PE2, which is directly connected to PE1 (MPLS/LDP running), connectivity doesn't work.
    From PE2:
    - I can ping tunnel0 interface of PE1
    - I can't ping the tunnel0 interface of the CE
    Routing is all good and present in the routing table.
    From CE:
    - I can ping any VRF-B loopback interface of PE1
    - But not VRF-B loopback interfaces PE2 (even if routing is all good)
    PE1/PE2 are 7600 SRC3/SRD6.
    Any problem with 7600 on this?
    Need comments/suggestions.

    Hi Allan,
    What is running between PE1 and PE2 (what I mean is, any routing protocol)?
    If no, then PE2 has no way of knowing the GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
    If yes, then check whether those prefixes are available in the LDP table...
    Regards,
    Smitesh

  • IPsec over GRE in ASR 1000 with VRF

    Hi
    I'm trying to configure an IPsec over GRE tunnel between a Cisco 819G remote router and an ASR 1002 central router using crypto maps. Currently the ASR router has two VRFs (management vrf and EXTERNOS2 vrf) and in the future we are going to deploy different "virtual" routers from this box. I don't know why it doesn't work; the tunnel interface doesn't go up. Taking a view of the debugs obtained from the ASR router (debug crypto isakmp and debug crypto ipsec), I see the following errors:
    Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1
    Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
        local_proxy= 10.255.68.246/255.255.255.255/256/0,
        remote_proxy= 10.200.25.106/255.255.255.255/256/0,
        protocol= ESP, transform= NONE  (Transport),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    Oct  3 13:11:33: Crypto mapdb : proxy_match
            src addr     : 10.255.68.246
            dst addr     : 10.200.25.106
            protocol     : 0
            src port     : 0
            dst port     : 0
    Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match
    Oct  3 13:11:33: Crypto mapdb : proxy_match
            src addr     : 10.255.68.246
            dst addr     : 10.200.25.106
            protocol     : 0
            src port     : 0
            dst port     : 0
    Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match
    Oct  3 13:11:33: map_db_find_best did not find matching map
    Oct  3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
    Oct  3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
    Oct  3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
    Could anybody help me to troubleshoot why it doesn't work?
    I am posting the involved configuration sections from the ASR and 819G routers.
    B.R.

    Oops!! I forgot to paste the involved routes from both devices.
    ASR router
    ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6
    ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6          <--- c819G LAN network
    Cisco 819G
    ip route 0.0.0.0 0.0.0.0 Tunnel1
    ip route 10.255.68.246 255.255.255.255 Cellular0
    B.R.

  • IPSec for Redundant DMVPN with VRF

    Hi.
    I have been labbing up a solution using DMVPN and VRF, similar to that described in the blog post here.  It works very well, however when I try to extend the concept to a redundant hub, it breaks with IPSec.  If I remove the tunnel protection, it works fine.
    Does anyone have any ideas about providing IPSec protection to multiple DMVPN tunnels for VRFs to a redundant Hub?
    Thanks.
    Client config (no IPSec):
    interface Tunnel10
    ip vrf forwarding Staff
    ip address 10.254.254.23 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFS
    ip nhrp map multicast 172.16.1.1
    ip nhrp map 10.254.254.1 172.16.1.1
    ip nhrp map 10.254.254.3 172.16.1.3
    ip nhrp map multicast 172.16.1.3
    ip nhrp network-id 10
    ip nhrp holdtime 600
    ip nhrp nhs 10.254.254.1
    ip nhrp nhs 10.254.254.3
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 10
    interface Tunnel20
    ip vrf forwarding Clients
    ip address 10.254.253.23 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFSC
    ip nhrp map 10.254.253.1 172.16.1.1
    ip nhrp map multicast 172.16.1.1
    ip nhrp map multicast 172.16.1.3
    ip nhrp map 10.254.253.3 172.16.1.3
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp nhs 10.254.253.1
    ip nhrp nhs 10.254.253.3
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 20
    Hub 1:
    interface Tunnel10
    ip vrf forwarding Staff
    ip address 10.254.254.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFS
    ip nhrp map multicast dynamic
    ip nhrp network-id 10
    ip nhrp holdtime 360
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 10
    interface Tunnel20
    ip vrf forwarding Clients
    ip address 10.254.253.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFSC
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 360
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 20
    Hub 2:
    interface Tunnel10
    ip vrf forwarding Staff
    ip address 10.254.254.3 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFS
    ip nhrp map multicast dynamic
    ip nhrp network-id 10
    ip nhrp holdtime 360
    ip nhrp server-only
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 10
    interface Tunnel20
    ip vrf forwarding Clients
    ip address 10.254.253.3 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFSC
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 360
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 20

    Under the hubs you have to add a static NHRP mapping for the other hub (tunnel address followed by its NBMA address):
    HUB1
    interface Tunnel10
    ip nhrp map 10.254.254.3 < ip add of FastEthernet0/0 for HUB2>
    ip nhrp map multicast < ip add of FastEthernet0/0 for HUB2>
    HUB2
    interface Tunnel10
    ip nhrp map 10.254.254.1 < ip add of FastEthernet0/0 for HUB1>
    ip nhrp map multicast < ip add of FastEthernet0/0 for HUB1>
    The same thing for the other tunnel interfaces.

  • How to configure OSPFv3 with VRF in IOS (a guide)

    Hi everybody,
    I recently found myself in need of configuring VRF-segregated IPv6 routing with OSPFv3 in a pair of IOS 6500s. After a bit of research, I found that although the latest IOS releases for the 6500 (15.1(1)SY for the Sup720 and Sup2T) support configuring OSPFv3 on VRFs, Cisco has yet to release any documentation pertaining to its configuration other than command references. So, I thought I would share some of the pertinent and important details I discovered along the way to getting this working and collect them all in one place to help out anyone else who is trying to do this.
    1. The first thing you need to do is turn it on. Make sure you have enabled IPv6 routing with the "ipv6 unicast-routing" command and IPv6 VRFs with the "mls ipv6 vrf" command. Without these enabled, everything you try that seems like it should work will fail.
    2. You must use the new style VRF definition commands, the old "ip vrf <name>" commands are for IPv4 only. The new style of configuring the VRFs is "vrf definition <name>", under these VRFs you must specify the IP versions you want to run with the "address-family ipv4" and "address-family ipv6" commands. Also the command to place an interface into these VRFs is slightly different as well. On an interface, you must use the "vrf forwarding <name>" command instead of the old "ip vrf forwarding <name>" command.
    3. For OSPFv3 instances, the VRF is defined after you enter the process by using the "address-family ipv6 unicast vrf <name>" command. OSPFv2 instances still define the VRF at the same time as the process using the traditional "router ospf <process> vrf <name>" command.
    4. After you get this all configured the "show ipv6 ospf" commands will no longer work. You need to use the "show ospfv3 vrf" commands instead.
    I have attached a sample configuration of what I did. If anyone out there knows this better than I do, please correct anything I got wrong and/or add anything you think would be helpful. I would just like there to be a good source of info available for this subject, so people don't have to waste their time figuring this out the hard way.
    Best Regards,
    Greg

    Greg,
    Great information.
    Thanks for posting This!!!
    Reza

  • IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways

    Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated, spending many more hours than allotted to try and learn some of the finer details).  Time for some advice.  My usual trade is controls engineering, which generally requires only basic knowledge of networking principles.  However, I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system.  I decided to use cellular technology to connect these remote sites back to the main SCADA system.  Well, the infrastructure is now in and it's time to get these things talking.  Basic topology description is as follows:  Each remote site has an Airlink LS300 gateway.  Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system.  The Airlinks are provisioned by Verizon utilizing a private network with static IPs.  This private network's address is 192.168.1.0/24.  Back at the central office the SCADA computer is sitting behind a Cisco 2911.  The LAN address of the central office is 192.168.11.0/24.  The 2911 is utilizing GRE tunnels that terminate with Verizon.  The original turn-up was done with another contractor that did a basic config of the router, which you will find below.  As it stands now I am pretty confident the tunnels are up and working (if I change a local computer's subnet to 255.255.0.0 I can surprisingly reach the Airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks.  I think I understand just about every part of the config below and think it is just missing a few items to be complete.  I would greatly appreciate anyone's help in getting this set up correctly.  I also have a few questions about the setup that still don't make sense to me; you will find them below the config.  Thanks in advance.
    no aaa new-model
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1 
     lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 one-time secret 
    redundancy
    crypto isakmp policy 1
    encr 3des
    hash md5
     authentication pre-share
     group 2
    crypto isakmp key AbCdEf01294 address 99.101.15.99  
    crypto isakmp key AbCdEf01294 address 99.100.14.88 
    crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
    mode transport
    crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
     description Verizon Wireless Tunnel
     set peer 99.101.15.99
     set peer 99.100.14.88
     set transform-set VZW_TSET 
     match address VZW_VPN
    interface Tunnel1
     description GRE Tunnel to Verizon Wireless
     ip address 172.16.200.2 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.101.15.99
    interface Tunnel2
     description GRE Tunnel 2 to Verizon Wireless
     ip address 172.16.200.6 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.100.14.88
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 22.20.19.18 255.255.255.0
     duplex full
     speed 100
     crypto map VZW_VPNTUNNEL
    router bgp 65505
     bgp log-neighbor-changes
     network 0.0.0.0
     network 192.168.11.0
     neighbor 172.16.200.1 remote-as 6167
     neighbor 172.16.200.5 remote-as 6167
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ip access-list extended VZW_VPN
     permit gre host 99.101.15.99 host 22.20.19.18
     permit icmp host 99.101.15.99 host 22.20.19.18
     permit esp host 99.101.15.99 host 22.20.19.18
     permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
     permit gre host 22.20.19.18 host 99.101.15.99
     permit gre host 22.20.19.18 host 99.100.14.88
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    end
    So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
    ip route 192.168.1.0 255.255.0.0 22.20.19.19
    That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
    Now for a couple of questions for those that are still actually hanging around.
    #1 what is the purpose of the Ethernet address assigned to each tunnel?  I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?).  Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
    #2 is the config above correct in pointing the default route to the physical Ethernet address?  Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)?  If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
    #3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP.  Or is TCP implicit in some way with the GRE permit?
    I actually have a lot more questions, but I will keep reading for now.
    I really appreciate the time you all took to trudge through this.  Also please feel free to point anything else out that I may have missed or that can be improved.  Have a great day!

    This post is a duplicate of this thread
    https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
    which has a response. I suggest that all discussion of this question be done through the other thread.
    HTH
    Rick

  • HTTPS Keepalive with the CSM & SSL Module

    Has anyone had any success getting a secured web page for a keepalive using the CSM with and SSL module. If so can post an example?
    Thank you,
    Dave

    Hi David,
    Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
    2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • Problem managing keepalive with sockets

    Hello friends, I am finding difficulty to manage keepalives in my socket-based client/server app. Please help.
    I want to set a socket timeout so that the connection is closed by the server after a set inactivity time. Theoretically, this is a cakewalk, because I can setSoTimeout on the socket. I set it to 30 min. This works fine on my local machine. But after I deploy the server on the remote machine (OS Linux Red Hat), the soTimeout setting doesn't work. The client stops responding after about 5 minutes of inactivity. My problem is why this is happening and how I can solve this.
    The code I am using is like this:
    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.Socket;

    Socket socket = ...; // obtain socket somehow
    // readLine() is a BufferedReader method, so wrap the raw InputStream
    BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
    try {
        socket.setSoTimeout(30 * 60 * 1000); // 30 minutes; read() should throw SocketTimeoutException after this
        String fromClient = in.readLine();   // blocking read
        // ..do something with the message
    } catch (Exception e) {
        System.out.println(e);
    }
    When the connection goes dead (after about 5 min), no exception is caught at the above catch clause. Why?
    My guess is that a socket timeout of 5 min is set somewhere in the host machine, but if it is so, I have no idea where to check and how to reset. If the solution lies on the Linux side rather than on the Java side, ideally I would like to set a timeout value per socket (per app basis) so that my setting would not mess with other apps.
    As an alternative, the client can be programmed (but have not tried yet) to send a dummy message every 2 or 3 min to keep the connection alive. But doing so would keep connection alive for ever, which I don't want.
    What options are available to me?

    The socket gets disconnected when there is no reply from the client, so your timeout won't work in case there is no reply from the client. Program it in such a way that a dummy conversation occurs between the client and server when there is no actual conversation; then the timeout could work for you.

  • ZBFW design with vrf

    Hello,
    I am preparing a ZBFW design with 400+ ISR/ASR remote routers, FlexVPN and 1 VRF. Each router has a tunnel for visitors and another tunnel for normal users. Config below. In the documentation, I read "All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance".
    There is no need to communicate between vrf Visitors and the GRT, but both use the common wan zone on gigabit 0/0 and gigabit 0/2 to communicate to central.
    My question: can I put all 4 tunnel interfaces below in the same zone "vpn"?
    ip vrf Visitors
    interface Tunnel1111
    description === FlexVPN to nrtc102 (DC1 AVC - primary line) ===
    ip unnumbered Loopback1
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/0
    tunnel destination 10.255.117.104
    tunnel protection ipsec profile Primary-line
    interface Tunnel1112
    description === FlexVPN to nrtc102 (DC1 AVC - Secondary line) ===
    ip unnumbered Loopback2
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/2
    tunnel destination 10.255.117.105
    tunnel protection ipsec profile Secondary-line
    interface Tunnel1113
    description === FlexVPN to nrtcDMZ (DC1 - visitors - primary line) ===
    ip vrf forwarding Visitors
    ip unnumbered Loopback3
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/0
    tunnel destination 10.255.112.104
    tunnel protection ipsec profile Primary-line-visitors
    interface Tunnel1114
    description === FlexVPN to nrtcDMZ (DC1 - visitors - Secondary line) ===
    ip vrf forwarding Visitors
    ip unnumbered Loopback4
    ip mtu 1380
    ip tcp adjust-mss 1340
    tunnel source GigabitEthernet0/2
    tunnel destination 10.255.112.105
    tunnel protection ipsec profile Secondary-line-visitors
    Many thanks, Karien

    Hello Karien,
    Not sure I get the question..
    The definition you are looking for, I guess, is this one:
    A router can only inspect inter-VRF traffic if traffic must enter or leave a VRF through an interface to cross to a different VRF. If traffic is routed directly to another VRF, there is no physical interface where a firewall policy can inspect traffic, so the router is unable to apply inspection.
    Based on that I would say that on each VRF there will need to be a dedicated security zone applied.
    I will try to run a lab real quick tomorrow and get back to you.
    Remember to rate all of the helpful posts. That's as important as a Thanks.
    Julio Carvajal Segura

  • Script Keepalive with Passive UDP Services

    When sending a script keepalive (socket connect) to a passive UDP service (snmp, syslog, etc.), it doesn't appear that the CSS will recognize an ICMP Port Unreachable response as being associated with the socket. Is this correct, or am I missing something?
    ~Zach

    the scripting function is pretty basic.
    So, I don't know if this is *correct* but it sounds like normal.
    Gilles.

  • Trouble with vrf / OSPF

    Hi
    Because of a migration I need two connections from one 6500 to a 3550. See the following scenario (just two switches!):
    6500 ---------------- 3550
    OSPF 100 -- vlan1 -- OSPF 100
    OSPF 100 -- vlan2 -- OSPF 1000 vrf C1
    Everything works fine at the start, which is good. The bad thing: after I reboot the 3550 I have no neighborship from 3550 OSPF 1000 vrf C1 to 6500 global OSPF.
    That's because 3550 OSPF 1000 sends no hellos out of vlan 2. So probably something's broken with the process.
    Clear ospf process doesn't help.
    The workaround is to delete the OSPF 200 vrf C1 configuration and configure it again. But this is not what I want in a live environment.
    Has anybody an idea?
    cheers patrick

    Hi Saul,
    The issue is that the ASR9K knows how to get to 172.16.161.6 (or 172.16.19.30) but the EX8208 does not know how to get back to 172.16.19.6, which is the source address used for the ping request. This is because the C6500 redistributes OSPF into BGP but it does not redistribute BGP into OSPF.
    Regards