Odd Tunnel Interface behavior - one end requires "no keepalive"

Here's the quick version. Tunnel between sites A & B. This is GRE o IPSEC, but I don't think that's the issue. Tunnel comes up and works great when: site A has no keepalives and site B has no keepalives, and it works when Site A has keepalives turned on and Site B does not. The moment I turn on keepalives on site B, the tunnel goes down.
This isn't a simple config. Site A is an MPLS PE, meaning the Tunnel interface is configured with an fVRF and iVRF. Site B has no VRFs - it is the CE.
Any ideas on how to fix?  I need Site B's Tunnel interface to go down when connectivity fails.  My current workaround is to use EIGRP to update the routing tables.  I need to be able to support redundant paths with static and floating routes.

Like this;
Core1-r1#sh access-list ironport2
Extended IP access list ironport2
    10 deny tcp host 10.247.254.174 any
    20 deny tcp any 192.168.0.0 0.0.255.255
    30 deny tcp any 10.0.0.0 0.255.255.255
    40 deny tcp host 10.230.3.250 any
    50 permit tcp 10.139.60.0 0.0.0.255 any (119568304 matches)
    60 permit tcp 10.230.32.0 0.0.0.255 any (9290669 matches)
    70 permit tcp host 10.230.48.12 any (141403 matches)
    80 permit tcp host 10.230.36.62 any (1456 matches)
    90 permit tcp host 10.150.18.7 any (741 matches)
Core1-r1#
10= P1 interface
20= network we don't want to be sent to ironport
30= " "
40= M1 interface
50->90=All testing subnets to go to ironport
Thanks for the feedback! jc

Similar Messages

  • Nexus 5000 - Odd Ethernet interface behavior (link down inactive)

    Hi Guys,
    This would sound really trivial but it is very odd behavior.
    - We have a server connected to 2 Nexus 5000s (for resiliency)
    - When there is no config on the ethernet interfaces whatsoever, the ethernet interface is UP / UP, there is minimal amount of traffic on the link etc. E.g.
    Ethernet1/16 is up
      Hardware: 1000/10000 Ethernet, address: 000d.ece7.85d7 (bia 000d.ece7.85d7)
      Description: shipley-p1.its RK14/A13
      MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      full-duplex, 10 Gb/s, media type is 1/10g
      Beacon is turned off
      Input flow-control is off, output flow-control is off
      Rate mode is dedicated
      Switchport monitor is off
      Last link flapped 00:00:07
      Last clearing of "show interface" counters 05:42:32
      30 seconds input rate 0 bits/sec, 0 packets/sec
      30 seconds output rate 96 bits/sec, 0 packets/sec
      Load-Interval #2: 5 minute (300 seconds)
        input rate 0 bps, 0 pps; output rate 8 bps, 0 pps
      RX
        0 unicast packets  0 multicast packets  0 broadcast packets
        0 input packets  0 bytes
        0 jumbo packets  0 storm suppression packets
        0 runts  0 giants  0 CRC  0 no buffer
        0 input error  0 short frame  0 overrun   0 underrun  0 ignored
        0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
        0 input with dribble  0 input discard
        0 Rx pause
      TX
        0 unicast packets  163 multicast packets  0 broadcast packets
        163 output packets  15883 bytes
        0 jumbo packets
        0 output errors  0 collision  0 deferred  0 late collision
        0 lost carrier  0 no carrier  0 babble
        0 Tx pause
      1 interface resets
    - As soon as I configure the link to be an access port, the link goes down, flagging "inactivity" E.g.
    sh int e1/16
    Ethernet1/16 is down (inactive)
      Hardware: 1000/10000 Ethernet, address: 000d.ece7.85d7 (bia 000d.ece7.85d7)
      Description: shipley-p1.its RK14/A13
      MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      auto-duplex, 10 Gb/s, media type is 1/10g
      Beacon is turned off
      Input flow-control is off, output flow-control is off
      Rate mode is dedicated
      Switchport monitor is off
      Last link flapped 05:38:03
      Last clearing of "show interface" counters 05:41:33
      30 seconds input rate 0 bits/sec, 0 packets/sec
      30 seconds output rate 0 bits/sec, 0 packets/sec
      Load-Interval #2: 5 minute (300 seconds)
        input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
      RX
        0 unicast packets  0 multicast packets  0 broadcast packets
        0 input packets  0 bytes
        0 jumbo packets  0 storm suppression packets
        0 runts  0 giants  0 CRC  0 no buffer
        0 input error  0 short frame  0 overrun   0 underrun  0 ignored
        0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
        0 input with dribble  0 input discard
        0 Rx pause
      TX
        0 unicast packets  146 multicast packets  0 broadcast packets
        146 output packets  13083 bytes
        0 jumbo packets
        0 output errors  0 collision  0 deferred  0 late collision
        0 lost carrier  0 no carrier  0 babble
        0 Tx pause
      0 interface resets
    - This behavior is seen on both 5Ks
    - I've tried using a different set of ports, changed SFPs, and fibre cabling to no avail
    - I can't seem to understand this behavior?!  In that, why would configuring the port cause the link to go down?
    - If anyone has experienced this before, or could shed some light on this behavior, it would be appreciated.
    sh ver
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 1.2.0
      loader:    version N/A
      kickstart: version 4.2(1)N1(1)
      system:    version 4.2(1)N1(1)
      power-seq: version v1.2
      BIOS compile time:       06/19/08
      kickstart image file is: bootflash:/n5000-uk9-kickstart.4.2.1.N1.1.bin
      kickstart compile time:  4/29/2010 19:00:00 [04/30/2010 02:38:04]
      system image file is:    bootflash:/n5000-uk9.4.2.1.N1.1.bin
      system compile time:     4/29/2010 19:00:00 [04/30/2010 03:51:47]
    thanks
    Sheldon

    I had identical issue
    Two interfaces on two different FEXes were INACTIVE. I have two Nexus 5596 in vPC and A/A FEXes.
    I also use config-sync feature.
    Very same configuration was applied to other ports on other FEXes and they were working with no problems.
    interface Ethernet119/1/1
      inherit port-profile PP-Exchange2003
    I checked VLAN status associated with this profile and it was active (of course it was, other ports were ok).
    I solved it by removing port profile from this port and re-applied it... voila, port changed state to up!
    Very very strange.

  • DMVPN + IPSec protected VRFs; IPSec SAs established only on one tunnel interface

    Hello folks!
    I have a setup between two Cisco ISR routers, running IOS 15.1(4)M3. I have tried to establish DMVPN connectivity with two VRFs (ie. two tunnel interfaces per router) between the routers and it mostly seems to be working as I expected. But... IPSec SAs seem to get tied to only one of the tunnel interface, not two (one per direction) per tunnel interface as they should. There's no MPLS backbone in between the routers, only "global VRF", routed IP network.
    Command "show crypto ipsec sa" or indirectly a missing OSPF neighborhood between the routers verifies the erroneous situation. Occasionally, after an "interface tunnel[ 0 or 1] shut, no shut" or "clear crypto sa" command I seem to get it up and running, two SAs per tunnel interface, but if I reboot either one of the routers or just clear the IPSec SA, they most likely will appear under either one of two tunnel interfaces. So, what should I change to instruct the router to set up SAs correctly, two SAs (one per direction) per tunnel interface?
    I'll enclose appropriate parts of the configurations and output of command "show crypto ipsec sa".

    I think I figured it out, for anyone who might stumble across this post in the future. It looks like you need to add the shared keyword to the tunnel protection command. ie...
    interface tunnel 0
     tunnel protection ipsec profile MyProfile shared
    end
    I should note that one of the first things I tried was to create a separate IPSec profile for each unique tunnel interface. It ended up not fixing the problem and I had to go with the solution above.

  • Tunnel interface to physical interface

    Hi All,
    I was wondering if it is possible to build a site to site vpn connection one side using tunnel interface and the other end using a physical interface.
    My plan is to use a 3945 router, build multiple tunnel interfaces on the router to connect 50 clients. By using tunnel interfaces on the router I could leverage the vrf feature to isolate clients, but if I use a tunnel interface on my end I am not certain if the tunnel will come up if my client is using 1) ASA 2) PIX 3) vpn concentrator - which doesn't support tunnel interfaces.
    Thanks for your help in advance.
    Lou

    Mark Mattix wrote: I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address, 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet?
    Olivier Pelerin> This is correct
    When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
    Olivier Pelerin> See the diagram below - this explains GRE over IPSEC. That's a diagram I did here for a training
    On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
    Olivier Pelerin> the diagram below should answer that
    I've been wrong in thinking that GRE and IPSec go hand in hand when in fact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, it looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
    Olivier Pelerin> Correct. GRE first then encryption
    Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
    [red = encrypted]

  • Odd Calc Order Behavior

    Hello all,
    I've put together a hybrid analysis cube and I'm experiencing some odd calc order behavior. It appears the years are calculating backwards.
    I load my 2007 end balances and calc forward three years. 2008 is correct, but 2009 and 2010 are incorrect. They are incorrect inasmuch as the calcs that require 2008/2009 end balances are incorrect. So I run the script again and now 2009 is right, but 2010 is incorrect. Then I run it once more and 2010 is correct.
    It appears the end balances for 2008 and 2009 aren't available for 2009 and 2010, respectively. Thus, I think 2010 is calcing first, but with no 2009 end bals, so it's off. Then 2009 goes, again no end bals, so it's off. Then 2008 calcs, and since 2007 end bals are in there, it's calcing correctly. Thus, I have to calc again two times for 2009 and 2010 to be correct.
    Here's my script:
    Fix (@IRSiblings("2008"),"ScenarioMbr")
    CALC ALL EXCEPT DIM("Years","Scenario");
    Endfix
    ScenarioMbr is a level 0 descendant of the Scenario dimension.
    Thanks for any help anyone has.

    I would suggest checking on your outline order. It sounds like your ending balance hasn't been calculated by the time the beginning balance needs it (as evidenced by your three passes). The order of members in your FIX statement has no bearing on the calculation order. By this, I mean make sure that your Years dimension is ordered as follows...
    Years
    + 2007
    + 2008
    + 2009
    + 2010
    Also, make sure that your periods (where your months are is, assuming it is a different dimension) is located above your Years dimension.
    Lastly, how are you facilitating getting your Ending balances into your Beginning balances? Sometimes the sequencing for this type of work is important as well. For example, if your Ending Balance is a two-pass, it will not be ready until a second pass is done.
    If this doesn't help, maybe provide one of the BegBal members that isn't working, your outline order, the order of the Years dimension, and the dense/sparse settings (assuming BSO).
    Good Luck!!

  • Odd open with behavior

    Hi,
    Normally, when right-clicking a file, for example, a pdf, in ID, and selecting a particular program to open that file with (say, AI) would start the chosen program.  Lately, things haven't been working as expected, at least in one document.  Opening a linked file, either with the right-click on the file or from the links dock, results in some really odd behavior, all ending with the wrong program being chosen.  Sometimes, the program is in the list, for whatever reason ID decides that it should be in the list, which is a mystery to me, but sometimes, the program isn't even in the list.  Such as, my GIS program. I've tried another document, and it seems to behave ok.  I tried restarting the computer, etc., still happens.  Any suggestions?  Thanks for the time; you folks are always a tremendous help.
    PS, if I go to Bridge, everything is smooth, like butter.
    db

    I'm using CS4, all up to date on a Windows XP SP3 machine dual-core 2.66ghz  4gig RAM, 500 Gig HD.  The document itself is pretty low-key.  Five placed Word files.  I'm zapping the embedded images and replacing with linked originals.  Very basic graphics.  I'm an archaeologist, so mainly maps and photos, no transparencies, fancy masks, or anything of the like.
    Thanks,
    db

  • Odd Junk Mail Behavior

    I've been experiencing odd Junk Mail behavior on my Mac; I've got the Mail app set so it puts the emails it thinks is Junk in the Junk folder. I do this because I've noticed that certain legitimate emails keep ending up in the Junk folder automatically.
    I've also noticed that some of the emails in the Junk folder have not actually been flagged as Junk Mail, they were not colored brown by the Junk Mail rule and there is no button available to tell Mail it's not Junk. How do I stop Mail from flagging something as Junk when it doesn't seem to tag it as Junk but it still ends up in the Junk folder?
    I see emails tagged as Junk in the Junk folder that are legit, so I click the "Not Junk" button and move them back to the proper mail folder. But the next time I get mail from the same source, it gets flagged and tagged as Junk again. I thought the Mail app learns from the training we give it. How do I resolve this situation?
    I've already set the Junk filtering to not filter emails from recipients who are in my Address Book.

    Either you’ve messed with the Preferences > Junk Mail > Advanced settings, or those settings have become corrupt, or you have one or more rules that have a bearing on this.
    Assuming it isn’t the latter, try this:
    1. Go to Preferences > Junk Mail, disable junk mail filtering, then enable it again. This resets the rule that governs what the junk filter does.
    2. Choose either Training or Automatic mode (it doesn’t matter) and leave the other options checked. Click Advanced to see how the junk filter rule is defined now if you want, but don’t touch anything there.
    3. Reset the junk filter database (Preferences > Junk Mail > Reset).

  • 'no ip route-cache' on Tunnel interfaces

    Hi,
    A quick and hopefully simple question. Is there any reason why 'no ip route-cache' and 'no ip mroute-cache' should be configured on Tunnel interfaces?
    Generally, when should 'no ip route-cache' be configured on an interface?
    Many thanks,
    Andy

    Andy, no easy question, and pretty much sends some of us back to basics.. one has to take a deeper look at this command to barely get a good picture. See the first link thread, good discussion on your question.. generally no ip route-cache improves performance for router forwarding processing decisions.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfa166
    You can find more details on three types of switching methods such as (fast switching by ip route-cache command), I believe it helps understand better the commands.
    http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml
    Another instance where you would have ip route-cache enabled on an interface would be for the use of netflow; the ip route-cache command on an interface is a requirement for implementing netflow.
    Rgds
    -Jorge

  • Where did these tunnel interfaces come from?!?

    Hello,
    just wondering why one of our routers creates tunnel interfaces dynamically.
    I was setting up a GRE tunnel to transport multicast traffic over network. After I was done, I found two extra tunnel interfaces with command show ip interfaces brief and those extra interfaces uses my original tunnel interface as their IP addresses. There is no any configuration regarding to these extra interfaces in running config. How did this happen? Any explanations? Is it relating somehow to my multicast solution?
    If I got two dynamically created tunnels does that mean that I have at least two concurrent multicast groups on my router in active state?
    Sorry for dummy questions but I have almost zero experience what comes for multicast and last time I studied it in school about 8 year ago...
    -JJ

    Hi,
    These are created dynamically, one to encapsulate multicast packets and the other one to decapsulate. You can see them with the command < show ip pim tunnel > . You can find the description and purpose of these tunnels here:
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti/command/imc-cr-book/imc_s1.html#wp9533023710
    Hope this helps,
    Jose.

  • Dynamic virtual tunnel interface on 2821

    I tried to configure a dynamic virtual tunnel interface on a Cisco 2821 with release 12.4(9)T1 advanced ip services, aiming to terminate VPN client ipsec tunnels on it.
    The feature is supported by this software release. Documentation says:
    - enter configuration
    - configure a virtual-template interface
    - type "tunnel mode <mode>"
    but the router does not accept this command.
    Any hint?
    Thank you in advance.
    Denis

    Try:
    just have to take a look at the concentrator's configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
    and this one is an example with routers
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080143b0a.shtml

  • Transmit Discards on Tunnel Interface Cisco 2851

    Hi, wondered if anyone could shed any light on this?
    We have two 2851 routers at two separate branches that connect via a vpn tunnel back to the head office. When looking at the tunnel interface it shows a lot of transmit discards which are there constantly and increase as traffic levels go up.
    I have read that this is due to congestion however we aren't using that much bandwidth at all.
    one site has 100mb private circuit and the other has 10mb both of which are never more than 30% utilised
    any thoughts?
    thanks


  • Netflow with tunnel interfaces

    Hi, I have a customer who is using tunnel interfaces with IPSEC on their WAN. They are collecting Netflow stats and exporting them to a server. Under the tunnel interface I have specified the bandwidth to be 1000. When I did not specify the bandwidth the tunnel speed came up on the management software as being 9kb. This was obviously not a true reflection when observing the data. The far end remote office is terminating via dsl and my question is should I specify the bandwidth under the tunnel interface to be closer to the dsl connection they have there ie 512k? There are many other tunnels coming from the main site and I have not configured Netflow on this particular remote end.

    Hi Justin,
    If we would define bandwidth on the tunnel interface it will manipulate routing decisions also, and a tunnel recursion issue could also occur where the tunnel would see that the best way to reach the destination is via the tunnel itself. Besides that, the actual bandwidth used by the tunnel is based on the physical interface associated with it.

  • Dual stack on tunnel interface

    Is it possible to run dual stack IP schemes over an ipsec-protected tunnel interface on IOS? I am able to assign the IPv6 addresses like a normal interface on both ends; however, when I try to ping across the tunnel with IPv6 there is no response. Here is an example of my config:
    R1
    interface Tunnel0
     description Tunnel to R2
     ip address 172.30.1.237 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address FE80::172:30:1:1 link-local
     ipv6 address 2001:1::172:30:1:1/126
     keepalive 5 4
     tunnel source GigabitEthernet0/1
     tunnel mode ipsec ipv4
     tunnel destination 1.2.3.4
     tunnel protection ipsec profile protect-gre
    R2
    interface Tunnel0
     description Tunnel to R1
     ip address 172.30.1.238 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address 2001:1::172:30:1:2/126
     ipv6 address FE80::172:30:1:2 link-local
     keepalive 5 4
     tunnel source FastEthernet0/1
     tunnel destination 1.2.3.5
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile protect-gre
    The only solution I can clearly see is running a separate tunnel, which I would like to avoid. Any assistance is greatly appreciated!

    Hello,
    In my System preferences the IPv6 settings are set to "automatic", my DSL router (Cisco 787) supports IPv6. When visiting sites like www.sixxs.net and www.apnic.org (which are reachable by both IPv6 and IPv4), some pages are reached by IPv6 and some by IP4. Even the same page may load in IPv6 first, but a second time via IPv4. This behaviour has changed since my upgrade to Leopard, under Tiger the behaviour was much more stable.
    Gerard

  • Disappearing tunnel keepalives with tunnel interface in vrf

    Dear all
    I have an annoying problem with a gre tunnel using keepalives and the tunnel interface on the PE residing in a vrf.
    The background for my setup is an ethernet WAN link to our customer where the interface doesn't go down when the link fails.
    Therefore I want to use a gre tunnel with keepalive in order to use static routes.
    The tunnel setup is as follows:
    1. PE, 6509, Sup720, IOS 12.2(18)SXF7
    interface FastEthernet8/13
    ip address xx.yy.zz.241 255.255.255.252
    speed 10
    duplex full
    no mop enabled
    interface Tunnel813
    ip vrf forwarding CUSTOMER
    ip address 10.0.0.101 255.255.255.252
    keepalive 5 3
    tunnel source xx.yy.zz.241
    tunnel destination xx.yy.zz.242
    end
    2. CE, 1803, IOS 12.4(15)T8
    interface FastEthernet0
    bandwidth 5000
    ip address xx.yy.zz.242 255.255.255.252
    speed 10
    full-duplex
    interface Tunnel0
    ip address 10.0.0.102 255.255.255.252
    keepalive 5 3
    tunnel source xx.yy.zz.242
    tunnel destination xx.yy.zz.241
    The problem is PE sends and receives keepalives and brings up the tunnel. CE on the other hand sends but doesn't receive keepalives.
    As far as I have learned from former discussions the problem comes from tunnel and physical interface belonging to different routing instances. If I put the tunnel interface on PE into the global routing instance all the keepalives reach their destinations as expected.
    I read about a solution involving "tunnel vrf" on the tunnel configuration. This command is not present in my IOS version but AFAIK it is only necessary for having the underlying physical interface in a vrf as well.
    Furthermore I read about "mls mpls tunnel-recir" but I am not sure whether this might solve the issue here. And equally important: Can I safely turn on this feature on a running system with quite a lot of vrf customers without any trouble?
    Any hint and/or advice is greatly appreciated here.
    Thanks a lot in advance,
    Grischa

    Wow, this is old, but...
    While they may or may not be officially supported, GRE tunnels do work with vrf's if you both put the tunnel interface in the VRF AND the physical interface the tunnel runs over, AND use the tunnel vrf command.  Then everything is in the same routing table and it works.  For example:
    PE:
    vrf definition vrf1
    rd 1:1
    address-family ipv4
      route-target export 1:1
      route-target import 1:1
    exit-address-family
    interface Ethernet0/0
    vrf forwarding vrf1
    ip address 192.168.1.1 255.255.255.0
    interface Tunnel1
    vrf forwarding vrf1
    ip address 1.1.1.1 255.255.255.252
    keepalive 1 3
    tunnel source Ethernet0/0
    tunnel destination 192.168.1.2
    tunnel vrf vrf1
    router bgp 12345
    bgp log-neighbor-changes
    address-family vpnv4
    ! Provider stuff - i.e., route reflector for MPLS network
    exit-address-family
    address-family ipv4 vrf vrf1
      neighbor 1.1.1.2 remote-as 64512
      neighbor 1.1.1.2 activate
      neighbor 1.1.1.2 default-originate
    exit-address-family
    CE:
    interface Ethernet0/0
    ip address 192.168.1.2 255.255.255.0
    interface Tunnel1
    ip address 1.1.1.2 255.255.255.252
    keepalive 1 3
    tunnel source Ethernet0/0
    tunnel destination 192.168.1.1
    router bgp 64512
    bgp log-neighbor-changes
    ! network statements perhaps
    ! redistribute static perhaps
    neighbor 1.1.1.1 remote-as 12345
    neighbor 1.1.1.1 update-source Tunnel1
    neighbor 1.1.1.1 soft-reconfiguration inbound
    Of course you don't need to run BGP, but you can.
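
The rule stated in the reply above (with keepalives on, the tunnel interface, the physical interface it runs over, and `tunnel vrf` all sit in the same VRF) can be checked against a config before a change. The following Python audit is an added example, not code from either poster or from Cisco; the function names and the two sample configs (constructed, modelled on the layouts in this thread, with documentation addresses where the post masks them) are assumptions, and the parser only understands the commands that appear in this thread.

```python
"""Audit a flattened IOS config for GRE keepalives that cross routing tables."""
import re


def parse_interfaces(config):
    """Map interface name -> the settings that decide where keepalives are routed."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {
                "vrf": None, "ip": None, "keepalive": False,
                "source": None, "tunnel_vrf": None})
            continue
        # Forum pastes lose indentation, so close the block on top-level keywords.
        if line == "end" or line.startswith(("!", "router ", "vrf definition ")):
            current = None
            continue
        if current is None:
            continue
        vrf = re.match(r"(?:ip )?vrf forwarding (\S+)$", line)
        if vrf:
            current["vrf"] = vrf.group(1)
        elif re.match(r"keepalive\b", line):
            current["keepalive"] = True
        elif line.startswith("ip address "):
            current["ip"] = line.split()[2]
        elif line.startswith("tunnel source "):
            current["source"] = line.split()[2]
        elif line.startswith("tunnel vrf "):
            current["tunnel_vrf"] = line.split()[2]
    return interfaces


def audit_keepalive_vrfs(config):
    """Return (tunnel, message) findings for keepalive tunnels with split VRFs."""
    interfaces = parse_interfaces(config)
    # "tunnel source" may be an interface name or one of the router's addresses.
    by_ip = {i["ip"]: name for name, i in interfaces.items() if i["ip"]}
    findings = []
    for name, intf in interfaces.items():
        if not name.lower().startswith("tunnel") or not intf["keepalive"]:
            continue
        src = intf["source"]
        src_name = src if src in interfaces else by_ip.get(src)
        if src_name is None:
            findings.append((name, "tunnel source %r not found in config" % src))
            continue
        tables = {
            "tunnel interface": intf["vrf"],
            "source interface " + src_name: interfaces[src_name]["vrf"],
            "tunnel vrf": intf["tunnel_vrf"],
        }
        if len(set(tables.values())) > 1:
            detail = ", ".join(
                "%s=%s" % (k, v or "global") for k, v in tables.items())
            findings.append(
                (name, "keepalive with mismatched routing tables: " + detail))
    return findings


# Constructed sample: tunnel in a VRF, physical interface in the global table.
PE_SPLIT = """\
interface FastEthernet8/13
ip address 192.0.2.241 255.255.255.252
interface Tunnel813
ip vrf forwarding CUSTOMER
ip address 10.0.0.101 255.255.255.252
keepalive 5 3
tunnel source 192.0.2.241
tunnel destination 192.0.2.242
end
"""

# Constructed sample: everything in one VRF, as the reply recommends.
PE_ALIGNED = """\
interface Ethernet0/0
vrf forwarding vrf1
ip address 192.168.1.1 255.255.255.0
interface Tunnel1
vrf forwarding vrf1
ip address 1.1.1.1 255.255.255.252
keepalive 1 3
tunnel source Ethernet0/0
tunnel destination 192.168.1.2
tunnel vrf vrf1
router bgp 12345
bgp log-neighbor-changes
"""

if __name__ == "__main__":
    for label, cfg in (("split", PE_SPLIT), ("aligned", PE_ALIGNED)):
        print(label, audit_keepalive_vrfs(cfg) or "no findings")
```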

  • How to connect new iMac to tv with a hdmi cord on one end and a thunderbolt on the other end

    how to connect new iMac to tv with a hdmi cord on one end and a thunderbolt on the other end

    You need a > Moshi Mini DP to HDMI Adapter with Audio Support - Apple Store (U.S.) to plug into the ThunderBolt port and an HDMI cable.
