Keepalive over GRE tunnel on VRF - bug ??

Feb 19th, 2007

In this post :

SOURCE-IP@ = SOURCE IP@ of the GRE tunnel = INTERNET IP@ of the router

GATEWAY-IP@ = next hop to internet

DESTINATION-IP@ = DESTINATION IP@ of the GRE tunnel = INTERNET IP@ of the remote router


I have 2 VRFs on a Cisco 2811 running c2800nm-adventerprisek9-mz.124-12.bin:

One, INTERNET, with internet access.

One, INTERNAL, with a tunnel interface using the VRF INTERNET to route tunnel packets.

Everything works well if I don't use the "keepalive" command on the tunnel interface.

If I put the "keepalive" command on the tunnel of the 2811, everything is still OK,

but once I put the "keepalive" command on the remote router, the tunnel interface on the remote tunnel goes down,

and this appears in the log of the 2811:

Feb 19 14:35:41: IP: s=SOURCE-IP@ (Tunnel25), d=DESTINATION-IP@, len 32, unroutable

It looks like the router uses the INTERNAL routing table to reply to keepalives, instead of using the INTERNET routing table specified by "tunnel vrf INTERNET".

So I put the following static route on the global table of the 2811:

ip route vrf INTERNAL DESTINATION-IP@ FastEthernet0/0 GATEWAY-IP@

And the tunnel goes UP/UP on the remote router.

Is it a bug or am I missing something?

The 2811 configuration:


rd XXX:108
route-target export xxx:108
route-target import xxx:108
route-target import xxx:109
route-target import xxx:100

rd XXX:100
route-target export xxx:100
route-target import xxx:100
route-target import xxx:108

interface Tunnel25
 ip vrf forwarding INTERNAL
 ip address
 ip mtu 1500
 ip ospf authentication-key 7 xxxxxxxxxxxxxxxxxxxx
 ip ospf cost 20
 keepalive 10 3
 tunnel source SOURCE-IP@
 tunnel destination DESTINATION-IP@
 tunnel key 111222333
 tunnel checksum
 tunnel vrf INTERNET

interface FastEthernet0/0
 ip vrf forwarding INTERNET
 ip address SOURCE-IP@
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex full
 speed 100

And the route I have to add if I want to use keepalive on the remote router:

ip route vrf INTERNE DESTINATION-IP@ FastEthernet0/0 GATEWAY-IP@

didyap Fri, 02/23/2007 - 12:28

It is required that the source and destination IP addresses of a tunnel are from the Global Routing Table context. The IP address of the tunnel interface itself may be in a VRF, but it breaks the keepalive mechanism. The problem is that the keepalive arrives in the Global table, while the sender expects it to be in the VRF context. A leaking static route may allow the keepalive packet to be seen from the VRF when it is decapsulated in the Global table.
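Added example, not part of the thread and not Cisco code: a small Python model of the keepalive loopback that reproduces the "unroutable" log line from the question and the effect of the leaked static route. The addresses and the INTERNAL table contents are constructed; the assumption that the decapsulated inner packet is routed in the tunnel interface's VRF is taken from the log in the question.

```python
import ipaddress

# Constructed documentation addresses standing in for the post's placeholders.
SOURCE_IP = "192.0.2.1"          # SOURCE-IP@: the 2811's tunnel source
DESTINATION_IP = "198.51.100.1"  # DESTINATION-IP@: the remote router
GATEWAY_IP = "192.0.2.254"       # GATEWAY-IP@: next hop to internet

def net(prefix):
    return ipaddress.ip_network(prefix)

def build_keepalive(sender, peer):
    """Keepalive as sent by `sender`: the GRE payload is a second IP/GRE
    packet already addressed back to the sender (GRE protocol type 0)."""
    inner = {"src": peer, "dst": sender, "gre_proto": 0}
    return {"src": sender, "dst": peer, "payload": inner}

def lookup(table, dst):
    """Longest-prefix match in one routing table; None means unroutable."""
    addr = ipaddress.ip_address(dst)
    hits = [(n, hop) for n, hop in table.items() if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def reflect(outer, tunnel_if_table):
    """Peer side: strip the outer header, then route the inner packet with
    the table of the VRF the tunnel interface belongs to (assumption drawn
    from the log in the question)."""
    inner = outer["payload"]
    hop = lookup(tunnel_if_table, inner["dst"])
    result = f"via {hop}" if hop else "unroutable"
    return f"s={inner['src']}, d={inner['dst']}, {result}"

def demo():
    internet = {net("0.0.0.0/0"): GATEWAY_IP}   # table named by "tunnel vrf INTERNET"
    internal = {net("10.0.0.0/8"): "Tunnel25"}  # constructed INTERNAL table
    # Encapsulated tunnel traffic uses INTERNET, so data works without keepalive.
    data_path = lookup(internet, DESTINATION_IP)
    # The remote router sends a keepalive; the 2811 must reflect the inner packet.
    keepalive = build_keepalive(sender=DESTINATION_IP, peer=SOURCE_IP)
    before = reflect(keepalive, internal)
    # Workaround from the post: host route to DESTINATION-IP@ in VRF INTERNAL.
    internal[net(DESTINATION_IP + "/32")] = GATEWAY_IP
    after = reflect(keepalive, internal)
    return data_path, before, after

if __name__ == "__main__":
    for line in demo():
        print(line)
```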

