Tunnels going down

Apr 27th, 2007

We have IPSec tunnels created on a 2621 router. Recently we have been facing a problem. The EIGRP relationships (the tunnels) are going down at a particular time every day (around 10:45 am local time daily).


The configuration on the router is as follows:

Router_IPsec#sh runn

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key xxxx address x.x.x.x
crypto isakmp key xxxx address x.x.x.x
!
crypto ipsec transform-set myset-3des esp-3des esp-md5-hmac
crypto ipsec transform-set myset-3des-comp esp-3des esp-md5-hmac comp-lzs
!
crypto map vpn 20 ipsec-isakmp
 description IPSEC Tunnel to Bracknell -Backup path
 set peer x.x.x.x
 set transform-set myset-3des
 match address 120
crypto map vpn 30 ipsec-isakmp
 description ipsec tunnel to Boston
 set peer x.x.x.x
 set transform-set myset-3des
 match address 130
!
interface Loopback0
 description Ipsec Tunnel to Bracknell - Backup path
 ip address 131.x.x.166 255.255.255.255
!
interface Loopback1
 ip address 131.x.x.43 255.255.255.255
!
interface Tunnel0
 description IPSEC Tunnel to Bracknell - Backup path
 ip unnumbered FastEthernet0/0
 ip accounting output-packets
 ip mtu 1400
 ip policy route-map clear-df
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 131.101.83.167
!
interface Tunnel1
 ip unnumbered FastEthernet0/0
 ip accounting output-packets
 ip mtu 1400
 ip policy route-map clear-df
 load-interval 30
 keepalive 3 3
 tunnel source 131.101.83.43
 tunnel destination 131.101.83.42
!
!
interface FastEthernet0/0
 description Munich LAN subnets
 ip address 131.x.x.253 255.255.255.0 secondary
 ip address 131.x.x.253 255.255.255.0
 ip route-cache flow
 speed 100
 full-duplex
interface FastEthernet0/1
 description DSL connection to internet
 ip address x.x.x.x 255.255.255.248
 ip route-cache flow
 duplex auto
 speed auto
 crypto map vpn
!
router eigrp 101
 redistribute connected
 passive-interface FastEthernet0/1
 network 131.101.0.0
 distribute-list 10 out Tunnel0
 distribute-list 20 out Tunnel1
 distance 180 131.101.50.235 0.0.0.0
 no auto-summary
!
ip route 131.101.83.42 255.255.255.255 x.x.x.x
ip route 131.101.83.167 255.255.255.255 x.x.x.x
ip route 198.51.251.194 255.255.255.255 x.x.x.x
ip route 212.133.24.86 255.255.255.255 x.x.x.x
!
!
access-list 10 permit 131.101.192.0 0.0.0.255
access-list 10 permit 131.101.193.0 0.0.0.255
access-list 10 permit 131.101.228.0 0.0.0.255
access-list 20 permit 131.101.192.0 0.0.0.255
access-list 20 permit 131.101.228.0 0.0.0.255
access-list 30 permit 131.101.192.0 0.0.0.255
access-list 40 permit 131.101.228.0 0.0.0.255
access-list 104 permit ip any any
access-list 120 remark Bracknell GRE Tunnel
access-list 120 permit gre host 131.101.83.166 host 131.101.83.167
access-list 130 permit gre host 131.101.83.43 host 131.101.83.42

route-map clear-df permit 10
 match ip address 104
 set ip df 0
!

Actually, this setup has been working fine for quite some days, and we are even tracking the internet link, which has no drops at all. Only the tunnels are going down at times on this router, and at what looks like a planned, periodic time (daily at 10:45 a.m. local time).


Please help me out asap.


oabduo983 Sat, 04/28/2007 - 10:17

Hi,


Sometimes this issue is related to the bandwidth of your tunnel, and this is most probably your case here. Please try to re-adjust the bandwidth to something higher, e.g.

Router_IPsec(config)# interface tunnel 0
Router_IPsec(config-if)# bandwidth 10000
Router_IPsec(config-if)# interface tunnel 1
Router_IPsec(config-if)# bandwidth 10000


Let me know how it goes after that, and please rate this post if it was useful!

gary.day Sun, 06/03/2007 - 19:59

That doesn't make sense to me. Bandwidth is used for metric calculation, and would have no impact on tunnel bouncing... you could set it to 1 or 1000000 and nothing would change other than the route metric.

jigsaw2026 Mon, 06/04/2007 - 08:13

I have seen something like this before and it was to do with the isakmp policy lifetime... If you do a show crypto isakmp policy, what is the lifetime set to?


palukuri77 Tue, 06/05/2007 - 12:35

Hi all,


Sorry for the delay in response. I just got it rectified recently, and the prime issue was with the service provider. Ours is a DSL internet connection, and they have a scheduled switchover task on one of their devices which was affecting us. I've got them to adjust the time to the early hours, and hence there is no more interruption to my users.


Regards,

Subhash.

pritam.patil Tue, 06/05/2007 - 08:45

I was also facing the same problem with my network. Check if someone is testing with EIGRP neighbors at any other location.
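
Added example, not part of any post in this thread: one way to check from router logs whether EIGRP neighbor drops recur at the same time of day and hit every tunnel together, which is what a scheduled event on the shared internet link would look like. The log lines, the 192.0.2.x addresses and the function names are constructed for illustration; the script assumes IOS-style `%DUAL-5-NBRCHANGE` messages with date and time stamps.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in IOS syslog style; addresses and times are made up.
SAMPLE_LOG = """\
Apr 24 10:45:09: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.1 (Tunnel0) is down: holding time expired
Apr 24 10:45:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.5 (Tunnel1) is down: holding time expired
Apr 24 10:47:02: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.1 (Tunnel0) is up: new adjacency
Apr 25 10:44:58: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.1 (Tunnel0) is down: holding time expired
Apr 25 10:45:01: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.5 (Tunnel1) is down: holding time expired
Apr 26 10:45:20: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.1 (Tunnel0) is down: holding time expired
Apr 26 10:45:22: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.5 (Tunnel1) is down: holding time expired
"""

DOWN = re.compile(r"^(\w{3} +\d+ [\d:]+): %DUAL-5-NBRCHANGE: .*\((Tunnel\d+)\) is down")

def down_events(log, year=2007):
    """Return {tunnel: [datetime, ...]} for every EIGRP neighbor-down line."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = DOWN.match(line)
        if m:  # syslog stamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(2)].append(ts)
    return dict(events)

def seconds_of_day(ts):
    return ts.hour * 3600 + ts.minute * 60 + ts.second

def analyse(log, window=120):
    """Flag tunnels whose drops follow the clock, and count drops shared by all."""
    events = down_events(log)
    scheduled = {}
    for tunnel, stamps in events.items():
        tod = [seconds_of_day(t) for t in stamps]
        days = {t.date() for t in stamps}
        # Same time of day on 3+ distinct days (does not handle times near midnight).
        scheduled[tunnel] = len(days) >= 3 and max(tod) - min(tod) <= window
    # A drop is shared when every tunnel went down within `window` seconds of it.
    first = next(iter(events.values()), [])
    shared = [t for t in first
              if all(any(abs((t - u).total_seconds()) <= window for u in other)
                     for other in events.values())]
    return {"scheduled": scheduled, "shared_drops": len(shared)}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Drops that recur on the clock and take all tunnels down within seconds of each other are worth raising with the link provider before changing the crypto or EIGRP configuration.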
