Tunnels going down at a particular time daily

Unanswered Question
Apr 27th, 2007
We have IPSec tunnels created on a 2621 router. Recently we have been facing a problem: the EIGRP relationships (the tunnels) are going down at a particular time every day (around 10:45 am local time daily).


The configuration on the router is as follows:

Router_IPsec#sh runn

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key Tzoombie2b0r@$2b!t0moru& address x.x.x.x
crypto isakmp key Lom!LurmlOM!lURMbozodeeclown address x.x.x.x
!
crypto ipsec transform-set myset-3des esp-3des esp-md5-hmac
crypto ipsec transform-set myset-3des-comp esp-3des esp-md5-hmac comp-lzs
!
crypto map vpn 20 ipsec-isakmp
 description IPSEC Tunnel to Bracknell -Backup path
 set peer x.x.x.x
 set transform-set myset-3des
 match address 120
crypto map vpn 30 ipsec-isakmp
 description ipsec tunnel to Boston
 set peer x.x.x.x
 set transform-set myset-3des
 match address 130
!
interface Loopback0
 description Ipsec Tunnel to Bracknell - Backup path
 ip address 131.101.83.166 255.255.255.255
!
interface Loopback1
 ip address 131.101.83.43 255.255.255.255
!
interface Tunnel0
 description IPSEC Tunnel to Bracknell - Backup path
 ip unnumbered FastEthernet0/0
 ip accounting output-packets
 ip mtu 1400
 ip policy route-map clear-df
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 131.101.83.167
!
interface Tunnel1
 ip unnumbered FastEthernet0/0
 ip accounting output-packets
 ip mtu 1400
 ip policy route-map clear-df
 load-interval 30
 keepalive 3 3
 tunnel source 131.101.83.43
 tunnel destination 131.101.83.42
!
!
interface FastEthernet0/0
 description Munich LAN subnets
 ip address 131.101.228.253 255.255.255.0 secondary
 ip address 131.101.192.253 255.255.255.0
 ip route-cache flow
 speed 100
 full-duplex
interface FastEthernet0/1
 description DSL connection to internet
 ip address x.x.x.x 255.255.255.248
 ip route-cache flow
 duplex auto
 speed auto
 crypto map vpn
!
router eigrp 101
 redistribute connected
 passive-interface FastEthernet0/1
 network 131.101.0.0
 distribute-list 10 out Tunnel0
 distribute-list 20 out Tunnel1
 distance 180 131.101.50.235 0.0.0.0
 no auto-summary
!
ip route 131.101.83.42 255.255.255.255 x.x.x.x
ip route 131.101.83.167 255.255.255.255 x.x.x.x
ip route 198.51.251.194 255.255.255.255 x.x.x.x
ip route 212.133.24.86 255.255.255.255 x.x.x.x
!
!
access-list 10 permit 131.101.192.0 0.0.0.255
access-list 10 permit 131.101.193.0 0.0.0.255
access-list 10 permit 131.101.228.0 0.0.0.255
access-list 20 permit 131.101.192.0 0.0.0.255
access-list 20 permit 131.101.228.0 0.0.0.255
access-list 30 permit 131.101.192.0 0.0.0.255
access-list 40 permit 131.101.228.0 0.0.0.255
access-list 104 permit ip any any
access-list 120 remark Bracknell GRE Tunnel
access-list 120 permit gre host 131.101.83.166 host 131.101.83.167
access-list 130 permit gre host 131.101.83.43 host 131.101.83.42

route-map clear-df permit 10
 match ip address 104
 set ip df 0
!

Actually, this setup has been working fine for quite some days, and we are even tracking the internet link, which has no drops at all. Only the tunnels are going down on this router, and at what looks like a planned, periodic time (daily at 10:45 a.m. local time).


Please help me out asap.

dkeaton Fri, 04/27/2007 - 11:11

What are your IOS versions? We had something similar happen when we had 12.4... connecting to 12.3... Do you have the same keepalive configured on both sides? Do you have the problem if you take the keepalive off of your GRE tunnel interfaces? I have also experienced similar issues when using CEF on my public interface.

gtambour Sat, 04/28/2007 - 22:10

Hi, here is something that we use on our tunnels for intermittent EIGRP relationship transitions. You can give it a try. It has to be configured on both ends of the connection.


interface Tunnel22
 ip address xxxxxxxxxxxx
 ! set the mtu without ip header to 1370 (this eliminates fragmentation)
 ip tcp adjust-mss 1370
 ! lower the number of eigrp transitions that are frequent on VPN links
 ip hello-interval eigrp xxxx 10
 ! lower the number of eigrp transitions that are frequent on VPN links
 ip hold-time eigrp xxxx 120
 tunnel source Loopback100
 tunnel destination xxxxxxxxx
 crypto map vpn
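
One way to check whether the outages in the question really recur on a 24-hour cycle, which is worth comparing against the IKE SA lifetime (86400 seconds by default on IOS when the ISAKMP policy sets no lifetime): the script below is an added example, not from any poster in this thread, that groups tunnel and EIGRP down messages by interface and tests whether the gaps between outages are multiples of a day. The log lines are constructed, and the "YYYY-MM-DD HH:MM:SS" collector timestamp prefix, the neighbor address and the Tunnel9 interface are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

DAY = 86400  # seconds in 24 h; also the IOS default ISAKMP SA lifetime

# Constructed sample, not taken from the thread. Assumes a syslog collector
# prefixes each IOS message with "YYYY-MM-DD HH:MM:SS"; Tunnel9 is hypothetical.
SAMPLE_LOG = """\
2007-04-24 10:45:12 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
2007-04-24 10:45:14 %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.1 (Tunnel0) is down: interface down
2007-04-24 10:45:40 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
2007-04-25 10:44:58 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
2007-04-26 10:45:30 %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 192.0.2.1 (Tunnel0) is down: holding time expired
2007-04-24 02:10:00 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel9, changed state to down
2007-04-25 17:31:00 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel9, changed state to down
2007-04-26 09:05:00 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel9, changed state to down
"""

DOWN = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?(?:"
                  r"Interface (Tunnel\d+), changed state to down|\((Tunnel\d+)\) is down)")

def down_events(log):
    """Map each tunnel interface to its sorted list of down timestamps."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = DOWN.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[m.group(2) or m.group(3)].append(ts)
    return {ifc: sorted(ts) for ifc, ts in events.items()}

def daily_pattern(times, tolerance=300):
    """True if outages recur at multiples of 24 h, within +/- tolerance seconds."""
    kept = []  # one entry per outage: messages within `tolerance` s are collapsed
    for t in times:
        if not kept or (t - kept[-1]).total_seconds() > tolerance:
            kept.append(t)
    gaps = [(b - a).total_seconds() for a, b in zip(kept, kept[1:])]
    off = [min(g % DAY, DAY - g % DAY) for g in gaps]  # distance to nearest n*24 h
    return len(gaps) >= 2 and all(o <= tolerance for o in off)

def report(log=SAMPLE_LOG):
    return {ifc: daily_pattern(ts) for ifc, ts in down_events(log).items()}

if __name__ == "__main__":
    for ifc, periodic in sorted(report().items()):
        print(ifc, "recurs every ~24 h" if periodic else "no daily pattern")
```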


