08-17-2007 08:27 AM - edited 03-03-2019 06:22 PM
I do have a site where we have got internet connection via ethernet port. We did make an ipsec over GRE tunnel from that site to our HO in US.
Router model Cisco 2821 at the remote site and 3845 at HO.
We have got another internet link onto the serial port of the router and made another IPSec over GRE Tunnel to HO router through this link.
The setup is running fine. But recently we are having connection issues from the service provider which is providing the internet connection via the ethernet port. When that service goes down, our EIGRP relationship over these GRE tunnels breaks and we lose reachability to the site. We have to reach it via the second internet link and clear the routes, and only then does traffic reachability resume.
My question: to avoid this, I want to configure keepalive on the tunnel interface which is used by the Ethernet internet connection. The tunnel line protocol stays down as and when I configure keepalive on it, whereas the other tunnel, used by the serial internet connection, takes the keepalive configuration and works fine.
Please suggest.
08-17-2007 08:34 AM
Hi,
What are the keepalive values you are using on both links, and what is the average delay on both links?
BR,
Mohammed Mahmoud.
08-17-2007 08:37 AM
Are you running EIGRP on both the GRE tunnels?
Narayan
08-17-2007 08:41 AM
Yes, I am using EIGRP between these tunnels and the HO.
The average response time is around 250 msec.
I am giving a keepalive every 2 seconds with a retry limit of 2.
It's working fine with these settings on the tunnel which is created via the serial-based internet link.
But the tunnel stays down even with a keepalive of 10 seconds on the one which is created via the ethernet-based internet link.
08-17-2007 08:46 AM
Hi,
Is either of the tunnels' destinations learned via EIGRP over the other tunnel? Please do an IP route check for both tunnels' destinations.
BR,
Mohammed Mahmoud.
08-17-2007 08:45 AM
SUBHASH
I believe that it would help us understand the issue and give you better advice if you would post the configs of the routers.
HTH
Rick
08-17-2007 09:29 AM
08-18-2007 05:39 AM
Subhash,
Can you ping the destination IP at each router?
08-20-2007 10:55 PM
I think you should stop GRE keepalive or use EIGRP neighbor command.
08-18-2007 05:22 AM
Hi
Are you able to trace from one router to the other router? Please check this; it will clarify the routing part.
Please also send me a diagram of the network; this will help me to understand the issue.
-minu
08-19-2007 06:29 PM
Hi,
Can you remove the GRE from the ACL to perform the test (i.e. ICMP) between source and destination to make sure that IPSEC fires up when there is interesting traffic between source and destination?
-----------------------
1. HQ
access-list 110 permit host 131.101.83.173 host 131.101.83.172
access-list 120 permit host 131.101.83.175 host 131.101.83.174
access-list 124 permit host 131.101.83.234 host 131.101.83.235
2. Remote
access-list 110 permit host 131.101.83.172 host 131.101.83.173
access-list 120 permit host 131.101.83.174 host 131.101.83.175
access-list 140 permit host 131.101.83.235 host 131.101.83.234
-----------------------
Always include in the ACL other port for testing purposes (i.e. ICMP) to help you in troubleshooting in the future.
Your idea to put keepalive is good. This is beneficial when you have IP GRE Tunnel (backup or primary link). Without it, when IP GRE Tunnel link is down in one site, the other site IP GRE Tunnel will remain up/up without the keepalive.
Regards,
Dandy
08-22-2007 02:26 AM
I believe your question was about keepalive.
On the serial connection it's your router to router, hence keepalive is working.
But on Ethernet, keepalive is not working because the service provider switch is not supporting it.