10-24-2007 04:06 AM - edited 03-03-2019 07:19 PM
Hello,
Here is a short overview of the network:
Cisco1800 <---> ASA <---> INTERNET <---> Cisco871
The ASA firewall and the Cisco871 hold an IPSec tunnel over the Internet, and the Cisco1800 and Cisco871 are running a GRE tunnel inside the IPSec tunnel. The routing protocol is EIGRP, except for OSPF between the 1800 router and the ASA firewall.
Everything works perfectly, but last week I upgraded the ASA firewall to version 8, which supports EIGRP, and tried to migrate from OSPF to EIGRP between the 1800 router and the ASA. After that the GRE tunnel started to flap and I realized that a recursive route was the problem.
The configuration looks like this:
1800:
interface Tunnel0
description GRE tunnel.
bandwidth 5000
ip address 10.254.1.1 255.255.255.0
no ip redirects
ip mtu 1400
tunnel source Loopback0
tunnel destination 10.254.2.2
tunnel key XXXX
router eigrp 1
redistribute static
network 10.83.1.0 0.0.0.255
network 10.254.1.0 0.0.0.255
no auto-summary
871:
interface Tunnel0
description GRE tunnel.
bandwidth 5000
ip address 10.254.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
delay 1000
tunnel source Loopback0
tunnel destination 10.254.2.1
tunnel key XXXX
router eigrp 1
network 10.84.1.0 0.0.0.255
network 10.254.1.0 0.0.0.255
no auto-summary
10-24-2007 04:27 AM
Are your loopback interfaces 10.254.2.1 and 10.254.2.2 respectively? What mask do you have on them? At the moment I am failing to understand how the 1800 and the 871 find each other's loopbacks in order to form the tunnel at all.
Don't forget that OSPF will have distributed the routes to your loopbacks as /32 host routes. EIGRP will distribute them with their original masks. If you have put masks of /24 on them, EIGRP will think they are on the same network.
Kevin Dorrell
Luxembourg
10-24-2007 04:57 AM
Hello Kevin,
It's correct that 10.254.2.1 and 10.254.2.2 are the loopback interfaces, and the mask is 255.255.255.255.
FYI: The IPSec-tunnel is configured to encrypt traffic between the loopback interfaces.
10-24-2007 05:15 AM
So how does each router find the route to the tunnel endpoint in the remote router? On the 10.254.2.1 router, what is its show ip route 10.254.2.2 before the tunnel comes up?
I don't see why you should get tunnel flapping; the tunnel endpoints do not seem to be part of the EIGRP topology.
Kevin Dorrell
Luxembourg
10-24-2007 06:10 AM
>So how does each router find the route to the tunnel endpoint in the remote router?
The IPSec-tunnel, the ASA and C871 are the default gateways at each LAN.
>what is its show ip route 10.254.2.2
I can't give you that output right now because I rolled back the configuration.
10-24-2007 06:27 AM
I'm still not sure why your tunnel is flapping then. Your tunnel endpoints are not part of the EIGRP domain, so they cannot be learned through the tunnel itself, which is usually the reason for tunnel flapping.
Unless of course your default route is being distributed in EIGRP and learned through the tunnel, in which case the tunnel would flap if the tunnel endpoints were part of that default route.
One solution to that would be to make a static route specifically for your tunnel endpoints. Being more specific, that would take precedence over the default route learned through the tunnel.
Kevin Dorrell
Luxembourg
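The recursive-routing failure Kevin describes, and the static-route fix he proposes, can be checked with a small model of the 1800's routing table. This is an added example, not configuration or code from the thread: it performs a longest-prefix lookup, follows next hops recursively the way a router resolves a next-hop-only static route, and reports whether the GRE tunnel destination would be reached through the tunnel itself. The loopback, tunnel and 10.83.1.253 addresses come from the thread; the interface name FastEthernet0, the EIGRP-learned default route and the administrative distances are assumptions for the sake of the model.

```python
"""Model of GRE tunnel recursion (added example, not from the original thread).

A route is recursive when the tunnel destination resolves out of the tunnel
interface itself: the tunnel comes up, the default route is learned through it,
the tunnel endpoint now resolves via the tunnel, the tunnel goes down, repeat.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                   # e.g. "10.254.2.2/32"
    next_hop: Optional[str]       # next-hop IP, or None for a connected route
    interface: Optional[str]      # outgoing interface, or None if only a next hop is known
    distance: int                 # administrative distance: connected 0, static 1, EIGRP 90/170
    source: str                   # where the route came from (for readability only)


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lowest distance wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


def resolve_interface(rib: List[Route], dst: str, max_depth: int = 8) -> Optional[str]:
    """Follow next hops until an outgoing interface is found, as a router does
    for a static route configured with a next hop only."""
    route = lookup(rib, dst)
    for _ in range(max_depth):
        if route is None:
            return None
        if route.interface:
            return route.interface
        route = lookup(rib, route.next_hop)
    return None  # next-hop loop or too deep: the route is unusable


def tunnel_is_recursive(rib: List[Route], tunnel_iface: str, tunnel_dest: str) -> bool:
    """True when the tunnel endpoint is itself reached through the tunnel."""
    return resolve_interface(rib, tunnel_dest) == tunnel_iface


def base_rib() -> List[Route]:
    """Constructed view of the 1800 once the GRE tunnel is up and EIGRP has
    converged. FastEthernet0 (LAN towards the ASA) and the EIGRP-learned
    default route are assumptions, not taken from the thread."""
    return [
        Route("10.83.1.0/24", None, "FastEthernet0", 0, "connected"),
        Route("10.254.2.1/32", None, "Loopback0", 0, "connected"),
        Route("10.254.1.0/24", None, "Tunnel0", 0, "connected"),
        Route("10.84.1.0/24", "10.254.1.2", "Tunnel0", 90, "eigrp"),
        # The scenario Kevin describes: a default route redistributed into
        # EIGRP and learned across the GRE tunnel from the 871.
        Route("0.0.0.0/0", "10.254.1.2", "Tunnel0", 170, "eigrp-external"),
    ]


def fixed_rib() -> List[Route]:
    """base_rib() plus the more specific static route for the remote tunnel
    endpoint, pointing at the ASA inside address (10.83.1.253 in the thread)."""
    return base_rib() + [Route("10.254.2.2/32", "10.83.1.253", None, 1, "static")]


def diagnose(rib: List[Route]) -> dict:
    """Summarise how the remote tunnel endpoint is reached in this table."""
    dest = "10.254.2.2"
    best = lookup(rib, dest)
    return {
        "matched_prefix": best.prefix if best else None,
        "egress": resolve_interface(rib, dest),
        "recursive": tunnel_is_recursive(rib, "Tunnel0", dest),
    }


if __name__ == "__main__":
    print("without static route:", diagnose(base_rib()))
    print("with static /32:    ", diagnose(fixed_rib()))
```

In the first table the only match for 10.254.2.2 is the default route learned over Tunnel0, so the tunnel endpoint resolves through the tunnel and the model flags it as recursive. Adding the /32 static route changes the longest match, and the next hop 10.83.1.253 then resolves through the connected 10.83.1.0/24 onto the LAN interface, which is exactly why the more specific static route takes precedence over the tunnel-learned default.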
10-24-2007 06:39 AM
Okay, thanks. I will try again this weekend, I hope.
This is the routing configuration on the boxes right now:
##### Cisco 1800 #####
router eigrp 1
redistribute static
network 10.83.1.0 0.0.0.255
network 10.254.1.0 0.0.0.255
no auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 1 subnets
network 10.0.0.0 0.255.255.255 area 100
ip route 192.168.10.0 255.255.255.0 10.83.1.253
##### ASA 5510 #####
router ospf 100
router-id 10.83.1.253
network 10.83.1.0 255.255.255.0 area 100
network 192.168.10.0 255.255.255.0 area 100
area 100
log-adj-changes
default-information originate metric 1
!
route outside 0.0.0.0 0.0.0.0 213.X.X.X1
How would you write the EIGRP configuration between the ASA and the 1800 with this information?
192.168.10.0/24 is just a DMZ-network at the ASA.
10-29-2007 02:39 AM
anyone?