Why? %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

Answered Question
Sep 12th, 2008


I have a pretty normal two-site GRE tunnel that I want to set up


site1: (10.1.0.0/24 LAN)
interface Tunnel0
 ip address 192.168.199.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination x.x.x.x

site2: (10.4.0.0/24 LAN)
interface Tunnel0
 ip address 192.168.199.2 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination y.y.y.y


The tunnel is up and I can PING either side's 192.168.199.x address from the other side.

So far, so good.


I have NO dynamic routing protocols running

But when I put in the static "ip route" statements, to get traffic from one LAN to another...


site1: (10.1.0.0/24 LAN)
ip route 10.4.0.0 255.255.255.0 192.168.199.2

site2: (10.4.0.0/24 LAN)
ip route 10.1.0.0 255.255.255.0 192.168.199.1

I get the dreaded "%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing" error and the tunnel shuts down.


Any ideas on what I'm doing wrong?


Here's the "show ip route" output from site1:

Gateway of last resort is x.x.x.x to network 0.0.0.0

x.x.x.0/30 is subnetted, 1 subnets
C x.x.x.x is directly connected, FastEthernet0
192.168.199.0/30 is subnetted, 1 subnets
C 192.168.199.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.0.0 is directly connected, Vlan1
S 10.4.0.0 [1/0] via 192.168.199.2
S* 0.0.0.0/0 [1/0] via x.x.x.x
CalgaryRTR#


site2 "show ip route" is similar.


Overall Rating: 4.5 (2 ratings)
Jerry Ye Fri, 09/12/2008 - 11:36

Hi,


The message "%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing" really means your tunnel destination address is reachable via the tunnel itself. Is your tunnel destination in the 10.1.0.0/24 and 10.4.0.0/24 network?


Normally, if you are using a dynamic routing protocol, you can use a distribute-list to block the tunnel destination address from being reached via the tunnel itself. It is a little bit tricky to do it with a static route. Can you provide a more detailed topology with all the networks?


HTH,

jerry
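
The condition described in the reply above, as an added example that is not part of the original thread: a longest-prefix lookup with recursive next-hop resolution that reports whether the tunnel destination would be forwarded into the tunnel itself. The 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the masked x.x.x.x and y.y.y.y values, and the extra /24 route in BROKEN is hypothetical.

```python
import ipaddress

def route(prefix, iface=None, via=None):
    """One routing-table entry: connected (iface) or static via a next hop (via)."""
    return {"net": ipaddress.ip_network(prefix), "iface": iface, "via": via}

def lookup(table, addr):
    """Longest-prefix match, as the router does for every forwarding decision."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in table if ip in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None

def egress_interface(table, addr, depth=0):
    """Follow next hops recursively until a route names an outgoing interface."""
    entry = lookup(table, addr)
    if entry is None or depth > 8:      # no route, or a next-hop loop
        return None
    if entry["iface"]:
        return entry["iface"]
    return egress_interface(table, entry["via"], depth + 1)

def tunnel_is_recursive(table, tunnel_iface, tunnel_dest):
    """True when the GRE outer destination would itself be sent into the tunnel."""
    return egress_interface(table, tunnel_dest) == tunnel_iface

# Constructed stand-ins: 203.0.113.0/30 for the masked x.x.x.0/30 WAN subnet,
# 198.51.100.1 for the masked remote tunnel destination.
TUNNEL_DEST = "198.51.100.1"
SITE1 = [
    route("203.0.113.0/30", iface="FastEthernet0"),
    route("192.168.199.0/30", iface="Tunnel0"),
    route("10.1.0.0/24", iface="Vlan1"),
    route("10.4.0.0/24", via="192.168.199.2"),
    route("0.0.0.0/0", via="203.0.113.2"),
]
# Hypothetical bad entry: a route covering the tunnel destination that points
# at the far end of the tunnel.
BROKEN = SITE1 + [route("198.51.100.0/24", via="192.168.199.2")]

if __name__ == "__main__":
    for name, table in (("posted table", SITE1), ("with covering route", BROKEN)):
        print(name, "->", egress_interface(table, TUNNEL_DEST),
              "recursive" if tunnel_is_recursive(table, "Tunnel0", TUNNEL_DEST) else "ok")
```

With the table as posted, the tunnel destination resolves to FastEthernet0, so the posted routes alone do not meet the recursive-routing condition.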

Edison Ortiz Fri, 09/12/2008 - 11:42

As Jerry stated, you are using the tunnel to reach 10.4.0.0/24 from Site2 and 10.1.0.0/24 from SiteA.


At the same time, you are using the source and destination for the tunnel by using the same subnets.


tunnel source FastEthernet0
tunnel destination y.y.y.y


If you want to correct this issue, you need to use a different subnet/interface as the source/destination tunnel.


How are these locations connected? Serial? If so, use the serial interface IP as the source and the remote serial IP as the destination.


HTH,


__


Edison.


Please rate helpful posts


thomasdzubin Fri, 09/12/2008 - 11:55

OK, maybe I'm having the end-of-week brain problems, but I WANT my tunnel to go between my two WAN interfaces...FastEthernet0 is connected to the ISP on both routers


site1:
FastEthernet0 has IP of x.x.x.x
Vlan1 has IP of 10.1.0.1

site2:
FastEthernet0 has IP of y.y.y.y
Vlan1 has IP of 10.4.0.1

I don't understand why I WOULDN'T want my tunnel to be

interface Tunnel0
 source FastEthernet0
 destination x.x.x.x (or y.y.y.y the other router)


Sorry for the dumbness on my end...but I'm really trying to understand.


I'm using tunnels because my private LANs 10.1.0.x and 10.4.0.x aren't routable on the public Internet.


Edison Ortiz Fri, 09/12/2008 - 12:14

Can you modify your ip routes as follows:

ip route 10.1.0.0 255.255.255.0 tunnel0
ip route 10.4.0.0 255.255.255.0 tunnel0


and post back with results?


HTH,


__


Edison.

thomasdzubin Fri, 09/12/2008 - 12:20

Actually, that's one of the many things that I tried before I started posting here.

Same results... the tunnel is up and both ends of the tunnel are PINGable from the other side, but as soon as I add an "ip route" statement, the tunnel goes down and I get the "recursive routing" error in the log.


singhsaju Fri, 09/12/2008 - 12:25

Hi Thomas,

Can you remove keepalives from the tunnel and then add routes?


interface Tunnel0
 no keepalive 10 3

Edison Ortiz Fri, 09/12/2008 - 12:37

I can't duplicate your problem so I believe there is something wrong with the IOS you are running or there is a piece of the configuration that is missing.


I put a little lab together to emulate your environment and I'm attaching output commands for your perusal.





thomasdzubin Fri, 09/12/2008 - 12:46

Thanks for your help. I'm going to call it a day and go home and have some tea. (perhaps with some Baileys added)


Probably on Monday, I'm going to do a "write erase" and try again with a fresh mind.



thomasdzubin Fri, 09/12/2008 - 13:03

I'm an idiot! Yes, there was something else in the config that caused it to fail.

I turned on "debug ip routing" and "debug tunnel" and saw a message with an IP that shouldn't have been there and I found an "ip nat outside source static" statement from a previous trial config. I removed it and VOILA it works!

Sorry about that.


Correct Answer
Edison Ortiz Fri, 09/12/2008 - 13:07

Like I stated before, there was something in the config that was causing it.


You could've saved a lot of time by posting the whole config.


Replacing public IPs with non-routable IPs to protect the security of your network while posting in these forums should not have taken you long - search and replace in notepad does wonders :)


Glad you found the problem and thanks for the post back and rating.


Regards,



Edison.
