Back-to-back connectivity problem

Answered Question
Jul 11th, 2009

Dear Friend,

I have a setup in which a Cisco 3845 is connected with 15 Cisco 2851 routers over leased lines. I'm using a GRE tunnel with IPsec for security on the routers' serial link connectivity. All is working fine. Data is encrypted and decrypted properly.

Now I have to use 2 Cisco 3845 routers for load balancing.

I'm getting a serious problem with back-to-back connectivity with GigabitEthernet ports. I have done some tests but failed to ping all locations. I'm only able to ping the GigabitEthernet ports which are directly connected.


Test-1

I have used default routes with straight and cross cable. Only the directly connected gig port is pinging.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

Test-2

I have used OSPF routing on straight and cross cable between gig ports. Same condition.

router ospf 100

network 170.128.0.0 0.0.0.255 area 0

Test-3

I have used the same GRE tunnel with IPsec between gig ports which are directly connected. Configuration is attached in text format. Same condition.

Can anyone please tell me what I have to do for proper routing?

Any suggestion will be appreciated.


Regards,

Siddhartha




Giuseppe Larosa Sat, 07/11/2009 - 00:34

Hello Siddhartha,


I see the same IP address

ip address 170.128.0.10 255.255.255.0

assigned to both R1:g0/0 and R2:g0/0.

Change one of them to

170.128.0.x with x ne 10


Hope to help

Giuseppe


siddindia Sat, 07/11/2009 - 02:03

Dear Giuseppe,

It was by mistake.

I'm using 170.128.0.1 and 170.128.0.10 on both gig ports, but I'm able to routing.


Please help me

Giuseppe Larosa Sat, 07/11/2009 - 02:26

Hello Siddhartha,


>> I'm only able to ping the GigabitEthernet ports which are directly connected.

I see it was just a typing mistake in preparing the file you've attached.

If you want to make one device aware of networks learned by the other device on GRE tunnels and you trust the GE link, remove the crypto map on the GE ports.

Have the two routers build an OSPF adjacency.

Start without MD5 authentication.

It is better to divide the work into multiple steps.

1) OSPF adjacency without MD5

Put a network area command in the same OSPF process used on the GRE tunnels.

Check with

sh ip ospf nei

Verify R2 learns routes of remote devices only connected to R1.

Then later you can add complexity. If you can trust the environment where the two routers are, you don't need a VPN between them.

Trying to configure all at once can be a source of problems.


Hope to help

Giuseppe


siddindia Sat, 07/11/2009 - 02:36

Hi Giuseppe ,

I'm really very confused. I'm new to doing it.

Kindly tell me what I have to do step by step with configuration commands.

The most helpful thing would be if you test this environment before sending. Please.


Siddhartha





Correct Answer
Giuseppe Larosa Sat, 07/11/2009 - 02:45

Hello Siddhartha,


>> I'm really very confused. I'm new to doing it.

Do the following.

R1:

int gi0/0
no crypto map VPN-BACK_TO_BACk

int tu15
no crypto map VPN-BACK_TO_BACk
shut

router ospf 100
network 170.128.0.0 0.0.0.255 area 0

Do the same on R2,

then post

sh ip ospf neigh

eventually use

term mon
debug ip ospf adj

>> The most helpful thing would be if you test this environment

This is not possible: I'm taking care of a real network.

However, if you simplify the setup you can see what is correct and what is wrong.

By the way, I wouldn't put the crypto map inside the tunnel interface; for me this is wrong: the GRE is the traffic that has to be encrypted.


Hope to help

Giuseppe
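
Added example (not part of the thread and not the poster's attached configuration, which is not on the page): a small Python check for the two things the answers above looked for when reading the attachment, namely the same IP address on both ends of the back-to-back link and a crypto map applied to a tunnel interface. The sample configs are constructed; the tunnel address and the names `parse_interfaces` and `lint_pair` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample configs for illustration; only the 170.128.0.x addressing,
# Tunnel15 and the crypto map name come from the thread.
R1_CFG = """\
interface GigabitEthernet0/0
 ip address 170.128.0.10 255.255.255.0
!
interface Tunnel15
 ip address 10.15.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 crypto map VPN-BACK_TO_BACk
"""
R2_CFG = """\
interface GigabitEthernet0/0
 ip address 170.128.0.10 255.255.255.0
"""

def parse_interfaces(cfg):
    """Return {interface name: {"ip": IPv4Interface or None, "crypto_map": str or None}}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            cur = out.setdefault(m.group(1), {"ip": None, "crypto_map": None})
        elif not line.startswith(" "):
            cur = None  # "!" or any other top-level line ends the interface block
        elif cur is not None:
            s = line.split()
            if s[:2] == ["ip", "address"] and len(s) >= 4:
                cur["ip"] = ipaddress.ip_interface(f"{s[2]}/{s[3]}")
            elif s[:2] == ["crypto", "map"] and len(s) == 3:
                cur["crypto_map"] = s[2]
    return out

def lint_pair(cfg_a, cfg_b, link="GigabitEthernet0/0"):
    """Compare both routers' configs and return a list of finding strings."""
    a, b = parse_interfaces(cfg_a), parse_interfaces(cfg_b)
    findings = []
    ip_a = a.get(link, {}).get("ip")
    ip_b = b.get(link, {}).get("ip")
    if ip_a is not None and ip_b is not None and ip_a.ip == ip_b.ip:
        findings.append(f"duplicate address {ip_a.ip} on both ends of {link}")
    for name, ifaces in (("A", a), ("B", b)):
        for ifname, d in ifaces.items():
            if ifname.lower().startswith("tunnel") and d["crypto_map"]:
                findings.append(f"router {name}: crypto map {d['crypto_map']} on {ifname}")
    return findings
```

Run `lint_pair` on the two saved running-configs before bringing the link up; an empty list means neither condition was found.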




siddindia Sun, 07/12/2009 - 22:27

Hi Giuseppe ,

I'm very thankful to you. Your solution really helped.

I have erased all security from both routers for back-to-back connectivity and I have also erased the OSPF authentication key from both gig ports.

Now all things are working fine.


Thanks,

siddhartha
