IPSec Tunnel up but cannot ping remote Tunnel IP

alfonso.cornejo (Level 3)

Hi,

I have configured a GRE IPsec tunnel and everything was working fine, but suddenly I can't ping the tunnel IP address anymore. The two tunnels are shown as UP/UP. Here is the configuration:

***Branch***

crypto isakmp policy 10
encr 3des
authentication rsa-encr
group 2
crypto isakmp keepalive 3600

crypto ipsec transform-set xxx-trans-3des esp-3des esp-sha-hmac

crypto key pubkey-chain rsa
addressed-key 10.233.172.1 encryption
  address 10.233.172.1
  key-string
   **** key ****
  quit

crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.1
set transform-set xxx-trans-3des
match address lista
qos pre-classify

interface Tunnel502
bandwidth 4000
ip address 10.233.217.182 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1200
qos pre-classify
keepalive 3 3
tunnel source FastEthernet0/0
tunnel destination 10.233.172.1
service-policy output ring-tunnels

interface FastEthernet0/0
ip address 10.233.172.3 255.255.255.192
duplex full
speed 100
negotiation auto
arp timeout 900
crypto map rsvtu62-baa01-7206


ip access-list extended lista
permit gre host 10.233.172.3 host 10.233.172.1

***Central Site***

crypto isakmp policy 10
encr 3des
authentication rsa-encr
group 2
crypto isakmp keepalive 3600

crypto ipsec transform-set xxx-trans-3des esp-3des esp-sha-hmac

crypto key pubkey-chain rsa
addressed-key 10.233.172.3 encryption
  address 10.233.172.3
  key-string
   **** key ****
  quit

crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.3
set transform-set xxx-trans-3des
match address lista
qos pre-classify

interface Tunnel 502
bandwidth 4000
ip address 10.233.217.181 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1200
qos pre-classify
keepalive 3 3
tunnel source GigabitEthernet0/2
tunnel destination 10.233.172.3
service-policy output ring-tunnels

ip access-list extended lista
permit gre host 10.233.172.1 host 10.233.172.3

If I remove the crypto map from the WAN interface the tunnel goes down; if I put it back it comes up and the crypto session is established, but I can't ping from the branch the IP address 10.233.217.182 of the central site.

Any ideas?

Thanks in advance!

16 Replies

Jerry Ye (Cisco Employee)

You didn't post your routing configuration and I am not sure why you can't ping.

You should not be able to ping the tunnel destination through the tunnel; this would cause recursive routing and the tunnel would flap. You can try to source the ping from F0/0; this should work, assuming your routing is correct and no transit firewall is blocking it.

ping x.x.x.x source f0/0

HTH,

jerry

Hi,

My network is a fiber ring and I have normal connectivity between my WAN interfaces, and the tunnel actually shows UP/UP on both sides. The problem is that suddenly, if I use encryption, I can't ping the tunnel IP address between the two locations; if I remove encryption the tunnel comes UP/UP again and I can ping.

The encryption configuration has not been changed since it was installed, and for about a month it worked fine until now.

Thanks...

Sorry for misunderstanding your question before. I see what problem you are having; can you post the output of

show crypto isa sa

I want to see where the crypto fails.

Regards,

jerry

Hi, here is the output:

sh cry isa sa

dst             src             state    conn-id  slot  status
10.233.172.1    10.233.172.3    QM_IDLE  3        0     ACTIVE

Your crypto show command output looks fine.

And I just went over the config, and this is my question: your crypto map name doesn't match the crypto map applied to the WAN interface for the Branch? I can't see the Hub site config for the WAN interface since you didn't attach it.

crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.1
set transform-set xxx-trans-3des
match address lista
qos pre-classify

interface FastEthernet0/0
ip address 10.233.172.3 255.255.255.192
duplex full
speed 100
negotiation auto
arp timeout 900
crypto map rsvtu62-baa01-7206

Can you confirm?

Regards,

jerry
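The mismatch Jerry is asking about (a crypto map applied to the WAN interface under a name that was never defined) is easy to miss by eye. As an added example that is not from the thread or from Cisco, the Python below parses a constructed copy of the branch-side configuration and flags three things that would stop GRE from being matched and encrypted: an undefined or missing crypto map on the tunnel source interface, a set peer that differs from the tunnel destination, and a crypto ACL without the matching GRE host-to-host entry.

```python
# Constructed sample modelled on the branch config in the thread; the crypto map name
# applied to FastEthernet0/0 is deliberately left mismatched, exactly as first posted.
BRANCH_CONFIG = """\
crypto map mapa 502 ipsec-isakmp
 set peer 10.233.172.1
 match address lista
interface Tunnel502
 tunnel source FastEthernet0/0
 tunnel destination 10.233.172.1
interface FastEthernet0/0
 ip address 10.233.172.3 255.255.255.192
 crypto map rsvtu62-baa01-7206
ip access-list extended lista
 permit gre host 10.233.172.3 host 10.233.172.1
"""

def parse_blocks(config):
    """Group an IOS config into (header, [indented sub-lines]) sections."""
    blocks = []
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def check_gre_ipsec(config):
    """Return findings that would stop the GRE traffic from being matched and encrypted."""
    blocks = parse_blocks(config)
    maps = {h.split()[2]: b for h, b in blocks if h.startswith("crypto map ")}
    acls = {h.split()[-1]: b for h, b in blocks if h.startswith("ip access-list ")}
    ifaces = {h.split(None, 1)[1]: b for h, b in blocks if h.startswith("interface ")}
    findings = []
    for body in (b for n, b in ifaces.items() if n.startswith("Tunnel")):
        src = next((l.split()[-1] for l in body if l.startswith("tunnel source")), None)
        dst = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), None)
        wan = ifaces.get(src, [])
        src_ip = next((l.split()[2] for l in wan if l.startswith("ip address")), None)
        applied = next((l.split()[-1] for l in wan if l.startswith("crypto map")), None)
        if applied not in maps:  # None (no map on the WAN side) or a name never defined
            findings.append(f"{src}: crypto map {applied!r} applied, defined maps: {sorted(maps)}")
            continue
        peer = next((l.split()[-1] for l in maps[applied] if l.startswith("set peer")), None)
        if peer != dst:
            findings.append(f"{applied}: set peer {peer} != tunnel destination {dst}")
        acl = next((l.split()[-1] for l in maps[applied] if l.startswith("match address")), None)
        want = f"permit gre host {src_ip} host {dst}"
        if want not in acls.get(acl, []):
            findings.append(f"ACL {acl}: no '{want}' entry, GRE would leave unencrypted")
    return findings
```

On the sample as posted, check_gre_ipsec(BRANCH_CONFIG) returns one finding about the undefined map; with the WAN interface line changed to crypto map mapa it returns an empty list.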

Hi,

Sorry, that was a typo; this is the right one:

crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.1
set transform-set xxx-trans-3des
match address lista
qos pre-classify

interface FastEthernet0/0
ip address 10.233.172.3 255.255.255.192
duplex full
speed 100
negotiation auto
arp timeout 900
crypto map mapa

interface GigabitEthernet0/2
ip address 10.233.172.1 255.255.255.192

duplex full
speed 1000
media-type gbic

This is a weird problem; I have other routers with exactly the same configuration and everything is fine...

What I did is an IOS upgrade and so far it is working fine, but I'll be monitoring it.

Any other ideas?

Thanks !

Oh, so after you did an IOS upgrade everything is fixed? What were the IOS versions before and after?

Regards,

jerry

Hi,

After: c2800nm-advipservicesk9-mz.124-25a.bin

Before: c2800nm-advipservicesk9-mz.124-25b.bin

So far it is working...

There are a couple of crypto bugs in 12.4(25a), but nothing matches your description.

Glad that it works after the upgrade.

Regards,

jerry

Hi,

That's correct...well, I'll see how it works.

Thanks a lot for your comments!

Regards,

Alfonso

Hi,

The problem is there again; it seems that it is not an IOS problem. I had to remove the encryption in order to have the branch working...it is the same situation...any ideas of what else to check?

Any error, traceback, etc. in the log? I am also interested, if you leave crypto in place and do a clear crypto isa sa, to see the behavior.

Regards,

jerry

Hi jerry,

The problem is there again. What I did is that I regenerated the RSA key on my branch router and everything came up: I could ping the IP address of the tunnel and everything was OK, but 24 hrs later the same situation was there again; I can't ping the IP address of the remote tunnel, and this time I regenerated the key again but it didn't work.

I did some debugs but there are no error msgs, and also the clear crypto isa sa that you suggested, but I can't find anything that shows me what is happening. Here I attach the debug output in case you can take a look.

Thanks in advance!

I see the following errors in the debug file, but I am not 100% sure this is causing your router not to be able to re-key the crypto tunnel:

Dec  8 10:09:49: ISAKMP:(0:1:SW:1):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Dec  8 10:09:49: ISAKMP:(0:1:SW:1):SA is doing RSA encryption authentication using id type ID_IPV4_ADDR

And please take a look at the following troubleshooting link to manually import the key to the remote router:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008023ce5b.shtml#proc

Regards,

jerry
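Picking the two lines Jerry quoted out of a long debug crypto isakmp capture is the kind of thing worth scripting when a tunnel stops re-keying every day. The Python below is an added example, not part of the thread: it parses a constructed debug excerpt (the two quoted lines, copied as quoted, plus two ordinary lines of the same shape), groups events per ISAKMP SA, records which authentication method each SA negotiated, and reports any SA that hit the cert/DN failure marker; the marker table holds only the string seen in this thread.

```python
import re
from collections import defaultdict

# Constructed excerpt: the two lines Jerry quoted (copied as quoted, including the
# missing space in "routerdoes") plus two ordinary lines of the same shape.
DEBUG_LOG = """\
Dec  8 10:09:49: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec  8 10:09:49: ISAKMP:(0:1:SW:1):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Dec  8 10:09:49: ISAKMP:(0:1:SW:1):SA is doing RSA encryption authentication using id type ID_IPV4_ADDR
Dec  8 10:09:52: ISAKMP:(0:2:SW:1):Old State = IKE_READY  New State = IKE_R_MM1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): ISAKMP:\((?P<sa>[^)]*)\):(?P<msg>.*)$"
)

# Only the marker seen in this thread; extend the table with strings you have confirmed.
FAILURE_MARKERS = {
    "Unable to get router cert": "rsa-encr authentication needs a cert/DN the router cannot find",
}

def parse_isakmp(log):
    """Yield (timestamp, sa_id, message) for every well-formed ISAKMP debug line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("sa"), m.group("msg")

def triage(log):
    """Group events per ISAKMP SA; report the auth method seen and any failure markers hit."""
    per_sa = defaultdict(list)
    for ts, sa, msg in parse_isakmp(log):
        per_sa[sa].append((ts, msg))
    report = {}
    for sa, events in per_sa.items():
        hits = [(ts, why) for ts, msg in events
                for marker, why in FAILURE_MARKERS.items() if marker in msg]
        auth = next((msg for _, msg in events if "authentication using id type" in msg), None)
        report[sa] = {"lines": len(events), "auth": auth, "failures": hits}
    return report

if __name__ == "__main__":
    for sa, info in triage(DEBUG_LOG).items():
        print(sa, info)
```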
