VTI beween central site 7606 and remote offices, EIGRP issue?

Unanswered Question
Aug 4th, 2010
User Badges:

Have this weird issue with VTI tunnels on a 7606 running 12.2(33)SRE1 and several remote offices

1. When IPSec communication is established between two remote offices (this is with two VTI tunnels to the 7606), one remote office fails to connect to the other office unless we send the whole EIGRP routes belonging to the remote offices. When only the route is sent from the 7606 to the remote offices, the remote offices can´t communicate between each other.

2. When one remote office is VTI and the other office is a plain GRE tunnel they can´t communicate at all unless we add the tunnel checksum command at either side but we would like to avoid it due to resource consumption

Any help is grately appreciated since we don´t want to send the whole EIGRP table to each and every remote office.

Central Site 7606:

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

crypto isakmp key [email protected] address

crypto isakmp keepalive 60 10


crypto ipsec security-association lifetime kilobytes 1000000

crypto ipsec security-association lifetime seconds 28800


crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac


crypto ipsec profile IPSEC

set transform-set ESP-AES256-SHA

set pfs group5


interface Tunnel1

description to remote office 1

bandwidth 10000

ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1400

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 KEY

ip flow ingress

ip flow egress

load-interval 60

delay 100

tunnel source

tunnel mode ipsec ipv4

tunnel destination

tunnel protection ipsec profile IPSEC

max-reserved-bandwidth 100


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jbrenesj2 Mon, 08/09/2010 - 15:44
User Badges:

Help please!

Any ideas why two remote offices can´t communicate between them through a 7606 when one office is VTI tunnel to the 7606 and the other office is plain GRE.

They won´t talk unless the "tunnel checksum" is enable on the GRE connection but since it´s CPU intensive we can´t use it.

Thanks, Jorge


This Discussion