GRE over IPSEC

Unanswered Question
Jan 3rd, 2007

We are running GRE over IPSEC between location A and B. It has been observed that after some time the tunnels go into a hang state and traffic does not pass through these tunnels.

It has been observed that the tunnels are shown as up at this time. After rebooting the router, the tunnels come out of the hang state and traffic continues to flow. Reinitialization of the tunnel is of no help.

The routers in question are Cisco 3825s, with location A running c3825-advsecurityk9-mz.124-3e.bin IOS and location B running c3825-advsecurityk9-mz.124-3d.bin.

lxcollin1 Thu, 01/04/2007 - 22:20

You can try setting a keepalive on the tunnel interface. I have seen a similar problem on VTI interfaces.

srdjanluzajic Mon, 02/05/2007 - 07:03

It sounds like a problem we had on several VPN tunnels. The solution for us was to add


ip mtu 1400

ip tcp adjust-mss 1360


to the tunnel interface.

Danilo Dy Mon, 02/05/2007 - 07:33

I never experienced this with my configuration, in which I use the Internet as the primary link using IP GRE over IPSEC and MPLS as the backup link using IP GRE over IPSEC.

The important configuration lines for the IP GRE interface are:

ip mtu 1500 << don't make this lower than 1500 or else you will have a DF problem.

keepalive 5 4 << this is important in a floating static route configuration.

However, I have experienced a lot of problems with IPSEC alone, without IP GRE.

The important things to take note of in IPSEC are:

- RouterA and RouterB configurations should be symmetric.

- RouterA and RouterB should have the same IOS version, up to the "letter".
