I currently have 33 sites that have GRE tunnels which terminate at a central location in a hub and spoke configuration. Almost all sites have the IOS up to date and routers range from 1721's and 2600's to 3620's. I have been trying to come up with an answer as to why, on a pretty good majority of the sites, there are output drops on the GRE tunnels to the hub office. Traffic on the tunnel is normally not more than a 1/4 to 1/2 of the bandwidth and never peaks above that.
Could anyone give me an educated guess or theory as to what could be causing or why I may be getting output drops on a tunnel interface? There doesn't seem to be any effect on the performance at each site but I would like to get a handle on this before it happens to get out of hand.
I have a similar setup. 33 remote sites with 2621's and 10 remote sites with 2650's. My headends are 7206VXR's.
I'm running OSPF over the GRE tunnels. I am seeing the OSPF neighbor relationship intetrmittently drop over the tunnels - ospf just shows that the dead timer expired. Debugs show that the IPSEC relationship drops over the tunnel causing the OSPF adjacency to time out.
One thing that was suggested to me (I haven't implemented yet - want to test in a lab enviroment first) is that the tunnel interfaces should not have the crypto map tied to them. Starting
on IOS code 12.2.13T the crypto map should only be applied to the physical interface.
Thanks for your response, however I'm not running IPSEC over GRE, just a plain GRE tunnel so I have no crypto maps to deal with. It's a strange thing but it doesn't seem to be causing any harm at the moment so I may just let it alone.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :