I have shut down the dialer interface

the frequency of flapping is every 2hrs

Regards

Gopi

Hi, I am attaching the router logg message of remote site

Aug 10 17:28:19: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.9

7.209:4500 Id: 195.75.97.209

Aug 10 17:28:19: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.9

7.209:4500 Id: 195.75.97.209

Aug 10 17:30:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel160, chan

ged state to down

Aug 10 17:30:19: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunn

el160) is down: interface down

Aug 10 17:31:28: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.9

7.209:4500 Id: 195.75.97.209

Aug 10 17:31:28: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.9

7.209:4500 Id: 195.75.97.209

Aug 10 17:31:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel160, chan

ged state to up

Aug 10 17:32:36: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunn

el160) is up: new adjacency

Your crypto map is applied on the GRE tunnel and F0/1. IT should be applied only on the F0/1. You can have only one instance of the same IPSEC tunnel UP!

Let me know if this solved the problem,

Regards,

Hi, I will remove crypto map GRE from tunnel interface

but i have one doubt there are all other sites running from HUB side router, which are running without any problem

Attaching one configuration for reference

HUB Side:

interface Tunnel150

description Primary GRE to Milan

bandwidth 512

ip address 165.204.14.105 255.255.255.252

ip mtu 1400

ip route-cache flow

ip tcp adjust-mss 1360

no ip mroute-cache

load-interval 30

delay 1000

shutdown

qos pre-classify

keepalive 5 5

tunnel source FastEthernet0/1

tunnel destination 194.196.23.242

crypto map GRE

REMOTE Side:

interface Tunnel152

description Primary GRE to drsfso-vpn1

bandwidth 2048

ip address 165.204.14.110 255.255.255.252

ip mtu 1400

ip route-cache flow

ip tcp adjust-mss 1360

no ip mroute-cache

load-interval 30

delay 1000

qos pre-classify

keepalive 5 5

tunnel source FastEthernet0/1

tunnel destination 195.75.97.209

crypto map GRE

Regards

Gopinath.V

Well, GRE will be passed based on the source and destination of the tunnel. I don't think the crypto map is matching the GRE on the tunnel. When traffic reaches the GRE it is clear IP packet. When it wants to leave the GRE tunnel from the source to the destination it is encapsulated by GRE. Therefore, your crypto map should be applied on the source of the GRE because here where the match would happen.

IN your configuration the crypto map applied on the F0/0 is matching traffic not the crypto map applied on the GRE tunnels.

Try removing the crypto map from the GRE tunnels and you will see that the IPSEC tunnel will still pass traffic which validates what I am saying.

Let me know if removing the crypto map solves the prob,

Regards,

Hello,

I am eager to know what is the status?

Thanks,

Hi, Yes i have removed the crypto map from the tunnel & applied only in Fastethernet but the tunnel is still flapping

with the same log messages:

Aug 14 17:28:55: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunn

el160) is down: interface down

Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.9

7.209:4500 Id: 195.75.97.209

Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.9

7.209:4500 Id: 195.75.97.209

Aug 14 17:29:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel160, chan

ged state to up

Aug 14 17:30:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunn

el160) is up: new adjacency

Configuration Detail

dubai-vpn1#sh running-config interface tunnel 160

Building configuration...

Current configuration : 388 bytes

!

interface Tunnel160

description Primary GRE to drsfso-vpn1

bandwidth 512

ip address 165.204.14.206 255.255.255.252

ip mtu 1400

ip hello-interval eigrp 1 40

ip hold-time eigrp 1 220

ip route-cache flow

ip tcp adjust-mss 1360

no ip mroute-cache

load-interval 30

delay 1000

qos pre-classify

keepalive 20 5

tunnel source FastEthernet0/1

tunnel destination 195.75.97.209

end

Regards

Gopinath.V

Hello,

I checked the whole config and found that what is happening is correct. If you look at the configuration who have set the life time of the SA to be 7200 which equivalent to 2hours. Make sure you have the same SA life time on both sides!

One thing to try is increase the life time to 28800 and you will see that the IPSEC will not time out after 2 hours or 7200 seconds.

Please let me know what happens,

Regards

Hello,

I checked the whole config and found that what is happening is correct. If you look at the configuration you have set the life time of the SA to be 7200 which equivalent to 2hours. Make sure you have the same SA life time on both sides!

One thing to try is increase the life time to 28800 and you will see that the IPSEC will not time out after 2 hours or 7200 seconds.

Please let me know what happens,

Regards

Hi, I have changed the lifetime setting at both the side to 28800

tunnel is up since 45min

let you know the result

Regards

Gopinath.V

Hi, inspite of changing the lifetime to 28800 at both end

the tunnel is still flapping almost every 2hrs

the log message is also same

Regards

Gopinath.V

Hello,

Can you attach the HUB site config. I can see nothing wrong on the Spoke site!

Regards,

Hi, as you requested attaching the configuration

Regards

Gopinath.V