One of our remote branches has an issue: it cannot reach our local network. The logical configuration between these two locations is a GRE over IPsec tunnel. The scenario is quite strange, because we can reach any remote host but not the tunnel interface, and from the remote location neither the tunnel interface nor any host is reachable. The following troubleshooting I have done:
After disabling ip cef I didn't see the message 'adjacency fixup', but it doesn't solve the issue. I checked adjust tcp-mss as well as the MTU settings, but until now I have seen no hope. So I would look for further assistance.
The main problem is that your crypto-ACLs are wrong. You only have to specify the GRE traffic from tunnel-endpoint to tunnel-endpoint. And the crypto-map has to be applied only on the physical interface and not any more on the tunnel itself (that was done with older releases but not now anymore).
EDIT: And your MSS is probably still too big, as the tunnel overhead can be more than 48 bytes. I would use 1360 to be on the safe side.
Are you using transport-mode in your transform-set? That can be used with GREoverIPSec to reduce the overhead by 20 Bytes.
Thanks for your quick assistance. The router has different crypto-maps associated with different tunnels, and for that reason it is not applied on the physical interface. It has an older IOS version, so it might not be an issue for it. I appreciate your suggestion about MSS and I reduced it to 1360, but still there is no luck until now. We are using it without transport-mode. Very soon we will upgrade and implement DMVPN, but right now we are not able to change the configuration because of downtime on several locations which have the same type of VPN configuration as this one and are working without any issue.
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(22)T5
info: From my location (hub side) I can ping any remote host except the tunnel interface. So what I understand there shouldn't be any cause for crypto map issue.
I completely agree with Karsten's assessment of the situation. You are not running older IOS version at all - the crypto maps on Tunnel interfaces were required in IOS versions before 12.2(13)T. Your IOS version is newer by multiple generations.
You should indeed follow Karsten's advice and both correct the ACLs (they should only match the GRE traffic), and remove the crypto maps from your tunnel interfaces.
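The following is an added, constructed hub-side configuration illustrating the advice given in this thread (it is not the original poster's configuration): the crypto ACL matches only GRE between the two tunnel endpoints, the crypto map sits on the physical WAN interface rather than on the tunnel, the transform set uses transport mode, and the tunnel carries the MSS clamp of 1360 suggested above. The addresses (198.51.100.1 for the hub, 203.0.113.1 for the spoke, 10.255.0.0/30 for the tunnel), the interface names, and the pre-shared key are placeholders.

```cisco
! Constructed example for a 12.4T-class IOS router. Addresses, names and the
! PSK are placeholders, not values from the thread.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
!
! Transport mode: GRE already supplies the outer IP header, so this saves
! the 20 bytes an extra tunnel-mode header would add.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: only the GRE flow between the two tunnel endpoints.
! Do NOT list the LAN subnets here; they ride inside the GRE packets.
ip access-list extended ACL-GRE-SPOKE1
 permit gre host 198.51.100.1 host 203.0.113.1
!
! One crypto map per physical interface; additional spokes get
! additional sequence numbers (20, 30, ...) in the same map.
crypto map CM-WAN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-GRE
 match address ACL-GRE-SPOKE1
!
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
 ! no "crypto map" statement on the tunnel interface
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-WAN
```

The spoke mirrors this with the endpoint addresses swapped in the ACL, the peer statement and the tunnel source/destination. Because a physical interface can carry only one crypto map, the poster's several per-tunnel maps would be merged into one map with one sequence entry per spoke. After applying it, `show crypto ipsec sa` should show the encaps and decaps counters for each peer increasing together; a tunnel interface that stays unreachable while hosts behind it answer usually means the GRE flow is not being selected by the crypto ACL in one direction.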