I have a site where we have an internet connection via an Ethernet port. We made an IPsec over GRE tunnel from that site to our HO in the US.
Router model Cisco 2821 at the remote site and 3845 at HO.
We have another internet link on the serial port of the router and made another IPsec over GRE tunnel to the HO router through this link.
The setup is running fine. But recently we have been having connection issues with the service provider that provides the internet connection via the Ethernet port. When that service goes down, our EIGRP relationship formed over these GRE tunnels breaks and we lose reachability to the site. We have to reach the site via the second internet link and clear the routes; only then does traffic reachability resume.
My question: to avoid this, I want to configure keepalive on the tunnel interface that is used by the Ethernet internet connection. The tunnel line protocol stays down whenever I configure keepalive on it, whereas the other tunnel, used by the serial internet connection, takes the keepalive configuration and works fine.
Yes, I am using EIGRP between these tunnels and the HO.
The average response time is around 250 msec.
I am setting a keepalive every 2 seconds with a retry limit of 2.
It's working fine with these settings on the tunnel which is created via the serial-based internet link.
But the tunnel stays down even with a keepalive of 10 seconds on the one which is created via the Ethernet-based internet link.
Is either of the tunnels' destinations learned via EIGRP over the other tunnel? Please do an IP route check for both tunnels' destinations.
I believe that it would help us understand the issue and give you better advice if you would post the configs of the routers.
Are you able to trace from one router to the other router? Please check this; it will clear up the routing part.
Please also send me a diagram of the network; this will help me to understand the issue.
Can you remove the GRE from the ACL to perform the test (i.e. ICMP) between source and destination to make sure that IPSEC fires up when there is interesting traffic between source and destination?
access-list 110 permit host 220.127.116.11 host 18.104.22.168
access-list 120 permit host 22.214.171.124 host 126.96.36.199
access-list 124 permit host 188.8.131.52 host 184.108.40.206
access-list 110 permit host 220.127.116.11 host 18.104.22.168
access-list 120 permit host 22.214.171.124 host 126.96.36.199
access-list 140 permit host 188.8.131.52 host 184.108.40.206
Always include in the ACL other port for testing purposes (i.e. ICMP) to help you in troubleshooting in the future.
Your idea to put keepalive is good. This is beneficial when you have IP GRE Tunnel (backup or primary link). Without it, when IP GRE Tunnel link is down in one site, the other site IP GRE Tunnel will remain up/up without the keepalive.
I believe your question was about keepalive.
In the serial connection it's your router to router, hence keepalive is working.
But on Ethernet keepalive is not working because the service provider switch is not supporting it.
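The route check requested earlier in the thread (whether a tunnel's destination is learned via EIGRP through the other tunnel) can be scripted. The following is an added example and not part of any post; the `show ip route` sample output, the documentation addresses and the function name are constructed for illustration.

```python
import re

# Constructed samples of `show ip route <tunnel destination>` output
# (documentation addresses; not taken from the thread).
SAMPLE_RECURSIVE = """\
Routing entry for 198.51.100.0/24
  Known via "eigrp 100", distance 90, metric 297246976, type internal
  Last update from 10.255.0.1 on Tunnel1, 00:03:12 ago
  Routing Descriptor Blocks:
  * 10.255.0.1, from 10.255.0.1, 00:03:12 ago, via Tunnel1
      Route metric is 297246976, traffic share count is 1
"""

SAMPLE_OK = """\
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 203.0.113.1
      Route metric is 0, traffic share count is 1
"""

KNOWN_VIA = re.compile(r'Known via "([^"]+)"')
# Descriptor lines end in ", via <interface>"; "Known via" has no leading comma.
VIA_IFACE = re.compile(r', via (\S+)[ \t]*$', re.M)


def check_tunnel_destination(show_ip_route_output):
    """Return (route_source, egress_interfaces, recursive) for one destination."""
    m = KNOWN_VIA.search(show_ip_route_output)
    source = m.group(1) if m else None
    ifaces = VIA_IFACE.findall(show_ip_route_output)
    # A tunnel endpoint reached through a Tunnel interface is recursive routing:
    # the GRE packets would have to travel inside a tunnel to reach the peer.
    recursive = any(i.lower().startswith("tunnel") for i in ifaces)
    return source, ifaces, recursive


if __name__ == "__main__":
    for name, text in (("recursive", SAMPLE_RECURSIVE), ("ok", SAMPLE_OK)):
        print(name, check_tunnel_destination(text))
```

Run it against the output for each tunnel's destination address; a `True` in the third field means that destination is being reached through a tunnel interface and should instead resolve over the physical uplink.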