GRE Tunnel won't come up?

Chrisb6122
Level 1

Hi,

I'm having a bit of a strange issue getting a single GRE tunnel to come up between my head office and a remote site. I'll be the first to admit I'm quite new to setting up VPNs and the like, so forgive me if I'm missing anything painfully obvious. The head office has around 14 different connections coming off it, all set up the same way with an IPSec VPN with a GRE tunnel to encrypt the data.

Headoffice#sh run int t52
interface Tunnel52
 description Primary
 bandwidth 1024
 ip address 172.29.0.209 255.255.255.252
 ip access-group pla_in in
 no ip unreachables
 ip rip advertise 15
 tunnel source Loopback0
 tunnel destination 172.28.0.33
 tunnel path-mtu-discovery

Headoffice#sh ip int t52
Tunnel52 is up, line protocol is down
  Internet address is 172.29.0.209/30
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  Inbound  access list is pla_in
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP Feature CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

interface Loopback0
 ip address 172.28.255.1 255.255.255.255
!

remoteoffice#sh run int t52
Building configuration...

Current configuration : 206 bytes
!
interface Tunnel52
 description Plastica primary P2P GRE tunnel over IPsec VPN
 ip address 172.29.0.210 255.255.255.252
 ip rip advertise 15
 tunnel source Loopback1
 tunnel destination 172.28.255.1
end

remoteoffice#sh ip int t52
Tunnel52 is up, line protocol is up
  Internet address is 172.29.0.210/30
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled

interface Loopback1
 ip address 172.28.0.33 255.255.255.255
!

I can post more information if needed, but I'm a tad stuck on this one. The routing I believe is correct, as are the ACLs.

I would be most grateful for any help!

15 Replies

Calin C.
Level 5

Hello,

Do a simple test first.

From the HQ to the remote office, can you ping the tunnel destination using the tunnel source?

e.g. ping 172.28.0.33 source 172.28.255.1

You can also try vice versa, but if you don't have some fancy firewall in place one direction should be enough to test.

If it's not working, then here is your first step to troubleshoot.

Let us know and we can continue to give you some advice.

HTH,

Calin

Thank you,

This is from HQ:

#ping 172.28.0.33 source 172.28.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.0.33, timeout is 2 seconds:
Packet sent with a source address of 172.28.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

This is from the remote office:

#ping 172.28.255.1 source 172.28.0.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.255.1, timeout is 2 seconds:
Packet sent with a source address of 172.28.0.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/64 ms

Looks like they can ping but the tunnel still shows as down at the HQ?

Thanks

Chris

Hello,

On HQ, what do you have in ACL pla_in?

Take it out for some seconds. Is the interface coming up?

Calin

Hi,

The pla_in ACL has the following in it:

ip access-list extended pla_in
 remark 1 Permit traffic between associated networks
 remark 1 na
 remark 2 Permit return traffic berween connected networks
 permit icmp 172.29.0.0 0.0.255.255 172.29.0.0 0.0.255.255 echo-reply
 permit tcp 172.29.0.0 0.0.255.255 172.29.0.0 0.0.255.255 established
 remark 3 Permit GRE between tunnel endpoints
 permit gre 172.28.0.0 0.0.255.255 172.28.0.0 0.0.255.255
 remark 4 Permit RIP from tunnel networks to RIP routers
 permit udp 172.29.0.0 0.0.255.255 host 224.0.0.9 eq rip
 remark 5 Deny traffic to non hosted private networks
 deny   ip any 10.1.2.0 0.0.1.255
 deny   ip any 172.16.0.0 0.15.255.255
 remark 6 Permit traffic from associated and connected networks to hosted networks
 permit ip 172.19.18.32 0.0.0.7 10.0.0.0 0.255.255.255
 permit ip 172.29.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark 7 Permit traffic from associated  networks to Internet
 remark 7 na
 remark 8 Deny (or log) everything else
 deny   ip any any

I've removed the ACL, but it's still not coming back up.

Thanks

Chris

Hi,

On your tunnel interface on the router the description says GREoIPsec. So, are you running GREoIPsec?

Does your encryption domain have the appropriate subnets in there? Is the interesting traffic configured properly?

Can you do a sh crypto ipsec sa?

Might be a good idea to attach the full config here.

Regards

Kishore

I think so; the IPSec VPN terminates on a firewall prior to letting the interesting traffic through to the router where the GRE tunnel terminates.

remote office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.200.145.227 81.5.131.153    QM_IDLE           1001    0 ACTIVE

#sh crypto ipsec sa
interface: Dialer1
    Crypto map tag: vpnmap, local addr 81.5.131.153

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.28.0.33/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.28.255.0/255.255.255.0/0/0)
   current_peer 195.200.145.227 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
    #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 81.5.131.153, remote crypto endpt.: 195.200.145.227
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xC5DB17A9(3319469993)

     inbound esp sas:
      spi: 0xABF5BC53(2885008467)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: C87X_MBRD:3, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4493568/823)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC5DB17A9(3319469993)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: C87X_MBRD:4, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4493553/822)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: vpnmap, local addr 81.5.131.153

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.28.0.33/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.28.255.0/255.255.255.0/0/0)
   current_peer 195.200.145.227 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
    #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 81.5.131.153, remote crypto endpt.: 195.200.145.227
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xC5DB17A9(3319469993)

     inbound esp sas:
      spi: 0xABF5BC53(2885008467)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: C87X_MBRD:3, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4493568/821)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC5DB17A9(3319469993)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: C87X_MBRD:4, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4493553/820)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Please see the attached file for the remote office.

Thanks

Chris

Hi,

You need to allow GRE on the firewall. Please check if port 47 is allowed on the firewall.

Cheers

Kishore

I mean protocol 47 not port ;)

Thank you,

I believe it's allowed through because, as I say, at least 14 other sites are working fine using the same setup.

This is all the information relating to the remote office on the firewall:

access-list outside_cryptomap_9000_remote office extended permit ip 172.28.255.0 255.255.255.0 host 172.28.0.33
crypto map outside_map 9000 match address outside_cryptomap_9000_remote office
crypto map outside_map 9000 set pfs group5
crypto map outside_map 9000 set peer 81.5.131.153
crypto map outside_map 9000 set transform-set AES256

I'm still at a loss of what could be wrong here.

Just checking your remote site configuration.

interface Loopback1
 description terminates GRE tunnels over IPsec
 ip address 172.28.0.33 255.255.255.252               <<<< shouldn't this be a /32??

because in your interesting traffic on the firewall your remote subnet in the encryption domain is host 172.28.0.33, which is a /32 address.

Also, the ACL on the remote site is

ip access-list extended protected
 permit ip host 172.28.0.33 172.28.255.0 0.0.0.255       <<< you're saying host, but your loopback is configured as /30

Change the loopback address to a /32 and see if that helps.

HTH

Kishore
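A small consistency check, added here as an example (it is not code from this thread, from Cisco or from any of the posters), that encodes the points raised so far: reciprocal tunnel source/destination, a /32 loopback as the crypto endpoint (the mismatch Kishore spotted), crypto ACLs on the firewall and the remote router that each cover the peer endpoint and mirror each other, and a pla_in entry that permits GRE between the endpoints. The data structures and function names are my own; the addresses are the ones quoted in the thread, and the wildcard converter assumes contiguous IOS wildcards.

```python
import ipaddress

# Values constructed from the configs quoted in this thread (not read from a device).
SITES = {
    "HQ": {"loopback": "172.28.255.1/32",
           "tunnel_src": "172.28.255.1", "tunnel_dst": "172.28.0.33"},
    "Remote": {"loopback": "172.28.0.33/30",
               "tunnel_src": "172.28.0.33", "tunnel_dst": "172.28.255.1"},
}
# Encryption domains (local, remote): firewall ACL outside_cryptomap_9000 / remote ACL "protected".
FW_DOMAIN = ("172.28.255.0/24", "172.28.0.33/32")
REMOTE_DOMAIN = ("172.28.0.33/32", "172.28.255.0/24")
# HQ pla_in entry meant to admit GRE: (protocol, src, src-wildcard, dst, dst-wildcard)
PLA_IN_GRE = ("gre", "172.28.0.0", "0.0.255.255", "172.28.0.0", "0.0.255.255")


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> ip_network (assumes a contiguous wildcard)."""
    wc = int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def check_gre_over_ipsec(sites, fw_domain, remote_domain, gre_ace):
    """Return a list of findings; an empty list means every checked item is consistent."""
    hq, rem = sites["HQ"], sites["Remote"]
    findings = []
    # Each side's tunnel destination must be the other side's tunnel source.
    if (hq["tunnel_dst"], rem["tunnel_dst"]) != (rem["tunnel_src"], hq["tunnel_src"]):
        findings.append("tunnel source/destination pairs are not reciprocal")
    for name, site in sites.items():
        lb = ipaddress.ip_interface(site["loopback"])
        if str(lb.ip) != site["tunnel_src"]:
            findings.append(f"{name}: tunnel source differs from the loopback address")
        # Kishore's point: a loopback used as a crypto endpoint should be a /32 host.
        if lb.network.prefixlen != 32:
            findings.append(f"{name}: loopback {lb} is not a /32")
    fw_local, fw_remote = map(ipaddress.ip_network, fw_domain)
    r_local, r_remote = map(ipaddress.ip_network, remote_domain)
    if ipaddress.ip_address(rem["tunnel_src"]) not in fw_remote:
        findings.append("firewall crypto ACL does not cover the remote tunnel source")
    if ipaddress.ip_address(hq["tunnel_src"]) not in r_remote:
        findings.append("remote crypto ACL does not cover the HQ tunnel source")
    if (fw_local, fw_remote) != (r_remote, r_local):
        findings.append("encryption domains are not mirror images of each other")
    # The GRE packets carrying the tunnel must themselves be permitted end to end.
    proto, s, swc, d, dwc = gre_ace
    if proto != "gre" or not (ipaddress.ip_address(rem["tunnel_src"]) in wildcard_to_network(s, swc)
                              and ipaddress.ip_address(hq["tunnel_src"]) in wildcard_to_network(d, dwc)):
        findings.append("pla_in does not permit GRE between the tunnel endpoints")
    return findings
```

Run against the thread's values as posted, the only finding is the /30 on the remote loopback; after changing it to /32 the list is empty.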

Thanks Kishore,

I've changed both of those addresses to be /32, so they now read

ip address 172.28.0.33 255.255.255.255
permit ip host 172.28.0.33 172.28.255.0

I still can't even ping the inside interface (172.19.18.37) from the HQ router.

Thanks again

Chris

Is the tunnel up on both ends? Can you ping the tunnel interfaces from each site?

Can you see the RIP routes being advertised at both ends?

Also, is the Vlan1 interface up on the remote router? Because on some low-end routers, if nothing is plugged into the Ethernet ports, then Vlan1 remains down (line protocol).

Can you execute the commands below on the HQ and remote routers and paste the results here?

HQ
sh ip rip database 172.19.18.37
sh ip route 172.19.18.37

Remote
sh ip int brief
sh ip rip database 172.19.18.37
sh ip route 172.19.18.37

Just out of curiosity, is this a Cisco 837 or an 877?

Cheers

Thanks again for your reply.

The tunnel is only up/up on the remote end; at HQ it's only showing as up/down. The remote end router is a Cisco 877.

I can ping 172.28.255.1 successfully from 172.28.0.33 and vice versa.

The VLAN is up (I did have to go and check, though).

HQ

HQ#sh ip rip database 172.19.18.37 255.255.255.252
%Route not in database

HQ#sh ip route 172.19.18.37
Routing entry for 172.16.0.0/12, supernet
  Known via "static", distance 1, metric 0
  Redistributing via ospf 1024, rip
  Advertised by ospf 1024 subnets
                rip
  Routing Descriptor Blocks:
  * 10.3.2.254
      Route metric is 0, traffic share count is 1

Remote

Remote#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
ATM0                       unassigned      YES NVRAM  up                    up
Vlan1                      172.19.18.37    YES NVRAM  up                    up
Tunnel52                   172.29.0.210    YES NVRAM  up                    up
Loopback1                  172.28.0.33     YES NVRAM  up                    up
Loopback0                  unassigned      YES NVRAM  up                    up
Dialer1                    81.5.131.153    YES NVRAM  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up

Remote#sh ip rip database 172.19.18.37 255.255.255.252
%Route not in database

Remote#sh ip route 172.19.18.37
Routing entry for 172.19.18.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via rip
  Advertised by rip
  Routing Descriptor Blocks:
  * directly connected, via Vlan1
      Route metric is 0, traffic share count is 1

Thanks again for your help!

Chris

Chrisb6122
Level 1

Thanks for all your help.

The problem has now been resolved.

The issue was an incorrect subnet mask placed on the VLAN interface at the remote end; once it was changed to a /28, RIP learned the proper network and started to transmit data.

Thanks for your help.
