Solved: GRE Tunnels on a 827

mike.gomez · ‎07-19-2007

Hiya,

I've setup three sites, two with simple DSL connections out to the internet, and all of them with an MPLS line to connect them together.

What I'm needing to get working is a GRE tunnel between the locations over the MPLS so that I can exchange OSPF routes. Basically I'm wanting the routers to forward all internet traffic out location A's DSL connection and if it's down go out another line at location B.

I can basically get all of that to work if I can get these GRE tunnels up (AT&T won't allow just plain OSPF updates through the MPLS lines they provide). The tunnels between location A and location B (1721 at A and a 2801 at B) work perfectly fine. It's only when I try to get a tunnel up from either of those two locations to location C (827 router) that it doesn't work.

I'm not sure if I've got things configured incorrectly, or whether the 827 router just isn't capable of doing GRE. Here's the relevant tunnel configs from each router:

Location A:

interface Tunnel0

ip address 172.18.1.2 255.255.255.0

keepalive 5 4

tunnel source Ethernet0

tunnel destination 192.168.2.1

!

interface Tunnel1

ip address 172.18.3.2 255.255.255.0

tunnel source Ethernet0

tunnel destination 192.168.3.1

!

interface Ethernet0

ip address 192.168.0.1 255.255.255.0

ip rip v2-broadcast

ip rip send version 2

ip rip receive version 2

ip ospf network broadcast

Location B:

interface Tunnel0

ip address 172.18.1.1 255.255.255.0

keepalive 5 4

tunnel source FastEthernet0/1

tunnel destination 192.168.0.1

!

interface Tunnel1

ip address 172.18.2.1 255.255.255.0

tunnel source 192.168.2.1

tunnel destination 192.168.3.1

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0

ip helper-address 192.168.0.3

ip inspect Firewall in

duplex auto

speed auto

Location C:

interface Tunnel0

ip address 172.18.3.1 255.255.255.0

tunnel source Ethernet0

tunnel destination 192.168.0.1

!

interface Tunnel1

ip address 172.18.2.2 255.255.255.0

tunnel source 192.168.3.1

tunnel destination 192.168.2.1

!

interface Ethernet0

ip address 192.168.3.1 255.255.255.0

ip helper-address 192.168.0.3

ip flow ingress

ip flow egress

ip virtual-reassembly

no cdp enable

hold-queue 32 in

hold-queue 100 out

I tried taking the keepalives off of the tunnels going to location C just to see if it would bring the tunnel interface up/up. It'll report as up/up on the location B side, but all of location C's tunnels show up/down, even without keepalives set. Can anyone shed some light on this as I'm quickly running out of ideas.

TIA,

Mike

Richard Burts · ‎07-19-2007

Mike

I checked on the Feature Navigator on the Cisco site and I find that the 827 support for GRE depends on the feature set that you are running (and since I do not know what version I can not yet speak whether it is version dependent). In the version that I checked (12.3(22)), the IP feature set (Base feature set) GRE does not show as supported. But in the IP PLUS feature set it does show as supported.

My guess is that your 827 is running the simple IP feature set and does not support GRE. I believe that if you upgrade the 827 to an IP PLUS image that you would get support for GRE.

Having written that, I do admit that I am a bit puzzled. If the feature were really not supported in that image I am surprised that it accepted the commands and did not generate some warning or error. My experience before has been that if I attempt to configure something not supported in that image that it does give messages about it.

So what image is the 827 running? And is a software upgrade possible?

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎07-19-2007

Mike

I believe that your problem is IP connectivity. Probably the most important clue is that even with keepalives removed on router C the tunnels show as up/down. Without keepalive configured the default behavior of GRE tunnels is to show the tunnel as up/up if it has a valid route to the tunnel destination (not that the tunnel destination is necessarily reachable) and to show the tunnel as up/down if it does not have a valid route to the tunnel destination. I believe that router C does not have a valid route to the tunnel destinations.

The easy way to prove this is on router C to do an extended ping and in the extended ping to specify the tunnel destination address of one of the tunnels as the ping destination and to specify the Ethernet 0 (192.168.3.1) as the source. I expect that ping to fail. If it does troubleshoot your IP connectivity problem and if you solve it I believe that your tunnels will work.

HTH

Rick

HTH

Rick

mike.gomez · ‎07-19-2007

The extended pings work, and all other sorts of traffic gets moved around in there just fine. I just can't get the GRE tunnels on the 827 up. Since the tunnel destinations are reachable, and it still shows up/down, what's that mean? Is the 827 just not capable? I've got a spare 1605 router that I've used before with GRE that I could swap it with. It's just that the 827 router is located a couple hours away from me and I don't necessarily want to drive out there if I can avoid it. :)

Thanks!

Mike

Richard Burts · ‎07-19-2007

Mike

I checked on the Feature Navigator on the Cisco site and I find that the 827 support for GRE depends on the feature set that you are running (and since I do not know what version I can not yet speak whether it is version dependent). In the version that I checked (12.3(22)), the IP feature set (Base feature set) GRE does not show as supported. But in the IP PLUS feature set it does show as supported.

My guess is that your 827 is running the simple IP feature set and does not support GRE. I believe that if you upgrade the 827 to an IP PLUS image that you would get support for GRE.

Having written that, I do admit that I am a bit puzzled. If the feature were really not supported in that image I am surprised that it accepted the commands and did not generate some warning or error. My experience before has been that if I attempt to configure something not supported in that image that it does give messages about it.

So what image is the 827 running? And is a software upgrade possible?

HTH

Rick

HTH

Rick

spremkumar · ‎07-19-2007

Hi Rick

From my previous experience though some of the boxes supports GRE tunnel configs it gets into IP/IP mode instead of GRE mode.

The same can be verified using show interface tunnel x under which we can check out the tunnel mode...

If you have different modes on both the ends it wont come up..

regds

mike.gomez · ‎07-20-2007

Ah, it was the IP vs. IP Plus issue. I put a new image on with IP Plus and my tunnels magically came up. It didn't give me any errors or warnings when setting up the tunnels on the old IOS, so it was perplexing.

Thank you so much for your help!

Richard Burts · ‎07-20-2007

Mike

I am glad that you got it to work. It certainly is surprising that it accepted the commands without any sign of a problem if the code version did not support it. That would certainly be perplexing.

Thanks for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read of a problem (especially an unusual problem like this one) and can know that they will read a solution to the problem. I encourage you to continue your participation in the forum.

HTH

Rick

HTH

Rick