I have 50 GRE tunnels set up on one router that go out to 50 remote sites. One site has two tunnels, one for primary and one for backup. The backup tunnel is not coming up. The access-list is incrementing, but show crypto isakmp sa says MM_NO_STATE and deleted. When I do show crypto ipsec sa I get send errors on the peer. Any suggestions on what could be wrong?
Am I understanding correctly that you have only a single head end router and that the one remote site has configured two tunnels from that remote router to the same head end router?
From a GRE perspective I think you could get this to work as long as either the source address or the destination address used different interfaces on their respective router (perhaps one is FA0/0 and the other is FA0/1 or something like that). But from a crypto/IPSec perspective this does not work. You can build only a single peer relationship and set of Security Associations to a remote router.
Can you explain why this remote is trying to use two tunnels if it is the same source router and the same destination router? If it is because the remote actually has two different exit interfaces perhaps you could build two tunnels and do the crypto peering on a loopback interface of the remote router?
Thanks for the reply Rick, but I don't think I explained it well enough. There is a Host site and a DR site. The remote site has a tunnel to each location. I have about 50 sites set up this way, but this one site I am having a problem with. I am looking for some help trying to determine the problem with the configuration. The configuration for the two tunnels looks the same (besides the different IP addresses); however, when I do a show crypto isakmp sa it shows the tunnel as MM_NO_STATE.
When I do a show crypto ipsec sa it has send errors. A long time ago I remember finding a troubleshooting guide for this but I can't seem to find it anymore.
Thanks for the clarification. Clearly I did not correctly understand the environment. Do all 50 sites have two tunnels or is it only this one? Can you post the config from the router having the problem (disguising public addresses etc.)? Perhaps that will help us identify the problem.
Thanks for your help I figured out today that the DSL modem provided by the vendor has a firewall feature turned on that was blocking the traffic. After that was removed the tunnel came up fine.
I am glad that you have solved the issue. Thank you for posting back to the forum to let us know that it is solved and what the problem turned out to be.
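As an added illustration of the symptom pattern in this thread (MM_NO_STATE in show crypto isakmp sa while the crypto ACL keeps incrementing and show crypto ipsec sa reports send errors), here is a small triage script that is not from the original posts: it parses IOS-style output of those two commands and flags peers whose Phase 1 never completed, which in this case turned out to be a modem firewall on the path dropping the traffic. The peer addresses, counters and output text are constructed for the example.

```python
import re

# Constructed sample output (not from the thread), laid out like IOS prints it.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.5    MM_NO_STATE    0       ACTIVE (deleted)
203.0.113.11    198.51.100.5    QM_IDLE        1001    ACTIVE
"""
IPSEC_SA = """\
   local crypto endpt.: 198.51.100.5, remote crypto endpt.: 203.0.113.10
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 37, #recv errors 0
   local crypto endpt.: 198.51.100.5, remote crypto endpt.: 203.0.113.11
    #pkts encaps: 4821, #pkts encrypt: 4821, #pkts digest: 4821
    #send errors 0, #recv errors 0
"""
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]{2}_[A-Z_]+)\s+\d+\s+(.*)$", re.M)
ENDPT = re.compile(r"remote crypto endpt\.: (\S+)")
COUNTER = re.compile(r"#pkts encaps: (\d+).*?#send errors (\d+)", re.S)

def parse_isakmp(text):
    """Map remote peer -> (phase-1 state, status) from 'show crypto isakmp sa'."""
    return {dst: (state, status.strip()) for dst, _src, state, status in ISAKMP_ROW.findall(text)}

def parse_ipsec(text):
    """Map remote peer -> (packets encapsulated, send errors) from 'show crypto ipsec sa'."""
    result = {}
    chunks = ENDPT.split(text)[1:]              # [peer, body, peer, body, ...]
    for peer, body in zip(chunks[::2], chunks[1::2]):
        m = COUNTER.search(body)
        result[peer] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return result

def diagnose(isakmp, ipsec):
    """One (code, explanation) per peer, combining phase-1 state with IPsec counters."""
    verdicts = {}
    for peer, (state, status) in isakmp.items():
        encaps, send_err = ipsec.get(peer, (0, 0))
        if state == "MM_NO_STATE" or "deleted" in status:
            verdicts[peer] = ("phase1-failed",
                f"ISAKMP stuck in {state} ({status}): main mode never completed. {send_err} send "
                f"errors with {encaps} packets encapsulated means traffic matched the crypto ACL but "
                "had no SA to use. Check that UDP/500 (UDP/4500 with NAT-T) and ESP pass every "
                "device on the path, such as a vendor modem firewall, and that policy and key match.")
        elif state == "QM_IDLE":
            verdicts[peer] = ("established", f"Phase 1 and 2 up; {encaps} packets encapsulated.")
        else:
            verdicts[peer] = ("negotiating", f"Phase 1 in progress ({state}); re-check shortly.")
    return verdicts

if __name__ == "__main__":
    for peer, (code, msg) in diagnose(parse_isakmp(ISAKMP_SA), parse_ipsec(IPSEC_SA)).items():
        print(f"{peer}: {code}: {msg}")
```

In practice the script would be fed the two command outputs captured from the head end, and the "phase1-failed" verdict is the cue to look at the path between the peers before touching the crypto configuration itself.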
Host end that isn't working
crypto isakmp key XXX address XXXX
crypto isakmp policy XXX
crypto map Stuff 10 ipsec-isakmp
set peer Y.Y.Y.Y
set transform-set overall
match address overview
crypto ipsec transform-set overall esp-des esp-md5-hmac
ip mtu 1350
ip tcp adjust-mss 1294
crypto map XXX
ip access-list extended XXX
permit gre host XXX host XXXX
Remote that isn't working:
crypto isakmp policy
crypto isakmp key XXX address XXx
crypto ipsec transform-set XXX esp-des esp-md5-hmac
crypto map XX 175 ipsec-isakmp
set transform-set XXX
match address 105
ip mtu 1350
no ip route-cache cef
ip tcp adjust-mss 1294
tunnel source GigabitEthernet0/0
crypto map XXX
access-list 105 permit gre host xxx host
All of the other sites have this same configuration; for some reason this site doesn't work. The ACL is getting hits, so I know the requests are coming. I have tried a couple of debugs but did not see anything specific.
Thanks for the additional information. There are several things that stand out to me as I review what you posted.
- first (and perhaps most important) the remote config that you posted has only a single tunnel. I thought that you said that the remote has two tunnels.
- second (and sort of important) you show the crypto map as being applied on the tunnel interface on both routers. The standard for crypto map changed a long time ago to have the crypto map applied on the physical interface and not on the tunnel. Unless you are running really old code this is a problem.
When I said host end that isn't working and remote end that isn't working, I meant the tunnels, so I didn't include the working tunnels. Also, I do have that command on the physical interface; I just didn't copy it in.
You insist on obfuscating things that have no significance, such as the isakmp policy number and the crypto map name and the transform name. And you give us minute pieces of the config that you determine should be significant but not the other parts that might interact. I hope that you find someone else who believes that they can figure out the issue based on the very limited information you choose to supply. But I am done with this thread and your unwillingness to provide the significant information that might allow us to identify your problem.