Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

router to router GRE tunnel

I have 50 GRE tunnels setup on one router that goes out to 50 remote sites.  One site has two tunnels, one for primary and one for backup.  The backup tunnel is not coming up.  The access-list is incrementing but the show crypto isamp sa says mm_no_state and deleted.  When I do show crypto IPsec sa I get send errors on the peer.  Any suggestions on what could be wrong?

 

 

Everyone's tags (2)
9 REPLIES
Hall of Fame Super Silver

Am I understanding correctly

Am I understanding correctly that you have only a single head end router and that the one remote site has configured two tunnels from that remote router to the same head end router?

 

From a GRE perspective I think you could get this to work as long as either the source address or the destination address used different interfaces on their respective router (perhaps one is FA0/0 and the other is FA0/1 or something like that). But from a crypto/IPSec perspective this does not work. You can build only a single peer relationship and set of Security Associations to a remote router.

 

Can you explain why this remote is trying to use two tunnels if it is the same source router and the same destination router? If it is because the remote actually has two different exit interfaces perhaps you could build two tunnels and do the crypto peering on a loopback interface of the remote router?

 

HTH

 

Rick

New Member

Thanks for the reply Rick,

Thanks for the reply Rick, but I don't think I explained it well enough.  There is a Host site and a DR site.  The remote site has a tunnel to each location.  I have about 50 sites setup this way but this one site I am having a problem with.  I am looking for some help trying to determine the problem with the configuration.  The configuration for the two tunnels looks the same (besides the different IP addresses)  however when I do a show crypto isakmp sa it shows the tunnel as MM_No_STATE

When I do a show crypto ipsec sa it has send errors.   A long time ago I remember finding a troubleshooting guide for this but I can't seem to find it anymore.

 

Thanks agin.

Hall of Fame Super Silver

Thanks for the clarification.

Thanks for the clarification. Clearly I did not correctly understand the environment. Do all 50 siltes have two tunnels or is it only this one? Can you post the config from the router having the problem (disguising public addresses etc)? Perhaps that will help us identify the problem.

 

HTH

 

Rick

New Member

Thanks for your help I

Thanks for your help I figured out today that the DSL modem provided by the vendor has a firewall feature turned on that was blocking the traffic.  After that was removed the tunnel came up fine.  

Hall of Fame Super Silver

I am glad that you have

I am glad that you have solved the issue. Thank you for posting back to the forum to let us know that it is solved and what the problem turned out to be.

 

HTH

 

Rick

New Member

configurationHost end that

configuration

Host end that isn't working

crypto isakmp key XXX address XXXX

crypto isakmp policy XXX
 hash md5
 authentication pre-share
 lifetime 86340

crypto map Stuff 10 ipsec-isakmp
  set peer Y.Y.Y.Y
 set transform-set overall
 match address overview

crypto ipsec transform-set overall esp-des esp-md5-hmac

 

interface Tunnel27
  ip address
 ip mtu 1350
 ip tcp adjust-mss 1294
 tunnel source
 tunnel destination
 crypto map XXX

 

 

ip access-list extended XXX
 permit gre host XXX host XXXX

 

 

 

Remote that isn't working:

crypto isakmp policy

hash md5
 authentication pre-share
crypto isakmp key XXX address XXx

crypto ipsec transform-set XXX esp-des esp-md5-hmac

 

crypto map XX 175 ipsec-isakmp
 set peer 
  set transform-set XXX
 match address 105

interface Tunnel0
  ip address 
 ip mtu 1350
 no ip route-cache cef
 ip tcp adjust-mss 1294
 tunnel source GigabitEthernet0/0
 tunnel destination 
 crypto map XXX

 

access-list 105 permit gre host xxx host

 

All of the other sites have this same configuration, for some reason this site doesn't work.  The ACL is getting hits so I know the requests are coming.  I have tried a couple debugs but not see anything specific.

 

 

 

 

 

 

 

 

Hall of Fame Super Silver

Thanks for the additional

Thanks for the additional information. There are several things that stand out to me as I review what you posted.

- first (and perhaps most important) the remote config that you post has only a single tunnel. I thought that you said that the remote has two tunnels.

- second (and sort of important) you show the crypto map as being applied on the tunnel interface on both routers. The standard for crypto map changed a long time ago to have the crypto map applied on the physical interface and not on the tunnel. Unless you are running really old code this is a problem.

 

HTH

 

Rick

New Member

When I said host end that isn

When I said host end that isn't working and remote end that isn't working I meant the tunnels so I didn't include the working tunnels.  Also I do have that command on the physical interface also I just didn't copy it in.

Hall of Fame Super Silver

You insist on obfuscating

You insist on obfuscating things that have no significance, such as the isakmp policy number and the crypto map name and the transform name. And you give us minute pieces of the config that you determine should be significant but not the other parts that might interact. I hope that you find someone else who believes that they can figure out the issue based on the very limited information you choose to supply. But I am done with this thread and your unwillingness to provide the significant information that might allow us to identify your problem.

 

HTH

 

Rick

319
Views
0
Helpful
9
Replies
CreatePlease to create content