04-10-2014 03:35 PM - edited 03-04-2019 10:46 PM
I implemented VTI for the first time between two Cisco routers.
But the problem is that it keeps flapping without any obvious reason. When it's down, I can ping the public IP of both ends, but the private IP of the tunnel doesn't respond to ping (since it's in the down state).
Any idea how to find out the reason for this?
The configuration is pretty much copy-paste from the Cisco site.
interface Tunnel12521
 ip address 192.168.90.5 255.255.255.252
 tunnel source 196.2.2.173
 tunnel destination 38.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SNG-HAMP-VTI-PROFILE
end
crypto ipsec profile SNG-HAMP-VTI-PROFILE
 set transform-set SNG-HAMP-TRANS-VTI
!
crypto ipsec transform-set SNG-HAMP-TRANS-VTI esp-3des esp-sha-hmac
crypto isakmp policy 200
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 3! address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
Any idea?
Apr 10 11:31:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 12:28:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 12:28:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 13:26:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 13:28:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 14:23:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 14:24:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 15:21:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 15:21:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 16:19:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 16:21:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 17:17:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 17:18:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 18:16:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 18:17:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
04-21-2015 03:48 AM
Haha, I can't believe this stuff people were "discussing" (desperate monologues :-) 5 years, 1 year (yours) ago, as I need to solve the same thing these days :-). Honestly, I never had this before (was successful with VTI), but simply some things reappear just for fun, so it seems.
As I have a paid contract with Cisco, hopefully I will be lucky with some wise guy on the hotline to get an explanation for this plus other things, and mirror the result here.
PS1: Learnt that "keepalive" on the tunnel interface has no effect; it is just for GRE tunnels (Google confirms).
PS2: I don't have a clue; I even suspect the "invalid-spi" command does not work like it should (whoever is knowledgeable about it, thanks for any comment here).
06-22-2016 03:26 AM
Hi,
We observed the same problem. Have you any suggestions?
06-22-2016 06:03 AM
The protocol status of the VTI tunnel depends on the negotiation of the crypto sessions. So I would suggest starting with debug crypto isakmp. Look to see whether the ISAKMP sessions are failing and being renegotiated.
HTH
Rick
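One way to turn the %LINEPROTO-5-UPDOWN lines from the first post into up/down dwell times, so the flap cadence can be lined up against timestamps in `debug crypto isakmp` output. This is an added example, not part of any post in this thread; the function names and the `year` default are assumptions.

```python
import re
from datetime import datetime

# Log lines copied from the first post in this thread (first seven events).
SAMPLE = """\
Apr 10 11:31:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 12:28:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 12:28:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 13:26:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 13:28:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
Apr 10 14:23:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to up
Apr 10 14:24:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12521, changed state to down
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d): %LINEPROTO-5-UPDOWN: Line protocol "
    r"on Interface (?P<intf>\S+), changed state to (?P<state>up|down)$"
)

def parse(text, year=2014):
    """Return [(timestamp, interface, state)]; non-matching lines are skipped.
    IOS omits the year by default, so `year` is an assumption."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["intf"], m["state"]))
    return sorted(events)

def dwell_times(events, intf):
    """Seconds spent in each state between consecutive transitions."""
    out, prev = {"up": [], "down": []}, None
    for ts, name, state in events:
        if name != intf:
            continue
        if prev and prev[1] != state:  # ignore repeated same-state messages
            out[prev[1]].append(int((ts - prev[0]).total_seconds()))
            prev = (ts, state)
        elif prev is None:
            prev = (ts, state)
    return out

def up_to_up(events, intf):
    """Seconds between successive 'up' events: the re-establishment cadence."""
    ups = [ts for ts, name, state in events if name == intf and state == "up"]
    return [int((b - a).total_seconds()) for a, b in zip(ups, ups[1:])]

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(dwell_times(ev, "Tunnel12521"), up_to_up(ev, "Tunnel12521"))
```

On these lines the tunnel stays up for 30 to 94 seconds and comes back roughly every 57 to 58 minutes, which gives a window to watch for in the crypto debug output.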