GRE Tunnel configuration issues? Is that even possible? HAVE I LOST MY MIND???

ande0255ande0255 Banned Posts: 1,178
I am somehow having issues with configuring a simple GRE tunnel, and wanted input from the TE experts in this forum.

So I have the basic NBMA running OSPF between R1 / R2 / R3 on 172.12.123.0 /24 network (R1 = .1, R2 = .2, etc)

So on R1:

int tunnel1
ip add 10.1.1.1 255.255.255.252
tunnel source 172.12.123.1
tunnel dest 172.12.123.3

On R3:

int tunnel1
ip add 10.1.1.3 255.255.255.252
tunnel source 172.12.123.3
tunnel dest 172.12.123.1

I am able to ping and traceroute just fine to between R1's networks and R3's, however the traceroute shows it is not taking the tunnel, and I am wondering if there is a behavior that might cause this to happen or if I am misinterpreting the several videos I've watched on this setup?

Every explanation is as easy as above, I am wondering if my configs are incorrect or if it requires static IP addresses? I've watched several youtube videos, reviewed cisco support forums that show that should be the correct config but I cannot get it working and it is driving me mad :)

Any input appreciated!

Comments

  • DCDDCD Member Posts: 473 ■■■■□□□□□□
    Need the output of Show IP interface brief on all three routers. Butter yet all three routers configurations. You IP scheme does not work for your routers the why your are showing it.

    "So I have the basic NBMA running OSPF between R1 / R2 / R3 on 172.12.123.0 /24 network (R1 = .1, R2 = .2, etc)
    So on R1:

    int tunnel1
    ip add 10.1.1.1 255.255.255.252
    tunnel source 172.12.123.1
    tunnel dest 172.12.123.3

    On R3:

    int tunnel1
    ip add 10.1.1.3 255.255.255.252
    tunnel source 172.12.123.3
    tunnel dest 172.12.123.1"
  • ande0255ande0255 Banned Posts: 1,178


    This was the original idea, as I've had success building an IPSec tunnel over a similar topology, though I tried R3 because there no is no redistribution / route-tagging involved (so a tunnel is not shown in my crappy Topology from R1 to R3), and still got the same results.

    Here is the output from R1 / R2 / R3 (I have added two tunnel interfaces at this point on R1 to create point to point tunnels to R2 and R3:

    R1


    R1#sh run
    Building configuration...

    Current configuration : 2648 bytes
    !
    ! Last configuration change at 06:44:59 UTC Sat Apr 29 2017
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$yVi1$SQ5NqI28RILEABWBtclSc0
    !
    no aaa new-model
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    no ipv6 cef
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    license udi pid CISCO1841 sn FTX1210Z0AE
    !
    !
    !
    !
    !
    !
    interface Loopback1
    ip address 1.1.1.1 255.255.255.255
    !
    interface Loopback11
    ip address 11.1.1.1 255.255.255.0
    !
    interface Loopback101
    ip address 100.1.0.1 255.255.0.0
    !
    interface Loopback102
    ip address 100.2.0.1 255.255.0.0
    !
    interface Loopback103
    ip address 100.3.0.1 255.255.0.0
    !
    interface Loopback104
    ip address 100.4.0.1 255.255.0.0
    !
    interface Loopback105
    ip address 100.5.0.1 255.255.0.0
    !
    interface Loopback106
    ip address 100.6.0.1 255.255.0.0
    !
    interface Loopback107
    ip address 100.7.0.1 255.255.0.0
    !
    interface Tunnel1
    ip address 10.1.1.1 255.255.255.252
    tunnel source 172.12.123.1
    tunnel destination 172.12.123.2
    !
    interface Tunnel2
    ip address 10.1.1.5 255.255.255.252
    tunnel source 172.12.123.1
    tunnel destination 172.12.123.3

    !
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.12.15.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    ip address 172.12.123.1 255.255.255.0
    encapsulation frame-relay
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 CCNP
    frame-relay map ip 172.12.123.3 123 broadcast
    frame-relay map ip 172.12.123.2 122 broadcast
    no frame-relay inverse-arp
    frame-relay lmi-type cisco
    !
    interface Serial0/0/1
    no ip address
    shutdown
    clock rate 2000000
    !
    router ospf 1
    log-adjacency-changes
    area 100 range 100.0.0.0 255.248.0.0
    network 1.1.1.1 0.0.0.0 area 1
    network 11.1.1.0 0.0.0.255 area 0
    network 100.1.0.0 0.0.255.255 area 100
    network 100.2.0.0 0.0.255.255 area 100
    network 100.3.0.0 0.0.255.255 area 100
    network 100.4.0.0 0.0.255.255 area 100
    network 100.5.0.0 0.0.255.255 area 100
    network 100.6.0.0 0.0.255.255 area 100
    network 100.7.0.0 0.0.255.255 area 100
    network 172.12.15.0 0.0.0.255 area 15
    network 172.12.123.0 0.0.0.255 area 0
    neighbor 172.12.123.2
    neighbor 172.12.123.3
    default-information originate always
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    line aux 0
    line vty 0 4
    password CCNP
    logging synchronous
    login
    transport input all
    !
    scheduler allocate 20000 1000
    end

    R1#


    R2

    R2#sh run
    Building configuration...

    Current configuration : 2099 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$3s2u$dmZAt64T7v6LHrqqmY8GN0
    !
    no aaa new-model
    !
    resource policy
    !
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Tunnel1
    ip address 10.1.1.2 255.255.255.252
    tunnel source 172.12.123.2
    tunnel destination 172.12.123.1

    !
    interface Loopback2
    ip address 2.2.2.2 255.255.255.255
    !
    interface Loopback22
    ip address 22.2.2.2 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 172.12.23.2 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/0
    ip address 172.12.123.2 255.255.255.0
    encapsulation frame-relay
    ip ospf message-digest-key 1 md5 CCNP
    ip ospf priority 0
    frame-relay map ip 172.12.123.3 221
    frame-relay map ip 172.12.123.1 221 broadcast
    no frame-relay inverse-arp
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Serial0/1
    no ip address
    shutdown
    !
    router ospf 1
    log-adjacency-changes
    area 0 authentication message-digest
    redistribute rip metric-type 1 subnets route-map RIP2OSPF
    network 2.2.2.2 0.0.0.0 area 2
    network 22.2.2.0 0.0.0.255 area 0
    network 172.12.123.0 0.0.0.255 area 0
    !
    router rip
    version 2
    redistribute ospf 1 metric 1 route-map OSPF2RIP
    network 172.12.0.0
    no auto-summary
    !
    !
    !
    ip http server
    no ip http secure-server
    !
    !
    !
    !
    route-map RIP2OSPF deny 10
    match tag 110
    !
    route-map RIP2OSPF permit 20
    set tag 120
    !
    route-map RIP2OSPF permit 30
    !
    route-map OSPF2RIP deny 10
    match tag 120
    !
    route-map OSPF2RIP permit 20
    set tag 110
    !
    route-map OSPF2RIP permit 30
    !
    !
    !
    control-plane
    !
    !
    !
    !
    R2#

    R3

    R3#sh run
    Building configuration...

    Current configuration : 1815 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$SXwL$OaxGz0gO9kDYvJd7nr3Qn.
    !
    no aaa new-model
    !
    resource policy
    !
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    controller T1 0/0
    framing sf
    linecode ami
    !
    controller T1 0/1
    framing sf
    linecode ami
    !
    !
    !
    !
    !
    !
    interface Tunnel2
    ip address 10.1.1.6 255.255.255.252
    tunnel source 172.12.123.3
    tunnel destination 172.12.123.1

    !
    interface Loopback3
    ip address 3.3.3.3 255.255.255.255
    !
    interface Loopback33
    ip address 33.3.3.3 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 172.12.23.3 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.12.34.3 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/2
    ip address 172.12.123.3 255.255.255.0
    encapsulation frame-relay
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 CCNP
    ip ospf priority 0
    frame-relay map ip 172.12.123.1 321 broadcast
    frame-relay map ip 172.12.123.2 321
    no frame-relay inverse-arp
    !
    interface Serial0/3
    no ip address
    shutdown
    !
    router ospf 1
    log-adjacency-changes
    network 3.3.3.3 0.0.0.0 area 3
    network 33.3.3.0 0.0.0.255 area 0
    network 172.12.34.0 0.0.0.255 area 34
    network 172.12.123.0 0.0.0.255 area 0
    distribute-list 2 in
    !
    router rip
    version 2
    network 172.12.0.0
    no auto-summary
    !
    !
    !
    ip http server
    no ip http secure-server
    !
    access-list 2 deny 2.2.2.2
    access-list 2 permit any
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    line aux 0
    line vty 0 4
    password CCNP
    logging synchronous
    login
    !
    !
    end

    R3#


    I've created different tunnel interfaces for R1-R2 and R1-R3 in case for some reason R2's redistribution was goofing something up, however it is not represented in my crappy Paint Topology of what is going on.

    Thank you for reviewing to anyone with input, this topic seems so easy I cannot believe how hard I'm struggling with it, in most of the explanations I saw mentions of using static routes and am wondering if using a dynamic routing protocol is my issue?

    Everything has Layer 3 connectivity via ping, however I cannot get a traceroute to hop over that tunnel rather than across the NBMA router interfaces.

    Any ideas are appreciated, I'd just like to know the practical real-world application of this setup more than for ROUTE, however it of course applies to ROUTE inherently.

    Again, big thanks to anyone with an ideas!
  • ande0255ande0255 Banned Posts: 1,178
    So I passed out in my recliner as per usual on Friday nights, and I woke up thinking I used mGRE in DMVPN so I looked at those notes, but the underlay address is just as posted above along with the Overlay being the 10.x network.

    So after a ton of debugging and googling, it seems the issue was a recursive route lookup, which is fixed by keeping your GRE tunnels separate from your dynamic routing protocols cited here:

    https://supportforums.cisco.com/document/27496/tunnel-interface-down-due-recursive-routing-user-receives-tun-recurdown-interface

    I tried removing the networks from OSPF and making static routes, I tried adding the Overlay addresses to the destination Area in router configuration, I am seeing all these debug hits but it is not showing a single hop over a tunnel:


    R2(config)#
    *Mar 30 23:40:16.133: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
    R2(config)#
    R2(config)#
    *Mar 30 23:40:26.134: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
    R2(config)#
    *Mar 30 23:40:36.134: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
    R2(config)#
    *Mar 30 23:40:46.135: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
    R2(config)#
    ASR#1
    [Resuming connection 1 to r1 ... ]

    *Apr 29 11:21:51.671: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=100)
    *Apr 29 11:21:51.671: Tunnel1 count tx, adding 0 encap bytes
    R1(config-router)#
    *Apr 29 11:21:58.827: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=124)
    *Apr 29 11:21:58.827: Tunnel1 count tx, adding 0 encap bytes
    R1(config-router)#
    *Apr 29 11:24:46.995: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=124)
    *Apr 29 11:24:46.995: Tunnel1 count tx, adding 0 encap bytes
    R1(config-router)#
    *Apr 29 11:24:48.999: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=124)
    *Apr 29 11:24:49.003: Tunnel1 count tx, adding 0 encap bytes
    R1(config-router)#
    *Apr 29 11:24:50.483: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=100)

    I am struggling so hard to understand this, it seems like no matter what I do, it will appear to work but the traceroute shows it hops through the WAN and not over a tunnel.

    So far I've changed source int to the 172.12.15.0 /24 interface on R1 and the 172.12.23.0 /24 network on R2, put their virtual network numbers in OSPF, removed the Areas from OSPF and tried static routes, the best I've gotten so far is the above output where it doesn't throw a recursive lookup error.

    This sucks :\

    Tried to be clever and try this but it obviously fails per the output:


    R1(config)#ip route 172.12.23.0 255.255.255.0 10.1.1.2
    R1(config)#
    *Apr 29 11:29:53.683: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=100)
    *Apr 29 11:29:53.683: Tunnel1 count tx, adding 0 encap bytes
    R1(config)#
    ASR#2
    [Resuming connection 2 to r2 ... ]


    R2(config)#ip route 172.12.15.0 255.255.255.0 10.1.1.1
    R2(config)#
    *Mar 30 23:46:24.261: Tunnel1: 1-level recursive routing detected
    R2(config)#
    *Mar 30 23:46:24.261: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
    *Mar 30 23:46:25.262: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
  • DCDDCD Member Posts: 473 ■■■■□□□□□□
    You need to filter the remote side so it not to included in the routing. Not sure where you are using the static routes but you don't need them for the tunnel. If you have this in packet tracer put a link to it from Dropbox or GDrive.
  • ande0255ande0255 Banned Posts: 1,178
    How do you mean you shouldn't need static routes?

    I actually took a step back and did a "wr er" on all routers to start fresh, and using the same topology above, only did tunnel configs between R2 and R3.

    Once I put in a static route like on R2 for example "ip route 172.12.34.0 255.255.255.0 tu0" and did a traceroute I got this:

    R2#traceroute 172.12.34.3

    Type escape sequence to abort.
    Tracing the route to 172.12.34.3

    1 10.1.1.3 104 msec * 92 msec


    So I am happy to even get that far with this using plain old GRE as there is a lot of non-trainer led material out there for it, but it doesn't make a lot of sense most of the time.

    If you have some way for OSPF routes to take Tunnel0 interface I'd appreciate the knowledge, right now I just want to familarize myself with how GRE over IPSec works for my job and the sake of knowledge more than for ROUTE, and it has burned up most of my weekend researching the topic of GRE among other things.
  • ande0255ande0255 Banned Posts: 1,178
    I got this figured out, after a weekend of research and missing the details because I have been so mentally exhausted from life, then trying to grind on some studying into the AM.

    I realize now why a distribute-list is key if the route / network is needed to propagate the route to other routers in the network, I was initially going about configuring this completely wrong at first, as I was doing the entire GRE setup (which is okay) but then an entire IPSec setup (which will introduce issues) and trying to marry those two together.

    Also my static routing was wrong, the exit interface shouldn't have been the tunnel interface itself, but the remote peers GRE tunnel IP's so like "ip route 172.12.34.0 255.255.255.0 10.1.1.2" - But it wouldn't have mattered because the config was already messed up from too much IPSec config to make it work correctly.

    Lots of lessons learned on this one, glad I decided to tackle it, and barely kept in there through to the end - Thank you for your help!
  • DCDDCD Member Posts: 473 ■■■■□□□□□□
    Great that you got it fixed.
Sign In or Register to comment.