GRE Tunnel configuration issues? Is that even possible? HAVE I LOST MY MIND???
I am somehow having issues with configuring a simple GRE tunnel, and wanted input from the TE experts in this forum.
So I have the basic NBMA running OSPF between R1 / R2 / R3 on 172.12.123.0 /24 network (R1 = .1, R2 = .2, etc)
So on R1:
int tunnel1
ip add 10.1.1.1 255.255.255.252
tunnel source 172.12.123.1
tunnel dest 172.12.123.3
On R3:
int tunnel1
ip add 10.1.1.3 255.255.255.252
tunnel source 172.12.123.3
tunnel dest 172.12.123.1
I am able to ping and traceroute just fine between R1's networks and R3's, however the traceroute shows it is not taking the tunnel, and I am wondering if there is a behavior that might cause this to happen or if I am misinterpreting the several videos I've watched on this setup?
Every explanation is as easy as above, I am wondering if my configs are incorrect or if it requires static IP addresses? I've watched several YouTube videos, reviewed Cisco support forums that show that should be the correct config but I cannot get it working and it is driving me mad
Any input appreciated!
Comments
-
DCD Member Posts: 475
Need the output of Show IP interface brief on all three routers. Better yet, all three routers' configurations. Your IP scheme does not work for your routers the way you are showing it.
"So I have the basic NBMA running OSPF between R1 / R2 / R3 on 172.12.123.0 /24 network (R1 = .1, R2 = .2, etc)
So on R1:
int tunnel1
ip add 10.1.1.1 255.255.255.252
tunnel source 172.12.123.1
tunnel dest 172.12.123.3
On R3:
int tunnel1
ip add 10.1.1.3 255.255.255.252
tunnel source 172.12.123.3
tunnel dest 172.12.123.1"
-
ande0255 Banned Posts: 1,178
This was the original idea, as I've had success building an IPSec tunnel over a similar topology, though I tried R3 because there is no redistribution / route-tagging involved (so a tunnel is not shown in my crappy Topology from R1 to R3), and still got the same results.
Here is the output from R1 / R2 / R3 (I have added two tunnel interfaces at this point on R1 to create point to point tunnels to R2 and R3):
R1
R1#sh run
Building configuration...
Current configuration : 2648 bytes
!
! Last configuration change at 06:44:59 UTC Sat Apr 29 2017
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$yVi1$SQ5NqI28RILEABWBtclSc0
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO1841 sn FTX1210Z0AE
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback11
ip address 11.1.1.1 255.255.255.0
!
interface Loopback101
ip address 100.1.0.1 255.255.0.0
!
interface Loopback102
ip address 100.2.0.1 255.255.0.0
!
interface Loopback103
ip address 100.3.0.1 255.255.0.0
!
interface Loopback104
ip address 100.4.0.1 255.255.0.0
!
interface Loopback105
ip address 100.5.0.1 255.255.0.0
!
interface Loopback106
ip address 100.6.0.1 255.255.0.0
!
interface Loopback107
ip address 100.7.0.1 255.255.0.0
!
interface Tunnel1
ip address 10.1.1.1 255.255.255.252
tunnel source 172.12.123.1
tunnel destination 172.12.123.2
!
interface Tunnel2
ip address 10.1.1.5 255.255.255.252
tunnel source 172.12.123.1
tunnel destination 172.12.123.3
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.12.15.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.12.123.1 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNP
frame-relay map ip 172.12.123.3 123 broadcast
frame-relay map ip 172.12.123.2 122 broadcast
no frame-relay inverse-arp
frame-relay lmi-type cisco
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
router ospf 1
log-adjacency-changes
area 100 range 100.0.0.0 255.248.0.0
network 1.1.1.1 0.0.0.0 area 1
network 11.1.1.0 0.0.0.255 area 0
network 100.1.0.0 0.0.255.255 area 100
network 100.2.0.0 0.0.255.255 area 100
network 100.3.0.0 0.0.255.255 area 100
network 100.4.0.0 0.0.255.255 area 100
network 100.5.0.0 0.0.255.255 area 100
network 100.6.0.0 0.0.255.255 area 100
network 100.7.0.0 0.0.255.255 area 100
network 172.12.15.0 0.0.0.255 area 15
network 172.12.123.0 0.0.0.255 area 0
neighbor 172.12.123.2
neighbor 172.12.123.3
default-information originate always
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password CCNP
logging synchronous
login
transport input all
!
scheduler allocate 20000 1000
end
R1#
R2
R2#sh run
Building configuration...
Current configuration : 2099 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$3s2u$dmZAt64T7v6LHrqqmY8GN0
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
ip address 10.1.1.2 255.255.255.252
tunnel source 172.12.123.2
tunnel destination 172.12.123.1
!
interface Loopback2
ip address 2.2.2.2 255.255.255.255
!
interface Loopback22
ip address 22.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 172.12.23.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 172.12.123.2 255.255.255.0
encapsulation frame-relay
ip ospf message-digest-key 1 md5 CCNP
ip ospf priority 0
frame-relay map ip 172.12.123.3 221
frame-relay map ip 172.12.123.1 221 broadcast
no frame-relay inverse-arp
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
redistribute rip metric-type 1 subnets route-map RIP2OSPF
network 2.2.2.2 0.0.0.0 area 2
network 22.2.2.0 0.0.0.255 area 0
network 172.12.123.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 1 metric 1 route-map OSPF2RIP
network 172.12.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
!
!
!
route-map RIP2OSPF deny 10
match tag 110
!
route-map RIP2OSPF permit 20
set tag 120
!
route-map RIP2OSPF permit 30
!
route-map OSPF2RIP deny 10
match tag 120
!
route-map OSPF2RIP permit 20
set tag 110
!
route-map OSPF2RIP permit 30
!
!
!
control-plane
!
!
!
!
R2#
R3
R3#sh run
Building configuration...
Current configuration : 1815 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SXwL$OaxGz0gO9kDYvJd7nr3Qn.
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 0/0
framing sf
linecode ami
!
controller T1 0/1
framing sf
linecode ami
!
!
!
!
!
!
interface Tunnel2
ip address 10.1.1.6 255.255.255.252
tunnel source 172.12.123.3
tunnel destination 172.12.123.1
!
interface Loopback3
ip address 3.3.3.3 255.255.255.255
!
interface Loopback33
ip address 33.3.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 172.12.23.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.12.34.3 255.255.255.0
duplex auto
speed auto
!
interface Serial0/2
ip address 172.12.123.3 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNP
ip ospf priority 0
frame-relay map ip 172.12.123.1 321 broadcast
frame-relay map ip 172.12.123.2 321
no frame-relay inverse-arp
!
interface Serial0/3
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 3
network 33.3.3.0 0.0.0.255 area 0
network 172.12.34.0 0.0.0.255 area 34
network 172.12.123.0 0.0.0.255 area 0
distribute-list 2 in
!
router rip
version 2
network 172.12.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
access-list 2 deny 2.2.2.2
access-list 2 permit any
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password CCNP
logging synchronous
login
!
!
end
R3#
I've created different tunnel interfaces for R1-R2 and R1-R3 in case for some reason R2's redistribution was goofing something up, however it is not represented in my crappy Paint Topology of what is going on.
Thank you for reviewing to anyone with input, this topic seems so easy I cannot believe how hard I'm struggling with it, in most of the explanations I saw mentions of using static routes and am wondering if using a dynamic routing protocol is my issue?
Everything has Layer 3 connectivity via ping, however I cannot get a traceroute to hop over that tunnel rather than across the NBMA router interfaces.
Any ideas are appreciated, I'd just like to know the practical real-world application of this setup more than for ROUTE, however it of course applies to ROUTE inherently.
Again, big thanks to anyone with ideas!
-
ande0255 Banned Posts: 1,178
So I passed out in my recliner as per usual on Friday nights, and I woke up thinking I used mGRE in DMVPN so I looked at those notes, but the underlay address is just as posted above along with the Overlay being the 10.x network.
So after a ton of debugging and googling, it seems the issue was a recursive route lookup, which is fixed by keeping your GRE tunnels separate from your dynamic routing protocols cited here:
https://supportforums.cisco.com/document/27496/tunnel-interface-down-due-recursive-routing-user-receives-tun-recurdown-interface
I tried removing the networks from OSPF and making static routes, I tried adding the Overlay addresses to the destination Area in router configuration, I am seeing all these debug hits but it is not showing a single hop over a tunnel:
R2(config)#
*Mar 30 23:40:16.133: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
R2(config)#
R2(config)#
*Mar 30 23:40:26.134: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
R2(config)#
*Mar 30 23:40:36.134: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
R2(config)#
*Mar 30 23:40:46.135: Tunnel1: GRE/IP encapsulated 172.12.23.2->172.12.15.1 (linktype=7, len=100)
R2(config)#
ASR#1
[Resuming connection 1 to r1 ... ]
*Apr 29 11:21:51.671: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=100)
*Apr 29 11:21:51.671: Tunnel1 count tx, adding 0 encap bytes
R1(config-router)#
*Apr 29 11:21:58.827: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=124)
*Apr 29 11:21:58.827: Tunnel1 count tx, adding 0 encap bytes
R1(config-router)#
*Apr 29 11:24:46.995: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=124)
*Apr 29 11:24:46.995: Tunnel1 count tx, adding 0 encap bytes
R1(config-router)#
*Apr 29 11:24:48.999: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=124)
*Apr 29 11:24:49.003: Tunnel1 count tx, adding 0 encap bytes
R1(config-router)#
*Apr 29 11:24:50.483: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=100)
I am struggling so hard to understand this, it seems like no matter what I do, it will appear to work but the traceroute shows it hops through the WAN and not over a tunnel.
So far I've changed source int to the 172.12.15.0 /24 interface on R1 and the 172.12.23.0 /24 network on R2, put their virtual network numbers in OSPF, removed the Areas from OSPF and tried static routes, the best I've gotten so far is the above output where it doesn't throw a recursive lookup error.
This sucks
Tried to be clever and try this but it obviously fails per the output:
R1(config)#ip route 172.12.23.0 255.255.255.0 10.1.1.2
R1(config)#
*Apr 29 11:29:53.683: Tunnel1: GRE/IP encapsulated 172.12.15.1->172.12.123.2 (linktype=7, len=100)
*Apr 29 11:29:53.683: Tunnel1 count tx, adding 0 encap bytes
R1(config)#
ASR#2
[Resuming connection 2 to r2 ... ]
R2(config)#ip route 172.12.15.0 255.255.255.0 10.1.1.1
R2(config)#
*Mar 30 23:46:24.261: Tunnel1: 1-level recursive routing detected
R2(config)#
*Mar 30 23:46:24.261: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
*Mar 30 23:46:25.262: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
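The %TUN-5-RECURDOWN condition logged on R2 above, modelled as an added example (not part of the thread and not Cisco's code): a longest-prefix lookup that checks whether the GRE outer destination resolves back through the tunnel itself. The route tables are constructed from addresses in the posts, with R2's tunnel destination 172.12.15.1 taken from its debug lines; the "before" route for 172.12.15.0/24 via 172.12.123.1 is an assumption.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop, out_if) tuples."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def resolve_interface(routes, dst, max_depth=8):
    """Follow next hops until a route with an exit interface is reached."""
    for _ in range(max_depth):
        hit = lookup(routes, dst)
        if hit is None:
            return None              # no route to the destination
        _prefix, next_hop, out_if = hit
        if out_if is not None:
            return out_if            # connected route: resolution ends here
        dst = next_hop               # recurse on the next hop
    return None

def tunnel_is_recursive(routes, tunnel_if, tunnel_dest):
    """True when the GRE outer destination is reached through the tunnel itself."""
    return resolve_interface(routes, tunnel_dest) == tunnel_if

# Constructed tables; connected routes carry an interface, others a next hop.
R2_CONNECTED = [
    ("10.1.1.0/30", None, "Tunnel1"),
    ("172.12.123.0/24", None, "Serial0/0"),
    ("172.12.23.0/24", None, "FastEthernet0/0"),
]
# Assumed state before the static route: 172.12.15.0/24 learned via R1's serial address.
R2_BEFORE = R2_CONNECTED + [("172.12.15.0/24", "172.12.123.1", None)]
# After "ip route 172.12.15.0 255.255.255.0 10.1.1.1" the static route wins that prefix.
R2_AFTER = R2_CONNECTED + [("172.12.15.0/24", "10.1.1.1", None)]
# R1 keeps tunnel destination 172.12.123.2, which is directly connected.
R1 = [
    ("10.1.1.0/30", None, "Tunnel1"),
    ("172.12.123.0/24", None, "Serial0/0/0"),
    ("172.12.15.0/24", None, "FastEthernet0/1"),
    ("172.12.23.0/24", "10.1.1.2", None),
]

if __name__ == "__main__":
    for name, table, dest in [("R2 before", R2_BEFORE, "172.12.15.1"),
                              ("R2 after", R2_AFTER, "172.12.15.1"),
                              ("R1", R1, "172.12.123.2")]:
        print(name, "recursive:", tunnel_is_recursive(table, "Tunnel1", dest))
```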
-
DCD Member Posts: 475
You need to filter the remote side so it is not included in the routing. Not sure where you are using the static routes but you don't need them for the tunnel. If you have this in packet tracer put a link to it from Dropbox or GDrive.
-
ande0255 Banned Posts: 1,178
How do you mean you shouldn't need static routes?
I actually took a step back and did a "wr er" on all routers to start fresh, and using the same topology above, only did tunnel configs between R2 and R3.
Once I put in a static route like on R2 for example "ip route 172.12.34.0 255.255.255.0 tu0" and did a traceroute I got this:
R2#traceroute 172.12.34.3
Type escape sequence to abort.
Tracing the route to 172.12.34.3
1 10.1.1.3 104 msec * 92 msec
So I am happy to even get that far with this using plain old GRE as there is a lot of non-trainer led material out there for it, but it doesn't make a lot of sense most of the time.
If you have some way for OSPF routes to take Tunnel0 interface I'd appreciate the knowledge, right now I just want to familiarize myself with how GRE over IPSec works for my job and the sake of knowledge more than for ROUTE, and it has burned up most of my weekend researching the topic of GRE among other things.
-
ande0255 Banned Posts: 1,178
I got this figured out, after a weekend of research and missing the details because I have been so mentally exhausted from life, then trying to grind on some studying into the AM.
I realize now why a distribute-list is key if the route / network is needed to propagate the route to other routers in the network, I was initially going about configuring this completely wrong at first, as I was doing the entire GRE setup (which is okay) but then an entire IPSec setup (which will introduce issues) and trying to marry those two together.
Also my static routing was wrong, the exit interface shouldn't have been the tunnel interface itself, but the remote peer's GRE tunnel IPs so like "ip route 172.12.34.0 255.255.255.0 10.1.1.2" - But it wouldn't have mattered because the config was already messed up from too much IPSec config to make it work correctly.
Lots of lessons learned on this one, glad I decided to tackle it, and barely kept in there through to the end - Thank you for your help!