Changing default route disconnecting GRE tunnels and VPN

[rpast]

Hello all,

I’ve currently got a series of GRE tunnels going between Cisco routers over Pix-terminated IPSEC VPNs. The GRE tunnels are there to enable EIGRP updates to pass, thereby allowing automatic failover of the VPNs to a secondary link. Those routers are inside the Pix firewalls. Everything is working OK (pre-failover testing) -- routing updates passing, etc. But all traffic, tunneled and not tunneled, is going over the same physical Internet link. What I’d like to do is to reroute traffic that is not going over the vpns to go over the secondary Internet link at each site instead. In other words, inside hosts browsing – and downloading from – the Internet should use the relatively dormant secondary failover link for that traffic, while the primary link is used for the mission-critical vpn to the other company facility.

To illustrate, three devices involved at each site – one Cisco 3640 on the inside, connected via Eth1 to PixA (primary link), and connected via Eth2 to PixB (secondary link). Each Pix connects to its own Internet link. For our purposes, PixB is dormant, and PixA is handling all Internet-bound traffic, tunneled or not. The 3640 has a default gateway of PixA inside interface (directly, and not through GRE tunnel). Inside hosts all have the 3640 as default gateway.

Working with just one remote site at the moment, I notice that I can enter a static route on the 3640 to a particular web site, and an inside host will be directed to that site via PixB (the secondary link), without a problem. However, when I take it a step further and change the default route on the 3640 to PixB (directly to PixB inside interface), the entire VPN to the central site comes down --neither PixA nor the 3640 can get to anything on the other side. I don’t know why this should be. Although I changed the default route, routing updates should still be advertised and sent over the primary GRE tunnel, using a specific source and destination address, connecting to the same PixA, going over the same primary link. In fact, the routing table looks exactly the same afterwards except for the changed default route. And ‘debug tunnel’ shows no errors. Also, on the Pix firewall, the vpn still shows as being intact. But all connectivity has been lost. It’s as though I need to enter some static routes on the 3640 to reinforce what EIGRP is providing.

Any suggestions would be appreciated.

 

[rpast]

...actually, 'debug tunnel' on the one router does show that the tunnels (active and inactive) are down. I'm going to try manually taking down the tunnel at the first router, and see if it comes back up.

 

[lgarner]

I did this once, but not currently. As I recall, I had to specify the EIGRP neighbor address since it wasn't truly "connected". Does your router know how to contact the neighbor when the default route changes?

 

[rpast]

Thanks for the response. It’s puzzling. When I removed the default route altogether on RouterB, RouterB’s route to RouterA via the tunnel address disappeared. When I added the new default route to RouterB, the tunnel route to RouterA came back up, and ‘debug tunnel’ showed that the tunnel was created. Throughout this time, Router A still had the route to Router B via the tunnel address. I reloaded RouterB, PixB, RouterA, and PixA – afterwards, the Pixes were reestablishing the VPN, but a ‘debug packet’ on the pixes showed unencapsulated lan to lan traffic (usually the only traffic that shows on the Pixes is between the GRE tunnel source and destination addresses). Debugging EIGRP on the routers showed that the neighbor was seen, but updates weren’t going across. I tried entering some static routes on the Pixes, as well as on the routers, as you suggested. Nothing I tried worked. Finally as I was running out of time, I put the original default route back on RouterB, and everything was fine – no reloads were necessary.
Questions that I cannot answer:
a) The Pix to Pix vpns are up – sending site-to-site traffic. On the router, a ‘debug tunnel’ output of “Tunnel0: GRE/IP encapsulated src -> dest…” seems to indicate an established tunnel. And yet I cannot ping the opposite tunnel interface or the tunnel destination addresses. Hopefully, there are other GRE debugging commands besides ‘debug tunnel’
b) Is there some other static route I need to enter on RouterB – or RouterA too – that right now is being covered by the default route going to the same device that is terminating the vpn? My hunch is that it is lan to lan traffic that is being dumped via the router default route, before the tunnel is up – because it is only lan to lan traffic and GRE src and dest address traffic that is being protected by the Pixes’ IPSEC vpn. Nothing else coming from the routers would ever get across the vpn.

Therefore, following up further on your suggestion, my next step wiil be to enter on RouterA the static route to the opposite tunnel address, as was done on RouterB, even though the Tunnel address subnet does show up as ‘Connected’. I’m also going to enter some static routes to the inside lans on the other side via the tunnel, thinking this might ‘jump start’ the tunnel.. Hopefully, I won’t have to wait till after hours again to work on this.

Thanks again for your suggestion. I’ll let you know how it works out.

 

[rpast]

OK. I just reread your response from Tuesday, lgarner. My apologies for being a fly-brain. I wasted a lot of time last night adding static routes …. Will try your suggestion tomorrow. Thanks again.

 

[rpast]

It does seem to be an EIGRP problem – I’m just unable to fix it. I’ve specified the EIGRP neighbor on both sides, but continue to get the messages below. In fact, now the tunnel won’t come up even with the old default address in there.

RouterA is sending Hellos to RouterB, but not receiving replies. RouterB is receiving Hellos from RouterA, and is also attempting EIGRP updates to RouterA. RouterB is also receiving RIP routes (configured as a test) over the tunnel from RouterA. (RouterA is receiving nothing) There is no connectivity. RouterA can ping its own Tunnel interface address. But RouterB cannot ping its own Tunnel interface address. (Oddly, I found this to be the case yesterday, even when things were working with the ‘old’ default route on RouterB.) Neither RoutetA nor RouterB can ping the other’s Tunnel ip address (same subnet)

Extraneous note that probably has no significance: The default route on RouterA is still going over its own primary link – because it is a hub for other GRE tunnels, and I’d rather not screw everyone up at one time. Splitting traffic at RouterA would be on the To Do list, if I ever get past this.

Cisco.com instructs to check Layers 1 and 2 in this situation. But other tunnels terminating on RouterA and going over PixA come right back up with a reload. And RouterB is receiving (non-functioning) RIP updates, and floating static routes are keeping us going while I figure this out. So it’s not physical

I’ve spent the whole day working on this – so now it’s time to whine.


On RouterB (where default route was changed):
Nov 12 23:45:19: EIGRP: Sending UPDATE on Tunnel0 nbr 192.168.50.1, retry 6, RTO 5000
Nov 12 23:45:19: AS 3, Flags 0x1, Seq 23/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-3
Nov 12 23:45:21: EIGRP: Sending HELLO on Tunnel0
Nov 12 23:45:21: AS 3, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 12 23:45:22: EIGRP: Received HELLO on Tunnel0 nbr 192.168.50.1
Nov 12 23:45:22: AS 3, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Nov 12 23:45:24: EIGRP: Sending UPDATE on Tunnel0 nbr 192.168.50.1, retry 7, RTO 5000
Nov 12 23:45:24: AS 3, Flags 0x1, Seq 23/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-3

On RouterA:
Nov 12 17:46:19 CDT: EIGRP: Sending HELLO on Tunnel0 nbr 192.168.50.2
Nov 12 17:46:19 CDT: AS 3, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0


RouterB#sh ip eigrp traff
IP-EIGRP Traffic Statistics for process 3
Hellos sent/received: 7754/7732
Updates sent/received: 3676/0
Queries sent/received: 0/0
Replies sent/received: 0/0
Acks sent/received: 0/0
Input queue high water mark 1, 0 drops


Thanks in advance, for any input that might help.

 

[rpast]

FYI, I ended up doing an end-around and implementing PBR to change the default route.