Troubleshooting Steps
You can run the debug tunnel command to troubleshoot GRE tunnel issues. It is strongly recommended to confirm that the GRE tunnel comes up over plain IP before you turn on IPsec for it. While working with GRE over IPsec, remember the following points:
- If you are running an IOS version earlier than 12.2(13)T, you need to apply the crypto map to both the tunnel interface and the physical interface so that the switching path correctly invokes IPsec. Beginning with IOS Version 12.2(13)T, or 12.3 and later, the configured IPsec crypto map needs to be applied to the physical interface only and is no longer required on the GRE tunnel interface. You can still apply the crypto map to both the physical and the tunnel interface, but it is strongly recommended to apply it to the physical interface only.
- Specify GRE traffic as the IPsec interesting traffic. On the Dhaka router, the interesting traffic for the GRE tunnel should be defined with the following access list:
  Dhaka(config)# access-list 101 permit gre host 20.1.1.1 host 30.1.1.1
  Make sure that the source and destination addresses are the source and destination addresses of the GRE tunnel interface. In this case, the source is 20.1.1.1, which is the IP address of the actual physical interface, and the destination is the remote peer IP address, 30.1.1.1.
- A static or dynamic routing protocol must be configured for the remote private network, pointing to the tunnel interface as the next hop. The GRE tunnel should then be encrypted by the IPsec tunnel.
- Take appropriate precautions to avoid the recursive routing problem; otherwise, the tunnel interface will flap (go up and down). This situation arises when, based on the routing table, the router sends the GRE packets to its own tunnel interface instead of to the physical interface. The message you get on the router is as follows:
  Tunnel0 temporarily disabled due to recursive routing.
  Keep the following list in mind to avoid the recursive routing loop:
  - Use different routing protocols, or separate routing protocol identifiers, for GRE traffic and actual traffic.
  - Keep the tunnel IP address range and the actual IP network address ranges distinct.
  - For the tunnel interface IP address, do not use an unnumbered address taken from a loopback interface when the loopback's IP address resides in the ISP address space.
  - Use static routes for the endpoints of the GRE tunnel interfaces.
  - Use route filtering so that the router does not point to the tunnel interface for its own routes.
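To check for the recursive routing condition described above before it takes Tunnel0 down, here is an added Python example (not from the original text) that performs an IOS-style longest-prefix lookup on a constructed routing table and reports whether the GRE tunnel destination 30.1.1.1 resolves out the tunnel interface itself. The next hop 20.1.1.2, the interface name Serial0/0 and the remote network 192.168.2.0/24 are assumptions.

```python
import ipaddress

# Route entries are (prefix, next_hop, outgoing_interface). An entry with a
# next hop but no interface needs a recursive lookup, as IOS performs it.
# Constructed tables for the Dhaka router (not from the original text): the
# remote site advertises its physical network 30.1.1.0/24 over the tunnel.
RECURSIVE_TABLE = [
    ("0.0.0.0/0", "20.1.1.2", None),       # default via ISP next hop (assumed)
    ("20.1.1.0/24", None, "Serial0/0"),    # connected physical interface (assumed name)
    ("192.168.2.0/24", None, "Tunnel0"),   # remote private network via the GRE tunnel
    ("30.1.1.0/24", None, "Tunnel0"),      # the problem: tunnel endpoint learned via tunnel
]

# Same table plus a static host route for the tunnel endpoint via the physical path.
FIXED_TABLE = RECURSIVE_TABLE + [("30.1.1.1/32", "20.1.1.2", None)]

def longest_match(routes, dst):
    """Return the most specific (network, next_hop, iface) entry covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best

def resolve_interface(routes, dst, max_depth=8):
    """Follow next hops until an outgoing interface is found (recursive lookup)."""
    seen = set()
    for _ in range(max_depth):
        entry = longest_match(routes, dst)
        if entry is None:
            return None
        _, nh, iface = entry
        if iface is not None:
            return iface
        if nh in seen:          # next-hop loop: no usable interface
            return None
        seen.add(nh)
        dst = nh
    return None

def tunnel_is_recursive(routes, tunnel_iface, tunnel_dest):
    """True when the tunnel destination is reached through the tunnel itself,
    the condition behind 'temporarily disabled due to recursive routing'."""
    return resolve_interface(routes, tunnel_dest) == tunnel_iface

if __name__ == "__main__":
    for name, table in (("recursive", RECURSIVE_TABLE), ("fixed", FIXED_TABLE)):
        print(name, resolve_interface(table, "30.1.1.1"),
              tunnel_is_recursive(table, "Tunnel0", "30.1.1.1"))
```

The static /32 for the tunnel endpoint wins the longest-prefix match, which is why the list above recommends static routes for the GRE endpoints.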