Cisco – Stuck at GRE troubleshooting with recursive route

ciscogreroutingtunnel

As with my last question, I am learning for my CCNA exam and currently I am bashing my head against the wall, while trying to solve "7.2.2.4 Troubleshooting GRE"

I'll explain the topology in a second. First let me document, which steps I have taken so far:

RA's Ip addresses on t0 and G0/0 were switched. I corrected them
RA's tunnel 0 interface had the wrong source and destination addresses. I set them to s:172.31.0.1 d: 192.168.1.1

Now, on RB theres this message:

 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
 %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of 0 65E900C0 - looped chain attempting to stack
 %TUN-5-RECURDOWN: 0 temporarily disabled due to recursive routing

Topology:

GRE topology

Every IP address/network address as shown on the image is correct.

This is show interface tunnel 0 on RA:

Tunnel0 is up, line protocol is up (connected)
  Hardware is Tunnel
  Internet address is 192.168.1.1/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.31.0.1 (GigabitEthernet0/0), destination 192.168.1.2
  Tunnel protocol/transport GRE/IP

Show interface tunnel 0 on RB:

Tunnel0 is up, line protocol is up (connected)
  Hardware is Tunnel
  Internet address is 192.168.1.1/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.31.0.1 (GigabitEthernet0/0), destination 192.168.1.2
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled

Show ip route on RA:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.31.0.0/24 is directly connected, GigabitEthernet0/0
L       172.31.0.1/32 is directly connected, GigabitEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/30 is directly connected, Tunnel0
L       192.168.1.1/32 is directly connected, Tunnel0
     209.165.122.0/24 is variably subnetted, 2 subnets, 2 masks
C       209.165.122.0/30 is directly connected, Serial0/0/0
L       209.165.122.2/32 is directly connected, Serial0/0/0
S*   0.0.0.0/0 is directly connected, Serial0/0/0

Show ip route on RB:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     64.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       64.103.211.0/30 is directly connected, Serial0/0/0
L       64.103.211.2/32 is directly connected, Serial0/0/0
     172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.31.1.0/24 is directly connected, GigabitEthernet0/0
L       172.31.1.1/32 is directly connected, GigabitEthernet0/0
     192.168.1.0/32 is subnetted, 1 subnets
L       192.168.1.2/32 is directly connected, Tunnel0
S*   0.0.0.0/0 is directly connected, Serial0/0/0

Please help me understand this error by explaining what I am missing here and how to resolve this.

Kind regards.

**//EDIT: ** The task which needs to be fullfilled is that traffic from the 172.31.x.x networks on both sides needs to be tunneled.

//EDIT2: As it turns out Iw as talking Bullsh**. Here are the steps taken so far:

RA's Ip addresses on t0 and G0/0 were switched. I corrected them
RA's tunnel 0 interface had the wrong source and destination addresses. I set them to s:172.31.0.1 d: 192.168.1.1
Changed Source address of tunnel 0 on RA to 172.31.0.1
Changed Destination address of tunnel 0 on RB to 209.165.122.2
copy run start on RB and then reload
Tunnel 0 on RB is now up and connected.

//EDIT3:

I finally worked it out. I went back in my curriculum to an earlier task, which did guide me through the whole configuration task.

The source on both routers for the tunnel is the S0/0/0 interface and the destination is the other routers S0/0/0 interface IP address.
This is highly counter intuitive, since in my head I was under the impression, the source is the traffic form the local LANs (the 172 interfaces), since the traffic from there needs to be tunneled.

Just for good measure I added 2 static routes for both routers, to make sure the packets get routed this way in case OSPF / EIGRP or RIP think otherwise.

I have upvoted both answers, but accepted Ron's, since he answered first with a correct set up.

Best Answer

Serv,

Your tunnel source and destination addresses are wrong. They should be 209.165.122.2 and 64.103.211.2 on RA and the opposite on RB.

There are many different ways to explain this, but essentially, the route to the tunnel endpoint cannot be through the tunnel. In your case, in order to send a packet (from RA) to 192.168.1.2, RA has to encapsulate it in a GRE packet and then send it to the tunnel destination. But the route to the tunnel destination is through the tunnel itself. that is not allowed because you would be infinitely encapsulating the packet.

Another explanation (metaphor):

Think of a bridge being built across a river. the bridge engineers need to know where on each side of the river to put the bridge. Once they have built the bridge, you can route people to use the bridge to get to the other side. But that is separate from where the bridge has to be built.

The bridge (tunnel) is built from RA's s0/0/0 interface to RB s0/0/0. Once the tunnel is up, you can then route traffic from 172.31.x.x through the tunnel. In other words, building the tunnel is separate from routing traffic through the tunnel.

Related Solutions

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

You're right, you wouldn't really see the burstiness easily on SNMP. 1GE can send 1.48Mpps, so it takes very very little time to congest the the 45Mbps, which can handle less than 75kpps.

If your ingress is 1GE and egress is 45Mbps, then obviously the congestion point of 45Mbps will need to drop packets. This is normal and expected. If you increase buffers you'll introduce more delay.
1GE takes 0.45ms to send 40 1500B IP frames, which is right now the amount of burst you can handle. However dequeueing them on the 45Mbps already takes 10ms.

If you don't have any acute problem, I would probably not do anything about it. But if some traffic is more eligible for dropping than other, then you should replace FIFO with class-based queueing. Say maybe you want to prioritize so that more ftp is dropped and less voip.
Then it'll also make more sense to add more buffering on the ftp traffic, as it's not really sensitive to delay.

If you want to try your luck with deeper buffers, something like this should suffice:

policy-map WAN-OUT
 class class-default
    fair-queue
    queue-limit 200 packets
!
interface Serial1/0
  service-policy output WAN-OUT

This would cause 50ms buffers on the Serial1 and would allow you to handle up-to 2.25ms burst from single Gige interface.

Cisco ASA Routing Issue

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10