In order to better understand how the tunnel keepalive mechanism works, consider this example tunnel topology and configuration: Router A interface loopback 0 ip address With the assumption that there is a way to reach the far end tunnel endpoint and the tunnel line protocol is not down due to other reasons, the packet arrives on Router B.
It is then matched against Tunnel 0, becomes decapsulated, and is forwarded to the destination IP, which is the tunnel source IP address on Router A. This signifies that this is a keepalive packet. The tunnel keepalive counter is then reset to 0 and the packet is discarded.

Sample debugs from Router A:

debug tunnel keepalive
Tunnel keepalive debugging is on

RPF packet drops can be observed in the show ip traffic output as follows:

Router#show ip traffic | section Drop
Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
      0 no route, unicast RPF, 0 forced drop
      0 options denied

As a result, the initiator of the tunnel keepalives will bring down the tunnel due to missed keepalive return packets.
When a crypto map is used, it is applied to the outbound physical interface(s) for the GRE tunnel packets. In this case, the sequence of steps is as follows:

1. Encrypted packet reaches the physical interface.
2. Packet is decrypted and forwarded to the tunnel interface.
3. Packet is decapsulated and then forwarded to the IP destination in clear text.

The other way is to use tunnel protection. When tunnel protection is used, it is configured on the GRE tunnel interface. In this case, the sequence of steps is as follows:

1. Encrypted packet reaches the physical interface.
2. Packet is forwarded to the tunnel interface.
3. Packet is decrypted and decapsulated and then forwarded to the IP destination in clear text.

There are two key differences between when you use a crypto map and when you use tunnel protection:

- The IPsec crypto map is tied to the physical interface and is checked as packets are forwarded out the physical interface.
- Tunnel protection ties the encryption functionality to the GRE tunnel and is checked after the packet is GRE encapsulated but before the packet is handed to the physical interface.

Peer A has crypto map configured on the physical interface while Peer B has tunnel protection configured on the tunnel interface.
Both Peers have tunnel protection configured on the tunnel interface.

Peer B uses Crypto Maps. Keepalives are enabled on Peer B. IPsec encryption is done in tunnel mode.

In this scenario, since the GRE keepalives are configured on Peer B, the sequence of events when a keepalive is generated is as follows: Peer B generates a keepalive packet which is GRE encapsulated and then forwarded to the physical interface where it is encrypted and sent on to the tunnel destination, Peer A.

That means on Peer A, the packet is immediately routed back out the physical interface to Peer B. Since Peer A uses tunnel protection on the tunnel interface, the keepalive packet is not encrypted.

Peer B now receives a GRE keepalive response which is not encrypted on its physical interface, but because of the crypto map configured on the physical interface, it expects an encrypted packet and so drops it.
Peer B uses Tunnel Protection.

In this scenario, since the GRE keepalives are configured on Peer B, the sequence of events when a keepalive is generated is as follows: Peer B generates a keepalive packet which is GRE encapsulated and then encrypted by the tunnel protection on the tunnel interface and then forwarded to the physical interface. Since Peer A uses crypto maps on the physical interface, it will first encrypt this packet before it forwards it on.

Result: Keepalives enabled on Peer B successfully determine what the tunnel state should be based on the availability of the tunnel destination.

Since this type of configuration is mostly used in hub-and-spoke setups and because in such setups it is more important for the spoke to be aware of the hub's reachability, the solution is to use a dynamic crypto map on the hub (Peer A) and tunnel protection on the spoke (Peer B) and enable GRE keepalives on the spoke.
This way, although the GRE tunnel interface on the hub remains up, the routing neighbor and the routes through the tunnel are lost and the alternate route can be established. On the spoke, the fact that the tunnel interface went down can trigger it to bring up a dialer interface and call back to the hub (or another router at the hub), then establish a new connection.

Use something other than GRE keepalives in order to determine peer reachability.
If both routers are configured with tunnel protection, then GRE tunnel keepalives cannot be used in either direction. In this case, the only option is to use the routing protocol or other mechanism, such as the Service Assurance Agent, in order to discover if the peer is reachable or not.

Use crypto maps on Peer A and Peer B.
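The keepalive outcomes described above follow from where each peer applies IPsec, which a small packet-path model makes visible. This is an added example, not code from the original document or from any router software; the Peer class, the run helper, the retry threshold of 3 and the addresses are assumptions made for illustration, and the model assumes the initiator drops any clear-text reply.

```python
"""Constructed model of GRE keepalives over IPsec; not vendor code."""
CRYPTO_MAP, TUNNEL_PROTECTION = "crypto map", "tunnel protection"


class Peer:
    def __init__(self, addr, mode, retries=3):  # retries: assumed threshold
        self.addr, self.mode, self.retries = addr, mode, retries
        self.missed, self.state = 0, "up"

    def physical_egress(self, pkt):
        """A crypto map is checked as packets leave the physical interface."""
        if self.mode == CRYPTO_MAP:
            pkt["esp"] = True
        return pkt

    def tunnel_egress(self, inner, dst):
        """GRE-encapsulate; tunnel protection encrypts before the hand-off."""
        outer = {"src": self.addr, "dst": dst, "payload": inner,
                 "esp": self.mode == TUNNEL_PROTECTION}
        return self.physical_egress(outer)

    def reflect(self, wire):
        """Decrypt and decapsulate, then route the inner packet back.
        The inner packet leaves through the physical interface only; it
        never passes through tunnel_egress on the reflecting peer.
        """
        assert wire["esp"], "keepalive must arrive encrypted"
        return self.physical_egress(dict(wire["payload"]))

    def keepalive(self, peer):
        """Send one keepalive via peer; return True if the reply is accepted."""
        # Inner packet is addressed back to our own tunnel source;
        # GRE protocol type 0 marks it as a keepalive.
        inner = {"src": peer.addr, "dst": self.addr, "gre_proto": 0, "esp": False}
        back = peer.reflect(self.tunnel_egress(inner, peer.addr))
        # Modelling assumption: a clear-text reply is dropped by the initiator.
        self.missed = 0 if back["esp"] else self.missed + 1
        self.state = "down" if self.missed >= self.retries else "up"
        return back["esp"]


def run(mode_a, mode_b, rounds=3):
    """Peer B sends keepalives to Peer A; return Peer B's tunnel state."""
    a = Peer("192.0.2.1", mode_a)       # constructed documentation addresses
    b = Peer("198.51.100.2", mode_b)
    for _ in range(rounds):
        b.keepalive(a)
    return b.state
```

Calling run(mode_a, mode_b) for each of the four combinations shows that the result depends only on whether the reflecting peer uses a crypto map.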