03-30-2016 04:36 AM - edited 03-05-2019 03:40 AM
Hi All,
I have configured a GRE over IPsec tunnel. The IPsec tunnel is configured on the internet firewall and the GRE tunnel is configured on the internal router. My IPsec tunnel is working fine, but when I enable keepalive on the GRE tunnel interface, the tunnel goes down. I am able to ping the remote side GRE tunnel destination 192.168.185.5.
Please find the attached logs
Need your help to resolve this issue.
Thanks,
Suman
03-30-2016 10:56 AM
Assuming loopback0 has IP 192.168.185.6 assigned?
How do you route to 192.168.185.5? Do you have a static route to the firewall (that would be the proper way of doing it)?
03-30-2016 08:10 PM
Yes, 192.168.185.6 is already assigned to the loopback IP.
I have added a static route on the router towards the firewall and I am able to see the keepalive packets in the firewall in both directions, but unfortunately the tunnel is not coming up.
I don't see any issue from the firewall side. I would like to confirm if there is any bug or any configuration issue on the router related to GRE.
03-31-2016 09:01 PM
Before you configure GRE keepalive, it just seems OK as the GRE tunnel is up, but how can you prove the GRE tunnel is OK? You should send some traffic over this GRE tunnel; if successful, then you can prove the GRE tunnel works as expected. Pinging the GRE tunnel destination IP address does not make sense here, as this ICMP echo request is not sent over the GRE tunnel; you should ping the IP address behind the remote GRE tunnel to make sure the ICMP message is actually sent over the GRE tunnel.
After you configure GRE keepalive, the GRE tunnel is down, so it is clear the GRE keepalive message was discarded somewhere! Even if you can ping, it just proves the GRE source and destination route is OK, so I suspect the GRE packet is blocked somewhere both before and after you set GRE keepalive. So I suggest you remove the GRE keepalive and test that the GRE tunnel works by passing traffic over it. At least you can narrow down the troubleshooting scope.
03-31-2016 12:08 AM
If both routers are configured with tunnel protection then GRE tunnel keepalives cannot be used in either direction. You can refer to the following document.
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/64565-gre-tunnel-keepalive.pdf
03-31-2016 12:29 AM
Tunnel protection is not enabled.
03-31-2016 01:38 AM
Are you allowing the protocols through the firewall and routers: 47, 500, 50 & 51?
Without these the tunnel will not form. Is your IPsec up on the router side and the tunnel down, or are both down?
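To make the two points above concrete (the ping to the tunnel destination never carries IP protocol 47, and a keepalive only succeeds if GRE is permitted in both directions), here is an added illustration that is not part of the thread. It assumes the Cisco keepalive format (an outer GRE packet carrying an inner IP/GRE packet addressed back to the sender, inner protocol type 0), builds one with constructed addresses from the thread, and shows what the peer decapsulates and sends back.

```python
import socket
import struct

IPPROTO_GRE = 47           # GRE is its own IP protocol, not TCP/UDP
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an encapsulated IPv4 packet
GRE_KEEPALIVE_PROTO = 0    # inner GRE protocol type used for keepalives (assumed Cisco format)
IP_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header layout


def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left zero since nothing here is transmitted."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, 255, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_header(proto):
    """Basic GRE header (RFC 2784): no flags, version 0, protocol type."""
    return struct.pack("!HH", 0, proto)


def build_keepalive(tun_src, tun_dst):
    """Outer GRE to the peer, carrying an inner IP/GRE packet addressed back to us."""
    inner = ip_header(tun_dst, tun_src, IPPROTO_GRE, 4) + gre_header(GRE_KEEPALIVE_PROTO)
    return ip_header(tun_src, tun_dst, IPPROTO_GRE, 4 + len(inner)) \
        + gre_header(ETHERTYPE_IPV4) + inner


def parse_ip(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total]}


def peer_decapsulate(pkt):
    """What the remote endpoint does: strip outer IP+GRE and route the inner packet.
    Returns the packet the peer forwards back, or None if this is not GRE-in-IPv4."""
    outer = parse_ip(pkt)
    if outer["proto"] != IPPROTO_GRE:
        return None            # e.g. a plain ICMP ping never reaches the tunnel code
    _, proto = struct.unpack("!HH", outer["payload"][:4])
    return outer["payload"][4:] if proto == ETHERTYPE_IPV4 else None


def is_keepalive_reply(pkt, tun_src):
    """The originator must receive a protocol-47 packet to itself with inner type 0."""
    ip = parse_ip(pkt)
    if ip["proto"] != IPPROTO_GRE or ip["dst"] != tun_src:
        return False
    _, proto = struct.unpack("!HH", ip["payload"][:4])
    return proto == GRE_KEEPALIVE_PROTO
```

Note that the returned packet is again IP protocol 47 travelling from the peer back to the router, so a firewall rule that permits GRE in only one direction lets the keepalive out but silently drops the reply.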
03-31-2016 02:26 AM
IPsec is already UP, which is created on the firewall, and the GRE tunnel is created on the inside router.
We just need to allow GRE traffic in the firewall; however, I have also checked with ANY service, but no luck.
03-31-2016 03:33 AM
Have you tried changing the src of the tunnel to the physical interface or IP address, just in case it's having issues forming over a logical interface?
You said you can ping to the far side; can you ping back with no issues from the ASA side, and can you ping from a src of your loopback as well?
04-01-2016 01:44 AM
I tried whatever suggested by you, but it's not working.