02-22-2012 08:29 AM - edited 03-04-2019 03:23 PM
My topology is the following:
PC---R1---ISP(router)---R2---Switch---PC
I can successfully ping throughout the whole network but GRE tunneling does not seem to work. I was practicing IPsec VPNs before this which is why there are crypto configs that aren't applied. I removed them just to test out GRE. After configuring GRE and running a debug I get this message...
Feb 22 16:30:07.123: Tunnel0: GRE/IP to classify 202.170.100.33->202.170.100.30 (len=64 type=0x800 ttl=253 tos=0x0)
*Feb 22 16:30:07.123: Tunnel0: adjacency fixup, 202.170.100.30->202.170.100.33, tos=0x0
*Feb 22 16:30:07.123: Tunnel0: adjacency fixup, 202.170.100.30->202.170.100.33, tos=0x0
*Feb 22 16:30:07.123: Tunnel0: GRE/IP to classify 202.170.100.33->202.170.100.30 (len=64 type=0x800 ttl=253 tos=0x0)
When I turn on Keepalive and run a debug it seems like GRE is working successfully because debug shows encapsulating and decapsulating messages, but only on the keepalives and not when pinging or transferring data using an FTP.
Here are my configs for R1 and R2.
R1 Config...
version 12.4
crypto isakmp policy 101
 encr aes
 authentication pre-share
 group 5
crypto isakmp key ciscovpnpass address 202.170.100.30
!
!
crypto ipsec transform-set PSO esp-aes esp-sha-hmac
!
crypto map R1-to-R2 101 ipsec-isakmp
 set peer 202.170.100.30
 set transform-set PSO
 match address 101
!
!
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 202.170.100.30
!
interface GigabitEthernet0/0
 description Link to R1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Link to ISP
 ip address 202.170.100.33 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/2/0
 no ip address
 shutdown
!
router ospf 10
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 202.170.100.32 0.0.0.3 area 0
!
ip classless
ip route 192.168.2.0 255.255.255.0 10.1.1.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
----------
R2 Config...
version 12.4
!
crypto isakmp policy 101
 encr aes
 authentication pre-share
 group 5
crypto isakmp key ciscovpnpass address 202.170.100.33
!
!
crypto ipsec transform-set PSO esp-aes esp-sha-hmac
!
crypto map R2-to-R1 101 ipsec-isakmp
 ! Incomplete
 set peer 202.170.100.33
 set transform-set PSO
 match address 101
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 202.170.100.33
!
interface FastEthernet0/0
 ip address 202.170.100.30 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 192.168.2.0 0.0.0.255 area 0
 network 202.170.100.28 0.0.0.3 area 0
!
!ip route 192.168.1.0 255.255.255.0 10.1.1.2
02-22-2012 10:46 AM
Please post the output from show interface tunnel0 and show ip route from both routers.
Your ISP may be blocking the GRE packet hence causing the tunnel NOT to come up.
02-22-2012 11:19 AM
Hi Edison, thanks for your help. I'm sorry, I should have stated that this is entirely a lab environment. ISP is just the name of the router. Here is the output of what you requested,
R1#show int tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.1.2/30
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 202.170.100.33, destination 202.170.100.30
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 01:08:04, output 01:23:47, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1050 packets input, 74315 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
758 packets output, 59758 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Gateway of last resort is not set
202.170.100.0/30 is subnetted, 2 subnets
O 202.170.100.28 [110/2] via 202.170.100.34, 00:05:23, GigabitEthernet0/1
C 202.170.100.32 is directly connected, GigabitEthernet0/1
10.0.0.0/30 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Tunnel0
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
S 192.168.2.0/24 [1/0] via 10.1.1.1
-------------------------------------------------------
R2#show int tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.1.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 202.170.100.30, destination 202.170.100.33
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:23, output 00:00:23, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
739 packets input, 57918 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1092 packets output, 77289 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Gateway of last resort is not set
202.170.100.0/30 is subnetted, 2 subnets
C 202.170.100.28 is directly connected, FastEthernet0/0
O 202.170.100.32 [110/2] via 202.170.100.29, 00:04:17, FastEthernet0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Tunnel0
S 192.168.1.0/24 [1/0] via 10.1.1.2
C 192.168.2.0/24 is directly connected, FastEthernet0/1
02-22-2012 11:33 AM
Using the command, debug tunnel on R2 and pinging from 192.168.2.1 on the router interface (by using the extended ping option to specify the interface) to 192.168.1.1 (R1 router interface) it shows,
Feb 22 20:10:59.446: Tunnel0: GRE/IP to classify 202.170.100.33->202.170.100.30 (len=124 type=0x800 ttl=253 tos=0x0)
*Feb 22 20:10:59.446: Tunnel0: GRE/IP encapsulated 202.170.100.30->202.170.100.33 (linktype=7, len=124)
This leads me to believe that it encapsulated the packet in GRE successfully, would I be correct about that?
Now when I ping from PC to PC I see this from debug tunnel,
*Feb 22 20:11:53.238: Tunnel0: GRE/IP to classify 202.170.100.33->202.170.100.30 (len=84 type=0x800 ttl=253 tos=0x0)
R2#
*Feb 22 20:11:54.226: Tunnel0: adjacency fixup, 202.170.100.30->202.170.100.33, tos=0x0
I don't know what to think of this output but I assume it did not successfully encapsulate in GRE.
02-23-2012 05:10 AM
Well, a CCNP I know has informed me that the GRE tunnel is working. I'm not sure why I'm getting the adjacency fixup message but I believe it could have something to do with OSPF. I did disable OSPF and applied static routes and got the same error so I'm not 100% certain. I would like to view the packets to ensure they're being encapsulated but the "monitor capture" command is not available in my IOS.
02-23-2012 06:33 AM
You won't be able to see transit traffic (traffic not originated by the router) via a debug unless you enable process-switching on the interfaces (not recommended).
Your GRE tunnel is working per the output you've provided.
Regards,
Edison
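Added example, not part of the thread: a small decoder that confirms GRE encapsulation from raw packet bytes captured between R1 and R2, and shows that with the crypto map unapplied the inner addresses are readable in the clear. The sample packet is constructed from the addresses posted above (100-byte inner ping + 4-byte GRE + 20-byte outer IP = 124 bytes, the figure in the len=124 debug line); all function names are illustrative.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # shown as "type=0x800" in the debug lines

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Build a 20-byte IPv4 header (checksum left at 0, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    """Return (src, dst, proto, total_len, payload) or raise ValueError."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total_len = (pkt[0] & 0x0F) * 4, int.from_bytes(pkt[2:4], "big")
    if ihl < 20 or not ihl <= total_len <= len(pkt):
        raise ValueError("malformed or truncated IPv4 packet")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], total_len, pkt[ihl:total_len])

def parse_gre(data):
    """Return (protocol_type, inner_bytes); skips optional C/K/S fields."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return proto, data[offset:]

def inspect_gre_packet(pkt):
    """Decode outer IPv4 + GRE + inner IPv4 and report both address pairs."""
    o_src, o_dst, o_proto, o_len, o_payload = parse_ipv4(pkt)
    if o_proto != GRE_PROTO:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    gre_type, inner = parse_gre(o_payload)
    if gre_type != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    i_src, i_dst, i_proto, _, _ = parse_ipv4(inner)
    return {"outer": (o_src, o_dst), "outer_len": o_len, "gre_type": gre_type,
            "inner": (i_src, i_dst), "inner_proto": i_proto}

def sample_packet():
    icmp = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + bytes(72)  # constructed echo request
    inner = ipv4_header("192.168.2.1", "192.168.1.1", 1, len(icmp)) + icmp
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no key, sequence or checksum
    return ipv4_header("202.170.100.30", "202.170.100.33", GRE_PROTO,
                       len(gre) + len(inner)) + gre + inner
```

Feed `inspect_gre_packet` the IP-layer bytes of a frame captured on the 202.170.100.x links; a plain (non-tunnelled) packet raises `ValueError` instead of returning a result.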