11-29-2010 10:12 AM - edited 03-04-2019 10:36 AM
Trying to do GRE tunneling over the Comcast network. Have Cisco Catalyst 3560s at each end. Can get the tunnel to work if switches are cabled "back-to-back" but cannot get it to work over the Comcast network.
Anyone have any suggestions?
Thanks, Jim
11-29-2010 02:00 PM
Jim
The information that you have posted is quite complete and shows us a lot about the problem. I have looked at the config and it looks fine to me. I do not see config problems. And the fact that the tunnel works when the switches are configured back to back confirms that this is really not a config problem.
I do have a couple of observations and suggestions:
- the interface tunnel line protocol is down and this is one of the symptoms. I suspect that this is because of the configuration of tunnel keepalives. If you remove the tunnel keepalives from both switches I suspect that the line protocol will come up.
- but I do not predict that this would solve the underlying problem. I suspect that the underlying problem is a lack of connectivity through the tunnel.
- I suspect that something is blocking traffic between the switches. If you are sure that there is not something between the switches and the Comcast network, then I suspect that Comcast is blocking the traffic.
- do you have the ability to capture packets (configure a span session to copy all traffic in and out of the outbound interface)? This would probably be the most direct way to test whether the GRE traffic from one switch is getting to the other switch.
HTH
Rick
11-29-2010 12:44 PM
When connected on the Comcast network, do you have a firewall between them anywhere?
Can you ping between the tunnel source / tunnel destination address? Are you using public addresses for the tunnel source/destination (must be, or it won't work)?
Configs would be helpful for a quick sanity check.
11-29-2010 01:12 PM
No, no firewall, and yes, ping does work using the public IP addresses.
My manager has posted the configs you asked for.
Thanks!
11-29-2010 12:45 PM
Try using tunnel mode ipip to change how the tunnel does the encapsulation. Most service providers don't care if it's an IP packet crossing the network. Your service provider may be filtering protocol number 47 in the transit path of your tunnel end points.
11-29-2010 01:08 PM
Below is the output from both endpoints:
Sh run
Ping
Sh int t0
Sh ver
Thanks!
-----------------------------------------------------------------
Test_Switch1#sh run
Building configuration...
Current configuration : 3659 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname Test_Switch1
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
!
!
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip domain-name co.goochland.va.us
!
!
!
!
crypto pki trustpoint TP-self-signed-2893532800
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2893532800
revocation-check none
rsakeypair TP-self-signed-2893532800
!
!
crypto pki certificate chain TP-self-signed-2893532800
certificate self-signed 01
30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
Blah blah
quit
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Tunnel0
ip address 192.168.10.1 255.255.255.252
ip mtu 1440
ip tcp adjust-mss 1400
keepalive 5
cdp enable
tunnel source 64.139.79.113
tunnel destination 64.139.79.66
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
no switchport
ip address 64.139.79.113 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.139.79.126
ip route 64.139.79.66 255.255.255.255 64.139.79.126
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
alias exec sib sh ip int br
alias exec sr sh run int
!
line con 0
login local
line vty 0 4
login local
line vty 5 15
login
!
end
-----------------------------------------------------------------------Ping
Test_Switch1#ping 64.139.79.66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.139.79.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/25 ms
-------------------------------------------------------------------------------sh int t0
Test_Switch1#sh int t0
Tunnel0 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.10.1/30
MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (5 sec), retries 3
Tunnel source 64.139.79.113, destination 64.139.79.66
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Last input never, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
988 packets output, 51430 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
-----------------------------------------------------------------------sh ver
Test_Switch1#sh ver
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE1, RELEASE SOFTWARE (fc2)
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Test_Switch1 uptime is 1 hour, 22 minutes
System returned to ROM by power-on
System image file is "flash:/c3560-ipservicesk9-mz.122-53.SE1.bin"
cisco WS-C3560-24PS (PowerPC405) processor (revision S0) with 131072K bytes of memory.
Processor board ID FDO1242X56J
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:23:AC:77:CE:80
Motherboard assembly number : 73-9673-11
Power supply part number : 341-0029-05
Motherboard serial number : FDO12420KPG
Power supply serial number : DTN12384425
Model revision number : S0
Motherboard revision number : A0
Model number : WS-C3560-24PS-E
System serial number : FDO1242X56J
Top Assembly Part Number : 800-26380-05
Top Assembly Revision Number : C0
Version ID : V07
CLEI Code Number : COMUZ10ARA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3560-24PS 12.2(53)SE1 C3560-IPSERVICESK9-M
Configuration register is 0xF
End of Test_Switch1#
------------------------------------------------------------------sh run ---------------------
Test_Switch2#sh run
Building configuration...
Current configuration : 3657 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname Test_Switch2
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
!
username
!
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip domain-name co.goochland.va.us
!
!
!
!
crypto pki trustpoint TP-self-signed-2897481600
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2897481600
revocation-check none
rsakeypair TP-self-signed-2897481600
!
!
crypto pki certificate chain TP-self-signed-2897481600
certificate self-signed 01
30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
Blah blah
quit
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Tunnel0
ip address 192.168.10.2 255.255.255.252
ip mtu 1440
ip tcp adjust-mss 1400
keepalive 5
cdp enable
tunnel source 64.139.79.66
tunnel destination 64.139.79.113
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
no switchport
ip address 64.139.79.66 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.139.79.78
ip route 64.139.79.113 255.255.255.255 64.139.79.78
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
alias exec sib sh ip int br
alias exec sr sh run int
!
line con 0
login local
line vty 0 4
login local
line vty 5 15
login
!
end
-----------------------------------------------------------------------------ping
Test_Switch2#ping 64.139.79.113
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.139.79.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms
--------------------------------------------------------------------------------sh int t0
Test_Switch2#sh int t0
Tunnel0 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.10.2/30
MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (5 sec), retries 3
Tunnel source 64.139.79.66, destination 64.139.79.113
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Last input never, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
982 packets output, 51142 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
------------------------------------------------------------------------sh ver
Test_Switch2#sh ver
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Fri 12-Mar-10 16:54 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02E00000
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Test_Switch2 uptime is 1 hour, 21 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipservicesk9-mz.122-53.SE1.bin"
cisco WS-C3560-24PS (PowerPC405) processor (revision S0) with 131072K bytes of memory.
Processor board ID FDO1242X557
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:23:AC:B4:0F:80
Motherboard assembly number : 73-9673-11
Power supply part number : 341-0029-05
Motherboard serial number : FDO12420NL4
Power supply serial number : DTN1238446L
Model revision number : S0
Motherboard revision number : A0
Model number : WS-C3560-24PS-E
System serial number : FDO1242X557
Top Assembly Part Number : 800-26380-05
Top Assembly Revision Number : C0
Version ID : V07
CLEI Code Number : COMUZ10ARA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3560-24PS 12.2(53)SE1 C3560-IPSERVICESK9-M
Configuration register is 0xF
End of Test_Switch2#
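A small diagnostic added here (not code from any poster in this thread or from Cisco) that parses an abridged copy of the "sh int t0" output above and applies Rick's reasoning: line protocol down with keepalives configured, packets leaving but none arriving, while the underlay ping succeeds, points at GRE (IP protocol 47) being dropped somewhere in transit rather than at a config error. The sample text is constructed from the posted output; the diagnosis labels are my own.

```python
import re

# Constructed sample, abridged from the "sh int t0" output posted in this thread
SAMPLE_SHOW_INT = """\
Tunnel0 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.10.1/30
Keepalive set (5 sec), retries 3
Tunnel source 64.139.79.113, destination 64.139.79.66
Tunnel protocol/transport GRE/IP
0 packets input, 0 bytes, 0 no buffer
988 packets output, 51430 bytes, 0 underruns
"""

def parse_tunnel_status(text):
    """Extract the fields of a 'show interfaces TunnelN' block that matter for this diagnosis.
    Leading whitespace is tolerated because real IOS output indents the counter lines."""
    hdr = re.search(r"^\s*(\S+) is (up|down|administratively down), line protocol is (up|down)", text, re.M)
    if not hdr:
        raise ValueError("not a 'show interfaces' block")
    ka = re.search(r"^\s*Keepalive set \((\d+) sec\), retries (\d+)", text, re.M)
    proto = re.search(r"^\s*Tunnel protocol/transport (\S+)", text, re.M)
    pin = re.search(r"^\s*(\d+) packets input", text, re.M)
    pout = re.search(r"^\s*(\d+) packets output", text, re.M)
    return {
        "name": hdr.group(1),
        "admin": hdr.group(2),
        "line_protocol": hdr.group(3),
        "keepalive": (int(ka.group(1)), int(ka.group(2))) if ka else None,
        "transport": proto.group(1) if proto else None,
        "packets_in": int(pin.group(1)) if pin else 0,
        "packets_out": int(pout.group(1)) if pout else 0,
    }

def diagnose(status, underlay_ping_ok):
    """Classify the symptom; underlay_ping_ok = tunnel source can ping tunnel destination."""
    if status["admin"] != "up":
        return "interface-down"
    if status["line_protocol"] == "up":
        return "healthy"
    if not underlay_ping_ok:
        return "underlay-unreachable"       # fix routing/addressing before looking at GRE
    if status["keepalive"] is None:
        # Without keepalives, GRE line protocol only drops when there is no route to the destination
        return "no-route-to-destination"
    if status["packets_out"] > 0 and status["packets_in"] == 0:
        # Keepalives leave but none return while ICMP passes: IP protocol 47 is
        # most likely being dropped somewhere in the transit path (this thread's case)
        return "gre-not-arriving"
    return "keepalive-loss-intermittent"     # some GRE arrives; suspect loss or MTU trouble
```

Removing the keepalive, as Rick suggests, will bring the line protocol up but leaves "gre-not-arriving" unexplained; the SPAN capture he describes is what confirms it.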
11-30-2010 04:27 AM
The problem has been resolved. It was a combination of your suggestion about changing the "keep-alive" parameter, and rebooting the Comcast modems.
Thanks so much to those who assisted.
Jim
11-30-2010 07:15 AM
Jim
I am glad that you got it resolved. Thank you for marking this issue as resolved (and thanks for the points). It makes the forum more useful when people can read about an issue and can know that they will see the solution to the issue. Your marking contributes to this.
HTH
Rick