
GRE Tunnels over Comcast network

goochland
Level 1

Trying to do GRE tunneling over the Comcast network.  Have Cisco Catalyst 3560's at each end.  Can get the tunnel to work if switches are cabled "back-to-back" but cannot get it to work over the Comcast network.

Anyone have any suggestions?

Thanks, Jim

7 Replies

Robert Taylor
Cisco Employee

When connected on the Comcast network, do you have a firewall between them anywhere?

Can you ping between the tunnel source / tunnel destination address?  Are you using public addresses for the tunnel source/destination (must be or it won't work).

Configs would be helpful for a quick sanity check.

No, no firewall, and yes, ping does work using the public IP addresses.

My manager has posted the configs you asked for.

Thanks!

ErickBCCNA
Level 1

Try using tunnel mode ipip to change how the tunnel does the encapsulation. Most service providers don't care if it's an IP packet crossing the network.  Your service provider may be filtering protocol number 47 in the transit path of your tunnel end points.

goochland
Level 1

Below is the output from both endpoints

Sh run

Ping

Sh int t0

Sh ver

Thanks!

-----------------------------------------------------------------

Test_Switch1#sh run

Building configuration...

Current configuration : 3659 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log datetime msec

no service password-encryption

!

hostname Test_Switch1

!

boot-start-marker

boot-end-marker

!

logging buffered 8192

!

!

no aaa new-model

system mtu routing 1500

authentication mac-move permit

ip subnet-zero

ip routing

ip domain-name co.goochland.va.us

!

!

!

!

crypto pki trustpoint TP-self-signed-2893532800

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2893532800

revocation-check none

rsakeypair TP-self-signed-2893532800

!

!

crypto pki certificate chain TP-self-signed-2893532800

certificate self-signed 01

  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

Blah blah

  quit

!

!

!

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!        

!

interface Tunnel0

ip address 192.168.10.1 255.255.255.252

ip mtu 1440

ip tcp adjust-mss 1400

keepalive 5

cdp enable

tunnel source 64.139.79.113

tunnel destination 64.139.79.66

!

interface FastEthernet0/1

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!        

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

no switchport

ip address 64.139.79.113 255.255.255.240

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 0.0.0.0 0.0.0.0 64.139.79.126

ip route 64.139.79.66 255.255.255.255 64.139.79.126

ip http server

ip http secure-server

!

!

ip sla enable reaction-alerts

!

!

alias exec sib sh ip int br

alias exec sr sh run int

!

line con 0

login local

line vty 0 4

login local

line vty 5 15

login

!

end

-----------------------------------------------------------------------Ping

Test_Switch1#ping 64.139.79.66

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 64.139.79.66, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/25 ms

-------------------------------------------------------------------------------sh int t0

Test_Switch1#sh int t0

Tunnel0 is up, line protocol is down

  Hardware is Tunnel

  Internet address is 192.168.10.1/30

  MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive set (5 sec), retries 3

  Tunnel source 64.139.79.113, destination 64.139.79.66

  Tunnel protocol/transport GRE/IP

    Key disabled, sequencing disabled

    Checksumming of packets disabled

  Tunnel TTL 255, Fast tunneling enabled

  Tunnel transport MTU 1476 bytes

  Last input never, output 00:00:03, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     988 packets output, 51430 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

-----------------------------------------------------------------------sh ver

Test_Switch1#sh ver

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE1, RELEASE SOFTWARE (fc2)

ROM: Bootstrap program is C3560 boot loader

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

Test_Switch1 uptime is 1 hour, 22 minutes

System returned to ROM by power-on

System image file is "flash:/c3560-ipservicesk9-mz.122-53.SE1.bin"

cisco WS-C3560-24PS (PowerPC405) processor (revision S0) with 131072K bytes of memory.

Processor board ID FDO1242X56J

Last reset from power-on

1 Virtual Ethernet interface

24 FastEthernet interfaces

2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address       : 00:23:AC:77:CE:80

Motherboard assembly number     : 73-9673-11

Power supply part number        : 341-0029-05

Motherboard serial number       : FDO12420KPG

Power supply serial number      : DTN12384425

Model revision number           : S0

Motherboard revision number     : A0

Model number                    : WS-C3560-24PS-E

System serial number            : FDO1242X56J

Top Assembly Part Number        : 800-26380-05

Top Assembly Revision Number    : C0

Version ID                      : V07

CLEI Code Number                : COMUZ10ARA

Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version            SW Image                

------ ----- -----              ----------            ----------              

*    1 26    WS-C3560-24PS      12.2(53)SE1           C3560-IPSERVICESK9-M    

Configuration register is 0xF

End of Test_Switch1#

------------------------------------------------------------------sh run ---------------------

Test_Switch2#sh run

Building configuration...

Current configuration : 3657 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log datetime msec

no service password-encryption

!

hostname Test_Switch2

!

boot-start-marker

boot-end-marker

!

logging buffered 8192

!

username

!

no aaa new-model

system mtu routing 1500

authentication mac-move permit

ip subnet-zero

ip routing

ip domain-name co.goochland.va.us

!

!

!

!

crypto pki trustpoint TP-self-signed-2897481600

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2897481600

revocation-check none

rsakeypair TP-self-signed-2897481600

!

!

crypto pki certificate chain TP-self-signed-2897481600

certificate self-signed 01

  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  Blah blah

  quit

!

!

!

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!        

!

interface Tunnel0

ip address 192.168.10.2 255.255.255.252

ip mtu 1440

ip tcp adjust-mss 1400

keepalive 5

cdp enable

tunnel source 64.139.79.66

tunnel destination 64.139.79.113

!

interface FastEthernet0/1

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!        

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

no switchport

ip address 64.139.79.66 255.255.255.240

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 0.0.0.0 0.0.0.0 64.139.79.78

ip route 64.139.79.113 255.255.255.255 64.139.79.78

ip http server

ip http secure-server

!

!

ip sla enable reaction-alerts

!

!

alias exec sib sh ip int br

alias exec sr sh run int

!

line con 0

login local

line vty 0 4

login local

line vty 5 15

login

!

end

-----------------------------------------------------------------------------ping

Test_Switch2#ping 64.139.79.113

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 64.139.79.113, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms

--------------------------------------------------------------------------------sh int t0

Test_Switch2#sh int t0

Tunnel0 is up, line protocol is down

  Hardware is Tunnel

  Internet address is 192.168.10.2/30

  MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive set (5 sec), retries 3

  Tunnel source 64.139.79.66, destination 64.139.79.113

  Tunnel protocol/transport GRE/IP

    Key disabled, sequencing disabled

    Checksumming of packets disabled

  Tunnel TTL 255, Fast tunneling enabled

  Tunnel transport MTU 1476 bytes

  Last input never, output 00:00:04, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     982 packets output, 51142 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

------------------------------------------------------------------------sh ver

Test_Switch2#sh ver

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE1, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2010 by Cisco Systems, Inc.

Compiled Fri 12-Mar-10 16:54 by prod_rel_team

Image text-base: 0x01000000, data-base: 0x02E00000

ROM: Bootstrap program is C3560 boot loader

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

Test_Switch2 uptime is 1 hour, 21 minutes

System returned to ROM by power-on

System image file is "flash:c3560-ipservicesk9-mz.122-53.SE1.bin"

cisco WS-C3560-24PS (PowerPC405) processor (revision S0) with 131072K bytes of memory.

Processor board ID FDO1242X557

Last reset from power-on

1 Virtual Ethernet interface

24 FastEthernet interfaces

2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address       : 00:23:AC:B4:0F:80

Motherboard assembly number     : 73-9673-11

Power supply part number        : 341-0029-05

Motherboard serial number       : FDO12420NL4

Power supply serial number      : DTN1238446L

Model revision number           : S0

Motherboard revision number     : A0

Model number                    : WS-C3560-24PS-E

System serial number            : FDO1242X557

Top Assembly Part Number        : 800-26380-05

Top Assembly Revision Number    : C0

Version ID                      : V07

CLEI Code Number                : COMUZ10ARA

Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version            SW Image                

------ ----- -----              ----------            ----------              

*    1 26    WS-C3560-24PS      12.2(53)SE1           C3560-IPSERVICESK9-M    

Configuration register is 0xF

End of Test_Switch2#

Jim

The information that you have posted is quite complete and shows us a lot about the problem. I have looked at the config and it looks fine to me. I do not see config problems. And the fact that the tunnel works when the switches are configured back to back confirms that this is really not a config problem.

I do have a couple of observations and suggestions:

- the interface tunnel line protocol is down and this is one of the symptoms. I suspect that this is because of the configuration of tunnel keepalives. If you remove the tunnel keepalives from both switches I suspect that the line protocol will come up.

- but I do not predict that this would solve the underlying problem. I suspect that the underlying problem is a lack of connectivity through the tunnel.

- I suspect that something is blocking traffic between the switches. If you are sure that there is not something between the switches and the Comcast network, then I suspect that Comcast is blocking the traffic.

- do you have the ability to capture packets (configure a span session to copy all traffic in and out of the outbound interface)? This would probably be the most direct way to test whether the GRE traffic from one switch is getting to the other switch.

HTH

Rick
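
Added example, not part of the original thread: one way to run the check suggested above on packets copied from a SPAN session, counting GRE (IP protocol 47) in each direction between the two tunnel endpoints. It assumes raw IPv4 packets with the Ethernet header already stripped; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

GRE, ICMP = 47, 1                            # IP protocol numbers
SW1, SW2 = "64.139.79.113", "64.139.79.66"   # tunnel endpoints from the posted configs

def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]

def diagnose(packets, local, remote):
    """Count GRE per direction between the endpoints and classify the flow."""
    seen = Counter()
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr and {hdr[0], hdr[1]} == {local, remote}:
            seen[hdr] += 1
    out_gre, in_gre = seen[(local, remote, GRE)], seen[(remote, local, GRE)]
    if out_gre and in_gre:
        verdict = "gre-both-ways"
    elif out_gre:
        # Other IP traffic coming back while GRE does not suggests protocol 47 is dropped in the path
        other_in = any(s == remote and p != GRE for (s, d, p) in seen)
        verdict = "gre-out-only-path-filter-suspected" if other_in else "gre-out-only-no-return-traffic"
    elif in_gre:
        verdict = "gre-in-only"
    else:
        verdict = "no-gre-seen"
    return out_gre, in_gre, verdict

def make_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample matching the posted symptoms: ping works both ways, GRE only goes out
GRE_HDR = struct.pack("!HH", 0, 0x0800)      # no flags, payload protocol IPv4
SAMPLE = ([make_ipv4(SW1, SW2, GRE, GRE_HDR + b"\x00" * 20)] * 3
          + [make_ipv4(SW1, SW2, ICMP, b"\x08\x00")] * 2
          + [make_ipv4(SW2, SW1, ICMP, b"\x00\x00")] * 2
          + [b"\x60" + b"\x00" * 39])        # non-IPv4 bytes, ignored by the parser

if __name__ == "__main__":
    print(diagnose(SAMPLE, SW1, SW2))
```

Running the same function on a capture from each end shows whether GRE is lost in one direction or both.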

The problem has been resolved.  It was a combination of your suggestion about changing the "keep-alive"  parameter, and rebooting the Comcast modems.

Thanks so much to those who assisted.

Jim

Jim

I am glad that you got it resolved. Thank you for marking this issue as resolved (and thanks for the points). It makes the forum more useful when people can read about an issue and can know that they will see the solution to the issue. Your marking contributes to this.

HTH

Rick
