
GRE tunnel issue after NAT

bensonlei
Level 1

Hi guys,

A GRE tunnel can be easily set up between two L3 devices (which means the tunnel source is "tunnel source 100.67.97.200" in the following configuration; the GRE tunnel is working properly). However, after a NAT device is added into the network, the GRE tunnel cannot be established. The debug messages are below:


Scenario :
L3 device01 (GRE tunnel) -----NAT firewall ----L3 Device02 ( GRE tunnel ) ( SW-c37Right#)


Configuration:
1. 101.36.48.200 = IP of the Device01
2. 100.67.97.200 = IP of the NAT Firewall ( for WAN NATing )
3. 10.83.2.254 = LAN IP of the Device02 ( for LAN NATing )
4. The NAT firewall has only default policy, and permit any any


SW-c37Right#
interface Tunnel3
ip address 10.10.23.6 255.255.255.252
keepalive 5
tunnel source 10.83.2.254
tunnel destination 101.36.48.200
tunnel path-mtu-discovery
end



SW-c37Right#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan20 10.83.2.254 YES NVRAM up up
..........
Tunnel3 10.10.23.6 YES NVRAM up down


SW-c37Right#sh int tun3
Tunnel3 is up, line protocol is down
Hardware is Tunnel
Internet address is 10.10.23.6/30
MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (5 sec), retries 3
Tunnel source 10.83.2.254, destination 101.36.48.200
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1476 bytes
Last input 00:54:25, output 00:00:04, output hang never
Last clearing of "show interface" counters 00:04:14
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
51 packets output, 2448 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
SW-c37Right#


SW-c37Right#
*Mar 2 00:04:41.715: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:42.705: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:43.703: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:43.795: Tunnel3: GRE/IP encapsulated 10.83.2.254->101.36.48.200 (linktype=7, len=48)
*Mar 2 00:04:43.795: Tunnel3 count tx, adding 24 encap bytes
*Mar 2 00:04:44.693: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:45.699: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:46.689: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:47.696: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:48.677: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:48.803: Tunnel3: GRE/IP encapsulated 10.83.2.254->101.36.48.200 (linktype=7, len=48)
*Mar 2 00:04:48.803: Tunnel3 count tx, adding 24 encap bytes
*Mar 2 00:04:49.684: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:50.674: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:51.664: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:52.662: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:53.660: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:53.811: Tunnel3: GRE/IP encapsulated 10.83.2.254->101.36.48.200 (linktype=7, len=48)
*Mar 2 00:04:53.811: Tunnel3 count tx, adding 24 encap bytes
*Mar 2 00:04:54.659: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:55.657: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:56.647: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:57.645: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:58.651: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:58.819: Tunnel3: GRE/IP encapsulated 10.83.2.254->101.36.48.200 (linktype=7, len=48)
*Mar 2 00:04:58.819: Tunnel3 count tx, adding 24 encap bytes


Any hints/suggestions from the debug messages? Thanks.
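An added example, not part of the original post: a small Python parser that tallies the tunnel debug lines above by direction and address pair, so the addresses, lengths and pacing of received versus sent GRE packets can be compared at a glance. The sample is a subset of the lines from the post; the function names and the `rx`/`tx` labels are assumptions made for this example.

```python
import re
from collections import defaultdict

# Subset of the debug lines from the post, embedded so the example runs offline.
SAMPLE = '''\
*Mar 2 00:04:41.715: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:42.705: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:43.703: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:43.795: Tunnel3: GRE/IP encapsulated 10.83.2.254->101.36.48.200 (linktype=7, len=48)
*Mar 2 00:04:43.795: Tunnel3 count tx, adding 24 encap bytes
*Mar 2 00:04:44.693: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:45.699: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:46.689: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:47.696: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:48.677: Tunnel3: GRE/IP (PS) to decaps 101.36.48.200->10.83.2.254 (tbl=0,"default" len=80 ttl=61)
*Mar 2 00:04:48.803: Tunnel3: GRE/IP encapsulated 10.83.2.254->101.36.48.200 (linktype=7, len=48)
*Mar 2 00:04:48.803: Tunnel3 count tx, adding 24 encap bytes
'''

LINE_RE = re.compile(
    r'^\*\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\.(\d{3}):\s+(Tunnel\d+):\s+GRE/IP\s+'
    r'(\(PS\) to decaps|encapsulated)\s+([\d.]+)->([\d.]+)\s+\(([^)]*)\)')

def parse(text):
    """Yield (ms_of_day, tunnel, direction, src, dst, length) per GRE debug line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "count tx" lines carry no addresses
        h, mi, s, frac, tun, kind, src, dst, attrs = m.groups()
        ms = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(frac)
        length = int(re.search(r'len=(\d+)', attrs).group(1))
        yield ms, tun, 'tx' if kind == 'encapsulated' else 'rx', src, dst, length

def summarize(text):
    """Group by (direction, src, dst): packet count, lengths seen, mean gap in ms."""
    groups = defaultdict(list)
    for ms, _tun, direction, src, dst, length in parse(text):
        groups[(direction, src, dst)].append((ms, length))
    out = {}
    for key, rows in groups.items():
        times = sorted(t for t, _ in rows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        out[key] = {'count': len(rows), 'lengths': sorted({n for _, n in rows}),
                    'mean_gap_ms': sum(gaps) / len(gaps) if gaps else None}
    return out

if __name__ == '__main__':
    for (direction, src, dst), stats in summarize(SAMPLE).items():
        print(direction, f'{src}->{dst}', stats)
```

On this sample the sent packets are spaced about 5 seconds apart, matching `keepalive 5`, while the packets handed to decapsulation arrive roughly once per second with a different length.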

2 Replies

Hello,

Basically, you need to exclude traffic that goes through the tunnel (usually LAN to LAN traffic) from being translated. Post the full configs of both sides, or have a look at the document linked below:

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/9221-quicktip.html#diag

Hi Georg,

Thanks for your information.

We found the firewall has an issue with GRE protocol pass-through.

Many thanks