Problem Pinging both sides of GRE tunnel

Community, I'm scratching my head. I've put all the details in an attached PDF. Basically, I've got an IPSEC B2B tunnel (working). I'm slipping a GRE tunnel through it and it's working (partially): I can ping on one side and not the other. At first I thought, hey, there's something routing-related wrong with this, but I can't find anything wrong routing-related, as the tunnel is showing up in the routing table of both routers as "connected". Not sure what's going on. Please find my attached PDF file.

Accepted Solutions

ahmedshoaib
Level 4

Hi;

Just want to re-confirm: as per the diagram, Lo0 on RemoteB and LOCALA have the same IP address, which is 192.168.2.217, while as per the configuration it should be 192.168.2.218 at RemoteB.

The other tunnel configuration is simple and I don't see any issue with it.

I suspect that either the ASA or the Palo Alto firewall policy is blocking the traffic.

Thanks & Best regards;

5 Replies

Yes ahmedshoaib, thanks for pointing that out. You are correct, I incorrectly labeled REMOTE B Lo0.

It should be, as you say, 192.168.2.218. I fear the same. I have confirmed the Palo Alto is allowing traffic to and from. I have full visibility to verify the Palo. As for the ASA, I don't have visibility and will have to work with the engineer on Monday to confirm our suspicion.

Thank you.

I'll report back on this issue as soon as I get more information as to the policy on the remote firewall.

Kind Regards,

CB

Greetings. I found out today through TAC that ASAs don't support GRE through the IPSEC tunnel.

In order to solve the need, I set up the ASA to do a 1:1 NAT from a public IP to a loopback on the remote router. I set up a similar config on a router on the other side, then created an IPsec-protected tunnel between the two routers. Same effect. I just had to burn more public IP addresses to get it done. Thanks

You can call this one solved.

Hi;

Thanks, this is good information to share with other members.

Best regards;

After researching this and doing some extensive reading, I believe that possibly the IPSEC transform set is in "Default tunnel" mode on the ASA side and not in "transport" mode, which I see seems to be necessary to transport GRE over IPsec with an ASA firewall. I'll confirm on Monday.
