Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
555
Views
0
Helpful
2
Replies

Cisco 7200 and blocked client initiated (MS) VPN

paul.webster
Level 1
Level 1

‎10-28-2001 01:46 AM - edited ‎02-21-2020 11:28 AM

My service provider has recently made some configuration changes within their network [to change route from them to backbone network] - following this ... my WinNT desktop to corporate VPN is failing.

I have traced frames at my end - and I can see that the first steps to the connection are made ... but the first back with GRE is returned almost immediately (ICMP destination unreachable). I guess that this is because GRE (protocol 47) is not enabled to pass through.

Given that this worked one week ago ... can someone tell me the commands I should ask the netowrk operator to run on their 7200 to determine if GRE is being blocked (I have scoured the web and guess that it is to do with Access Lists - but I have no access to CISCO documentation).

Is GRE blocked by default?

Is it possible that the old Access List enabled GRE to old network provider link and now that they have chage network provider ... they have lost the Permit GRE to the ISP address.

[the ICMP comes back in 0.0026 seconds - which is same time as PING to the 7200 and too fast for response from next downstream router at backbone ISP (0.005)

Paul Webster

Labels:
0 Helpful
2 Replies 2

swadwani
Level 1
Level 1

‎11-01-2001 04:03 PM

Try and have your SP do these.

sh interfaces tunnel (number of tunnel that the "tunnel mode gre ip" is configured)

check to see if the tunnel is not shutdown.

check to see if tunnel protocol gre/ip is up

Have them (your SP) try and ping the GRE tunnel endpoint (router within your

Corporate N/W)

Sunil Wadwani

Cisco TME

0 Helpful

paul.webster
Level 1
Level 1
In response to swadwani

‎11-07-2001 11:16 AM

The SP can ping my end point - a W2K server [I can ping and tracert through the 7200 to that end-point without problem].

A question though ... [SP not very responsive] ... I may have misunderstood, but is using Tunnel making a specific route available for this traffic rather than a generic config that allows GRE to get through? [this was working previously when my SP did not know my end-point details and would not have set up a specific targetted end-point]

Is it possible that the 7200 decides not to push the GRE through because it knows that my source address is NAT'd?

Paul

0 Helpful
Customers Also Viewed These Support Documents