GRE request discarded

rmv72
Level 1

I have a C1760 and a PIX501E connected with a crossover cable.

C1760 - FE0/0 - 192.168.16.4, L0 - 10.30.0.1

PIX501E - outside - 192.168.16.3, inside - 10.20.26.3, PC behind PIX - 10.20.26.4

-------------------------------------

From the PC I try to ping 10.30.0.1 and get "Request timed out".

At the C1760 I see:

*Mar 1 19:51:36.287: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4
*Mar 1 19:51:37.401: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4
*Mar 1 19:51:38.402: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4
*Mar 1 19:51:39.404: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4

And in the PIX log:

GRE request discarded from 192.168.16.4 to outside:192.168.16.3

=============================

C1760#sh crypto isakmp sa
dst             src             state       conn-id  slot
192.168.16.3    192.168.16.4    QM_IDLE           1     0

=============================

C1760#sh run
....
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key TEST address 192.168.16.3 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM esp-des esp-md5-hmac
 mode transport
!
crypto map VPN 1 ipsec-isakmp
 set peer 192.168.16.3
 set transform-set TUNNEL-TRANSFORM
 match address 100
!
!
!
!
interface Tunnel0
 ip address 10.30.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.16.3
 crypto map VPN
!
interface FastEthernet0/0
 ip address 192.168.16.4 255.255.255.0
 speed auto
!
...
ip route 0.0.0.0 0.0.0.0 192.168.16.3
ip route 10.20.26.0 255.255.255.0 Tunnel0
....
!
access-list 100 permit ip any 10.20.26.0 0.0.0.255
access-list 100 permit gre any 10.20.26.0 0.0.0.255
!

===============================================

pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst             src             state       pending  created
192.168.16.3    192.168.16.4    QM_IDLE           0        1

------------------------------------------------

pixfirewall# sh run
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 any
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 any
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
.....
ip address outside 192.168.16.3 255.255.255.0
ip address inside 10.20.26.3 255.255.255.0
........
global (outside) 1 interface
nat (inside) 0 access-list vpn_outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
.......
sysopt connection permit-ipsec
crypto ipsec transform-set MOSCOW_BRANCH esp-des esp-md5-hmac
crypto map MOSCOW 10 ipsec-isakmp
crypto map MOSCOW 10 match address outside_cryptomap_10
crypto map MOSCOW 10 set peer 192.168.16.4
crypto map MOSCOW 10 set transform-set MOSCOW_BRANCH
crypto map MOSCOW interface outside
isakmp enable outside
isakmp key ******** address 192.168.16.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
....

=============================================

Why did I receive "GRE request discarded" at the PIX? And how do I resolve it?


a.awan
Level 4

What are you trying to achieve with this configuration? You have configured a tunnel interface on the router and are trying to terminate the tunnel on the PIX. The PIX does not support GRE tunnel termination. Are you trying to set up a VPN session between the 1760 and the PIX?

I'm trying to set up a VPN session between the 1760 and the PIX.
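
The mismatch described in this reply can be checked against the posted data. The following is an added example, not part of the thread: it finds GRE tunnel interfaces in an IOS configuration that terminate on a firewall address and matches them to the PIX 710006 discard lines. The function names are this example's own, the embedded sample is constructed from lines quoted in the thread, and a tunnel with no `tunnel mode` line is treated as GRE (the IOS default).

```python
import re
from collections import Counter

# Constructed sample: excerpt of the router config and PIX log quoted in this thread.
IOS_CONFIG = """\
interface Tunnel0
 ip address 10.30.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.16.3
!
interface FastEthernet0/0
 ip address 192.168.16.4 255.255.255.0
"""
PIX_LOG = "710006: GRE request discarded from 192.168.16.4 to outside:192.168.16.3\n" * 2
LOG_RE = re.compile(r"710006: GRE request discarded from (\S+) to \w+:(\S+)")

def parse_interfaces(config):
    """Return {interface: {'ip': ..., 'tunnel source': ..., ...}}; a '!' line ends a stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"] and len(words) > 1:
            current = interfaces.setdefault(words[1], {})
        elif words[:1] == ["!"]:
            current = None
        elif current is not None and len(words) > 2:
            if words[:2] == ["ip", "address"]:
                current["ip"] = words[2]
            elif words[0] == "tunnel":
                current["tunnel " + words[1]] = words[2]
    return interfaces

def gre_tunnels_to(config, firewall_ips):
    """List (tunnel, source IP, destination) for GRE tunnels that end on a firewall address."""
    ifs = parse_interfaces(config)
    hits = []
    for name, attrs in ifs.items():
        dst = attrs.get("tunnel destination")
        # Assumption: no 'tunnel mode' line means GRE/IP, the IOS default.
        if dst in firewall_ips and attrs.get("tunnel mode", "gre") == "gre":
            src = attrs.get("tunnel source", "")
            hits.append((name, ifs.get(src, {}).get("ip", src), dst))
    return hits

def explain_discards(config, log, firewall_ips):
    """Map each discarded (src, dst) pair in the PIX log to (tunnel or None, count)."""
    tunnels = {(s, d): n for n, s, d in gre_tunnels_to(config, firewall_ips)}
    counts = Counter((m.group(1), m.group(2)) for m in LOG_RE.finditer(log))
    return {pair: (tunnels.get(pair), n) for pair, n in counts.items()}
```

Calling `explain_discards(IOS_CONFIG, PIX_LOG, {"192.168.16.3"})` ties both discard lines to `Tunnel0`; a pair mapped to `None` means the GRE traffic does not come from a tunnel interface in the supplied configuration.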

Try using a configuration similar to the one provided in the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

If it does not work for you then post your configurations here.

Same problem. Here are my configs:

======================

pixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 any
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 any
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list outside permit gre host 192.168.16.4 host 192.168.16.3
..
ip address outside 192.168.16.3 255.255.255.0
ip address inside 10.20.26.3 255.255.255.0
...
global (outside) 1 interface
nat (inside) 0 access-list vpn_outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.16.4 1
....
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set MOSCOW_BRANCH esp-des esp-md5-hmac
crypto map MOSCOW 10 ipsec-isakmp
crypto map MOSCOW 10 match address outside_cryptomap_10
crypto map MOSCOW 10 set peer 192.168.16.4
crypto map MOSCOW 10 set transform-set MOSCOW_BRANCH
crypto map MOSCOW interface outside
isakmp enable outside
isakmp key ******** address 192.168.16.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.20.26.0 255.255.255.0 inside
telnet timeout 60
console timeout 0
terminal width 80
Cryptochecksum:1940e2a5626656be553467d585212646
: end

===========================

pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst             src             state       pending  created
192.168.16.3    192.168.16.4    QM_IDLE           0        1

===========================

pixfirewall#sh log
710006: GRE request discarded from 192.168.16.4 to outside:192.168.16.3
710006: GRE request discarded from 192.168.16.4 to outside:192.168.16.3
710006: GRE request discarded from 192.168.16.4 to outside:192.168.16.3

++++++++++++++++++++++++++++++++++++++

router#sh run
....
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key TEST address 192.168.16.3 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM esp-des esp-md5-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 192.168.16.3
 set transform-set TUNNEL-TRANSFORM
 match address 100
!
!
!
!
interface Loopback1
 ip address 10.30.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.16.4 255.255.255.0
 speed auto
 crypto map VPN
!
interface Serial0/0
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.16.3
!
access-list 100 permit ip any 10.20.26.0 0.0.0.255
access-list 100 permit gre any 10.20.26.0 0.0.0.255
!

=========================

router#sh crypto isakmp sa
dst             src             state       conn-id  slot
192.168.16.3    192.168.16.4    QM_IDLE           1     0

===========================

Why are you permitting GRE in your access-list? Have you posted your complete configs or did you leave something out?

If you explain what you are trying to achieve and what is not working then it will be easier to help you out.

I posted the full config (excluding unnecessary lines like the SNMP community, etc.). I added the access-list permitting GRE after I found the messages that the GRE request was discarded.

----------------------------------------------

I have a 1760 with one FE interface and FXO interfaces. I want the phones connected to the FXO port to ring through to the CCM in the central office through a VPN channel (the FE has a public address). Now I am testing it without phones connected. I want to ping the PC which is placed behind the PIX (in the LAN).

-----------------------------------------------

I don't understand why I received that GRE request discarded. I have crypto map MOSCOW interface outside, which permitted GRE traffic from the outside peer&