GRE Tunnel on Juniper not working

  • 1.  GRE Tunnel on Juniper not working

    Posted 10-08-2013 11:57

    Hi,

    I have created a tunnel from a remote server to a server in our network and while the tunnel looks good on juniper, traffic is not flowing through.

     

    Details:

    On the remote Linux server, I created a standard GRE tunnel and routed some IPs. This tunnel works and I can see traffic coming in/passing through.

    The GRE end point for our internal server was configured on Juniper.

     

    So our server's public IP is 38.xx.xx.4 and the remote server is 94.xx.xx.10. My configuration on juniper is as follows:

     

    gr-0/0/0 {
           unit 0 {
                  description gretunnel;
                  tunnel {
                         source 38.xx.xx.4;
                         destination 94.xx.xx.10;
                  }
                  family inet {
                         filter { 
                                input tunnel-inbound;
                         }
                         address 10.0.0.5/32;
                  }
           }

    }

     

    When I do, "show interfaces gr-0/0/0.0 detail",  I get no traffic coming in:

    Traffic statistics:
    Input bytes : 0
    Output bytes : 0
    Input packets: 0
    Output packets: 0
    Local statistics:
    Input bytes : 0
    Output bytes : 0
    Input packets: 0
    Output packets: 0

     


    How can I make this work? The remote server end is configured fine. This used to work before.

     

    If I instead use our juniper (38.xx.xx.111) as the tunnel endpoint, it works:

    gr-0/0/0 {
           unit 0 {
                  description gretunnel;
                  tunnel {
                         source 38.xx.xx.111;
                         destination 94.xx.xx.10;
                  }
                  family inet {
                         filter { 
                                input tunnel-inbound;
                         }
                         address 10.0.0.5/32;
                  }
           }

    }

     

    Now "show interfaces gr-0/0/0.0 detail":

    Traffic statistics:
    Input bytes : 13200232
    Output bytes : 192
    Input packets: 235670
    Output packets: 2
    Local statistics:
    Input bytes : 80
    Output bytes : 192
    Input packets: 1
    Output packets: 2

     

    Any help you can provide will be much appreciated. I would like tunnel endpoints configured on the juniper on behalf of our servers to work.

     

     

    Thanks!:)

    CM


    #GRETunnel
    #endpoint
    #Tunnel
    #SRX650
    #routing


  • 2.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 12:44

    Do you have any active routes pointing to the gr-0/0/0.0 interface as a next-hop?



  • 3.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 12:56

    No, I do not have active routes pointing to the gr-0/0/0.0 interface as a next-hop. However, what I have is a static route that should make use of the IPs coming through the tunnel.

     

    So on the remote side, 92.x.x.0/24 is routed through the tunnel. On my juniper, after I build the tunnel, I have the following static route:

    route 92.x.x.0/24 next-hop 38.xx.xx.15;

     

    So I'm basically letting 38.xx.xx.15 use this range.

     

    But this isn't working since my tunnel on the juniper side is empty (0 traffic coming through).

     

    Thanks



  • 4.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 13:15

    Another short question.

    What is the status of the gr-0/0/0.0 interface when you have address 38.xx.xx.4 configured as a tunnel source?



  • 5.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 14:30

    It is up:

     

    Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 94.xx.xx.10:38.xx.xx.4:47:df:64:0000000000000000 Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: up
    Input packets : 0
    Output packets: 0
    Security: Zone: Null
    Protocol inet, MTU: 1476
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Primary
    Local: 10.0.0.5

     

    This state is similar to other tunnels I create. The tunnel directly to juniper looks the same way. 

     

     



  • 6.  RE: GRE Tunnel on Juniper not working

    Posted 10-14-2013 12:59

    The status is up



  • 7.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 16:35

    Wading into unfamiliar territory: I have usually seen GRE tunnels set up between the two routers that separate the networks, but I never cease learning. Let me make a suggestion for you to try.

    Do you have a static route like this already? I assume you do anyways.
    set static route 94.xx.xx.10/32 next-hop gr-0/0/0.0

    The other thing I would look at is to create a policy from your untrust zone to look for traffic destined to address 38.xx.xx.111 and TCP port 1723 and/or protocol 47, then use a Static NAT pool which translates to 38.xx.xx.4

     

    Or it could be a DNAT that uses the server's internal address DNAT pool



  • 8.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 16:55

    I will try that now and let you know.

     

    Thanks!



  • 9.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 17:25

    So when I try the first option which is to add the static route, I can now see outbound traffic but not inbound. However, I do know that the remote tunnel is working. Tcpdump is showing traffic coming through.

     

    Here is the juniper dump (show detail):

    Traffic statistics:
    Input bytes : 0
    Output bytes : 103886
    Input packets: 0
    Output packets: 484
    Local statistics:
    Input bytes : 0
    Output bytes : 0
    Input packets: 0
    Output packets: 0
    Transit statistics:
    Input bytes : 0 0 bps
    Output bytes : 103886 0 bps
    Input packets: 0 0 pps
    Output packets: 484 0 pps

     

    Thanks



  • 10.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 18:08

    Also, the gre traffic is not getting de-encapsulated, which means that it is not going through the tunnel or the tunnel is not working



  • 11.  RE: GRE Tunnel on Juniper not working

    Posted 10-08-2013 19:56

    which is what Juniper will do when you have the tunnel SA/DA the Juniper device and the route to the remote network points to the tunnel. 



  • 12.  RE: GRE Tunnel on Juniper not working

    Posted 10-10-2013 12:40

    Hi,

    I tried out the solution you supplied without any luck.  Anything else I could do to resolve this issue?

     

    Thanks



  • 13.  RE: GRE Tunnel on Juniper not working

    Posted 10-10-2013 14:47

    Hello,

    Your issue is a mistake in the configuration:

     

    gr-0/0/0 {
           unit 0 {
                  description gretunnel;
                  tunnel {
                         source 38.xx.xx.111;
                         destination 94.xx.xx.10;
                  }
                  family inet {
                         filter { 
                                input tunnel-inbound;
                         }
                         address 10.0.0.5/32;
                  }
           }
    
    }

     This /32 address won't work. What You can do is:

    - on a PTP|tunnel interface, an IPv4 address with /32 mask also requires a "destination" statement. Then You have to use this "destination" IPv4 address as next-hop for static routes pointing to the tunnel.

    - much easier solution is to configure /31 or /30 netmask on gr-0/0/0.0 interface and use remote IPv4 address as next-hop for static routes pointing to the tunnel.

    HTH

    Thanks

    Alex



  • 14.  RE: GRE Tunnel on Juniper not working

    Posted 10-10-2013 19:03

    I changed it to a /31 without any luck.  I got an error when I tried to use /30:

     

    [edit interfaces gr-0/0/0 unit 2 family inet]
    'address 10.0.0.7/30'
    Cannot assign broadcast address as ip address
    error: configuration check-out failed

     

    I was able to change it to /31 but still no traffic.

     

    Any suggestions?



  • 15.  RE: GRE Tunnel on Juniper not working

    Posted 10-10-2013 19:29

    Hello,

     Point by point:

    1/


    cornz24@yahoo.com wrote:

    I changed it to a /31 without any luck.  I got an error when I tried to use /30:

     

    [edit interfaces gr-0/0/0 unit 2 family inet]
    'address 10.0.0.7/30'
    Cannot assign broadcast address as ip address
    error: configuration check-out failed

     


    10.0.0.7 is a broadcast address on 10.0.0.4/30 subnet. Please use either 10.0.0.5 or 10.0.0.6 for gr-0/0/0.0 addressing.

    2/


    cornz24@yahoo.com wrote:

     

    I was able to change it to /31 but still no traffic.

     

    Any suggestions?



    You have to have a static route pointing either to gr-0/0/0.0 or to remote IP address on the other end of the GRE tunnel (real or implied since there is no ARP in GRE).

    What dst.IPs are there in the packets You are expecting to flow into the tunnel?

    To give You an example of how traffic can be attracted into the GRE tunnel using static routing:

    a/ suppose there is a server farm at the other end of the GRE tunnel

    b/ suppose the server farm is addressed from 203.0.113.0/24 block

    c/ suppose the gr-0/0/0.0 has an IP address 10.0.0.7/31

    d/ then, to attract traffic into GRE tunnel, use either one of below configuration commands

     

    set routing-options static route 203.0.113.0/24 next-hop gr-0/0/0.0

     or

     

    set routing-options static route 203.0.113.0/24 next-hop 10.0.0.6

     

    HTH

    Thanks

    Alex

     

     



  • 16.  RE: GRE Tunnel on Juniper not working

    Posted 10-11-2013 01:28

    Ok, here is what I have:

     

    root# show interfaces gr-0/0/0 unit 0
    description myint;
    tunnel {
        source 216.xx.xx.4;
        destination 208.xx.xx.4;
    }
    family inet {
        filter {
            input tunnel-inbound;
        }
        address 10.0.0.6/30;
    }

     

     

    root> show interfaces gr-0/0/0.0
    Logical interface gr-0/0/0.0 (Index 98) (SNMP ifIndex 630)
    Description: myint
    Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 208.xx.xx.4:216.xx.xx.4:47:df:64:0000000000000000 Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: up
    Input packets : 0
    Output packets: 0
    Security: Zone: Null
    Protocol inet, MTU: 1476
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 10.0.0.4/30, Local: 10.0.0.6, Broadcast: 10.0.0.7

     

    Traffic-wise, it is still blank as can be seen above. The remote server assigns the peer, 10.0.0.101, to its tunnel. Also, the tunnel is only inbound. No outbound traffic through the tunnel. Will that help or assist in allowing traffic through unit 0?

     

    Thanks

     



  • 17.  RE: GRE Tunnel on Juniper not working

    Posted 10-11-2013 04:32

    Hello,

    Glad to see You are making progress.

     


    cornz24@yahoo.com wrote:

    Traffic-wise, it is still blank as can be seen above. The remote server assigns the peer, 10.0.0.101, to its tunnel.

     


    Would You please be able to clarify this phrase?

    Does it mean one of the below:

     

    1/ the remote server expects traffic to arrive with src.ip == 10.0.0.101

    2/ the remote server sends the traffic into the tunnel with src.ip == 10.0.0.101 and expects the return traffic to arrive with dst.ip == 10.0.0.101

    3/ the remote server expects DHCP transaction to occur via this tunnel and is ready to assign 10.0.0.101 address to whoever initiates DHCP Discovery via this tunnel?

    4/ something else not covered in (1)...(3) above?

     

    Putting as much detail as You can share into Your posts will help to progress Your case.

    HTH

    Thanks

    Alex



  • 18.  RE: GRE Tunnel on Juniper not working

    Posted 10-11-2013 13:25

    From the remote side, I created a gre tunnel. This tunnel is tunneling a /24 range to our network. Whenever IPs  are added to the tunnel on the remote side, a peer ip of 10.0.0.101 appears:

     

    ip addr add 10.0.0.101 peer 76.xx.xx.1 dev mygretun

    ip addr add 10.0.0.101 peer 76.xx.xx.2 dev  mygretun

    ...

    ... and so on.

     

    Now ip addr will look like this

     

    inet 10.0.0.101 peer 76.xx.xx.1/32 scope global mygretun

    inet 10.0.0.101 peer 76.xx.xx.1/32 scope global mygretun

     

    And tcpdump on "mygretun" will show traffic going through. Anyone pinging 76.xx.xx.0/24 will be visible in the tunnel and the tcpdump. This has worked flawlessly in the past and still works server-server.

     

    Now, could 10.0.0.101 be a conflicting subnet issue with 10.0.0.6? Any ideas?

     

    Thanks



  • 19.  RE: GRE Tunnel on Juniper not working

    Posted 10-12-2013 07:25

    Hello,

    Excuse my ignorance for not being familiar with your server's CLI, but I'd like to ask some silly questions please:

     

    1/ where exactly is the IP address 76.xx.xx.1 located? (a) on the server, (b) on the JNPR router, (c) a few hops from server but within Your network, (d) outside of Your network - on the internet?

    2/


    cornz24@yahoo.com wrote:
    Anyone pinging 76.xx.xx.0/24 will be visible in the tunnel and the tcpdump.


    Where is the ping going FROM? (a) from the server (b) from the JNPR router, (c) from somewhere else within Your network (d) from outside of Your network?

    Sharing as much information as You can will help us to progress Your case.

    HTH

    Thanks
    Alex

     



  • 20.  RE: GRE Tunnel on Juniper not working

    Posted 10-13-2013 17:27

    Hi,

    My configuration is attached. The management ip range is 208.34.20.0/24 (changed from the actual one). So please ignore 76.xx.xx.0/24.

     

    The section I'm having problems with is gr-0/0/0. When I create a tunnel from a remote server to the juniper, it works. However, when I create a tunnel from the remote server to a server in my network, it does not work. This server (the server on my network) has a public IP. All tunnel configurations are done on the juniper.

     

    Thanks

    Attachment(s)

    txt
    _juniper.txt   31 KB 1 version


  • 21.  RE: GRE Tunnel on Juniper not working

    Posted 10-11-2013 07:52

    What zone is the gr-0/0/0 interface in? The null zone indicates that the interface was created but not placed in a zone. Null zone will not carry any traffic. If you have not placed it in a zone, then please do so. At the top of the forum page is a welcome article which suggests that users post configurations when asking for help. Most times it is a configuration error that causes issues, and without the configurations, we sometimes go off into long unnecessary guessing and suggestions that could have been avoided.

     

    root> show interfaces gr-0/0/0.0
    Logical interface gr-0/0/0.0 (Index 98) (SNMP ifIndex 630)
    Description: myint
    Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 208.xx.xx.4:216.xx.xx.4:47:df:64:0000000000000000 Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: up
    Input packets : 0
    Output packets: 0
    Security: Zone: Null
    Protocol inet, MTU: 1476
    Flags: Sendbcast-pkt-to-re



  • 22.  RE: GRE Tunnel on Juniper not working

    Posted 10-11-2013 13:06

    I have not setup a security zone. Let me do that now and get back to you.

     

    Thanks



  • 23.  RE: GRE Tunnel on Juniper not working

    Posted 10-11-2013 17:19

    My configuration is rather huge :). Please let me know which section you would like to see and I will dump it.

     

    Thanks



  • 24.  RE: GRE Tunnel on Juniper not working

    Posted 10-11-2013 19:18

    #show security

     

    You can always use a variable to change your internal IP address.

     

    All interfaces by default will be in the Null zone and will not pass any traffic. You have to place them in the relevant zones you will create, create policies to allow traffic within the zone and between zones as required.
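
The zone placement and policy step described in the replies above, as an added example that is not part of the original thread or the poster's configuration. The zone names `gre-tunnel` and `trust`, the address name `tunnelled-range`, the policy name `gre-to-servers` and the prefix 198.51.100.0/24 are assumptions chosen for illustration.

```junos
# Added example. Assumed names: zones "gre-tunnel" and "trust",
# address "tunnelled-range", policy "gre-to-servers".
# 198.51.100.0/24 is a constructed placeholder for the prefix
# that the remote end routes through the tunnel.

# 1. Move gr-0/0/0.0 out of the Null zone by binding it to a dedicated zone.
set security zones security-zone gre-tunnel interfaces gr-0/0/0.0

# 2. Allow only ping to the tunnel address itself, for reachability tests.
#    No other host-inbound services are opened on the tunnel interface.
set security zones security-zone gre-tunnel host-inbound-traffic system-services ping

# 3. Name the tunnelled prefix so the policy can match on it.
set security address-book global address tunnelled-range 198.51.100.0/24

# 4. Permit decapsulated traffic from the tunnel zone to the server zone,
#    limited to the tunnelled prefix, and log new sessions.
set security policies from-zone gre-tunnel to-zone trust policy gre-to-servers match source-address any
set security policies from-zone gre-tunnel to-zone trust policy gre-to-servers match destination-address tunnelled-range
set security policies from-zone gre-tunnel to-zone trust policy gre-to-servers match application any
set security policies from-zone gre-tunnel to-zone trust policy gre-to-servers then permit
set security policies from-zone gre-tunnel to-zone trust policy gre-to-servers then log session-init

# 5. After commit, check from operational mode:
#      show interfaces gr-0/0/0.0
#        the "Security: Zone:" line should show gre-tunnel, not Null
#      show security policies from-zone gre-tunnel to-zone trust
```

Keeping the tunnel in its own zone, rather than adding it to an existing one, means the traffic arriving over GRE is only allowed where a policy explicitly names it.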