Hello everyone,
I've been stuck with this GRE tunnel problem for a long time so I had to post it here hoping someone could help me.
The GRE tunnel on my SRX340 firewall was working properly, but it hasn't worked properly since the GRE tunnel went down due to a problem with the intermediate server.
One thing I can notice is that in the routing table, the local route generated by the GRE tunnel's creation is displayed as Reject. Normally this issue should be caused by the destination public IP of the GRE tunnel having no valid route, but actually I can ping the destination public IP successfully.
This is my interface configuration:
show configuration interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 10.111.31.147;
        destination 165.225.116.16;
    }
    family inet {
        address 172.20.172.241/30;
    }
}
unit 1 {
    tunnel {
        source 10.111.31.147;
        destination 136.226.240.24;
    }
    family inet {
        address 172.20.172.245/30;
    }
}
As you might see, my source IP is a private IP. This is because the public IP is on another device and this firewall is connected to its LAN port. The same configuration was working before, but the other side can only see the public IP of my side.
Below are my keepalive settings:
show protocols oam
gre-tunnel {
    traceoptions {
        file gre_tun.log;
        flag all;
    }
    interface gr-0/0/0.1 {
        keepalive-time 10;
        hold-time 60;
    }
    interface gr-0/0/0.0 {
        keepalive-time 10;
        hold-time 60;
    }
}
Below are the statistics for the gr interfaces. Sorry, it is very long; you can see there is only output traffic for GRE but no input.
show interfaces gr-0/0/0 extensive
Physical interface: gr-0/0/0, Enabled, Physical link is Up
Interface index: 155, SNMP ifIndex: 533, Generation: 158
Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
Link flags : Scheduler Keepalives DTE
Hold-times : Up 0 ms, Down 0 ms
Device flags : Present Running
Interface flags: Point-To-Point
Statistics last cleared: Never
Traffic statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps
Logical interface gr-0/0/0.0 (Index 91) (SNMP ifIndex 555) (Generation 162)
Flags: Up Point-To-Point SNMP-Traps 0x0
IP-Header 165.225.116.16:10.111.31.147:47:df:64:0000000000000000
Encapsulation: GRE-NULL
Copy-tos-to-outer-ip-header: Off, Copy-tos-to-outer-ip-header-transit: Off
force-control-packets-on-transit-path: Off
Gre keepalives configured: On, Gre keepalives adjacency state: down
Traffic statistics:
Input bytes : 0
Output bytes : 405280
Input packets: 0
Output packets: 5066
Local statistics:
Input bytes : 0
Output bytes : 405280
Input packets: 0
Output packets: 5066
Transit statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps
Security: Zone: untrust
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
ntp sip r2cp webapi-clear-text webapi-ssl tcp-encap sdwan-appqoe l3-ha
Flow Statistics :
Flow Input statistics :
Self packets : 0
ICMP packets : 0
VPN packets : 0
Multicast packets : 0
Bytes permitted by policy : 0
Connections established : 0
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 0
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 0
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1476
Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0,
NH drop cnt: 0
Generation: 180, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
Destination: 172.20.172.240/30, Local: 172.20.172.241,
Broadcast: 172.20.172.243, Generation: 175
Logical interface gr-0/0/0.1 (Index 92) (SNMP ifIndex 556) (Generation 163)
Flags: Up Point-To-Point SNMP-Traps 0x0
IP-Header 136.226.240.24:10.111.31.147:47:df:64:0000000000000000
Encapsulation: GRE-NULL
Copy-tos-to-outer-ip-header: Off, Copy-tos-to-outer-ip-header-transit: Off
force-control-packets-on-transit-path: Off
Gre keepalives configured: On, Gre keepalives adjacency state: down
Traffic statistics:
Input bytes : 0
Output bytes : 405280
Input packets: 0
Output packets: 5066
Local statistics:
Input bytes : 0
Output bytes : 405280
Input packets: 0
Output packets: 5066
Transit statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps
Security: Zone: untrust
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
ntp sip r2cp webapi-clear-text webapi-ssl tcp-encap sdwan-appqoe l3-ha
Flow Statistics :
Flow Input statistics :
Self packets : 0
ICMP packets : 0
VPN packets : 0
Multicast packets : 0
Bytes permitted by policy : 0
Connections established : 0
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 0
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 0
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1476
Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0,
NH drop cnt: 0
Generation: 181, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
Destination: 172.20.172.244/30, Local: 172.20.172.245,
Broadcast: 172.20.172.247, Generation: 177
Please help me out, I don't want to make this post too long but if more settings are needed I can add them later!
------------------------------
ALEX SHEN
------------------------------
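
An added example, not part of the original post: a small Python parser that reads `show interfaces gr-0/0/0 extensive` text and reports, per logical unit, the keepalive adjacency state, the first input/output packet counters and the Dest-route-down flag, then lists units that only transmit. The sample text is constructed and abbreviated in the format shown above; unit `gr-0/0/0.9` and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated in the format of the output in the post.
# gr-0/0/0.9 is a hypothetical healthy unit added for contrast.
SAMPLE = """\
Physical interface: gr-0/0/0, Enabled, Physical link is Up
Input packets: 0 0 pps
Logical interface gr-0/0/0.0 (Index 91) (SNMP ifIndex 555) (Generation 162)
Gre keepalives configured: On, Gre keepalives adjacency state: down
Traffic statistics:
Input packets: 0
Output packets: 5066
Transit statistics:
Input packets: 0 0 pps
Output packets: 0 0 pps
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
Logical interface gr-0/0/0.9 (Index 99) (SNMP ifIndex 559) (Generation 169)
Gre keepalives configured: On, Gre keepalives adjacency state: up
Traffic statistics:
Input packets: 4800
Output packets: 5066
Addresses, Flags: Is-Preferred Is-Primary
"""

UNIT = re.compile(r"^\s*Logical interface (\S+)")
KEEPALIVE = re.compile(r"adjacency state:\s*(\w+)")
PACKETS = re.compile(r"^\s*(Input|Output)\s+packets\s*:\s*(\d+)")

def parse_units(text):
    """Map each logical unit to keepalive state, packet counters and route flag."""
    units, cur = {}, None
    for line in text.splitlines():
        m = UNIT.match(line)
        if m:
            cur = units.setdefault(m.group(1), {
                "keepalive": None, "in": None, "out": None,
                "dest_route_down": False})
        elif cur is None:
            continue  # physical-interface section: not per-unit data
        elif (m := KEEPALIVE.search(line)):
            cur["keepalive"] = m.group(1)
        elif (m := PACKETS.match(line)):
            key = "in" if m.group(1) == "Input" else "out"
            if cur[key] is None:  # keep the first block (Traffic statistics)
                cur[key] = int(m.group(2))
        elif "Dest-route-down" in line:
            cur["dest_route_down"] = True
    return units

def one_way_units(units):
    """Units that have sent packets but received none."""
    return sorted(n for n, u in units.items() if u["out"] and u["in"] == 0)

if __name__ == "__main__":
    print(one_way_units(parse_units(SAMPLE)))
```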