[c-nsp] GRE tunnel (inside ICMP fails after two pings) - Wits End
David Deutsch
2018-08-23 23:09:03 UTC
Hoping the list can help with this one.

I have a basic GRE tunnel between my Cisco ASR1006 and a Linux box.

On the Cisco side:

interface Tunnel100
description Tun 100 - BPT
ip address 172.16.100.1 255.255.255.0
tunnel source x.x.136.1
tunnel destination x.x.x.234

I have several of these basic GRE tunnels from this router, however this is
the only one giving me problems.

The tunnel source is my loopback, I can ping the local 172.168.100.1,
however when I try to ping the other inside:

#ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!...
Success rate is 40 percent (2/5), round-trip min/avg/max = 97/105/113 ms

It always dies after two pings, every time. Additionally, pinging from the
other side has the exact same results:

ping 172.16.100.1
PING 172.16.100.1 (172.16.100.1): 56 data bytes
64 bytes from 172.16.100.1: seq=0 ttl=255 time=83.430 ms
64 bytes from 172.16.100.1: seq=1 ttl=255 time=88.326 ms
... then nothing.

I've gone as far as to completely rebuild the Linux side with no luck and
I'm starting to feel that I've missed something basic on the Cisco side,
except I've used these tunnels for years.

Any advice/ideas?

Thanks,
David
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
James Bensley
2018-08-24 07:50:12 UTC
Have you run a packet capture on your Linux box to see if the Linux box is sending more than two echo requests / that it is receiving more than two echo requests from the router?

Have you run an embedded packet capture on the ASR1k to see what it sends / receives?

What do you see in your interface counters on the GRE tunnel on each box and physical interface on each box? Any drops or errors, do packets come into physical interface but not tunnel interface?

Have you tried applying an ACL on the ASR1K to match and log these packets?

You need to provide some basic debugging info other than "it's configured but doesn't work".

Cheers,
James.
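The capture check James Bensley suggests, as an added example that is not part of the thread: a Python tally of GRE-encapsulated ICMP echo requests and replies by direction, run over raw IPv4 packets. The outer addresses, the helper names and the sample capture are constructed for illustration; only the inner 172.16.100.x addresses come from the original post.

```python
import socket
import struct

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left 0; fine for offline parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

def gre_payload(gre):
    """Skip the GRE header, honouring optional checksum/key/sequence fields."""
    flags, ptype = struct.unpack("!HH", gre[:4])
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return ptype, gre[off:]

def tally_echo(packets, local_outer):
    """Sort tunnelled ICMP echo sequence numbers by type and direction."""
    out = {"req_sent": [], "req_rcvd": [], "rep_sent": [], "rep_rcvd": []}
    for pkt in packets:
        src, _, proto, body = parse_ipv4(pkt)
        if proto != 47:                      # outer packet is not GRE
            continue
        ptype, inner = gre_payload(body)
        if ptype != 0x0800:                  # GRE payload is not IPv4
            continue
        _, _, iproto, icmp = parse_ipv4(inner)
        if iproto != 1 or len(icmp) < 8 or icmp[0] not in (0, 8):
            continue
        kind = "req" if icmp[0] == 8 else "rep"
        way = "sent" if src == local_outer else "rcvd"
        out[f"{kind}_{way}"].append(struct.unpack("!H", icmp[6:8])[0])
    return out

# Constructed capture as seen on the Linux box; outer addresses are placeholders.
ROUTER, LINUX = "192.0.2.1", "198.51.100.234"
def echo(outer_src, outer_dst, in_src, in_dst, icmp_type, seq):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq)
    gre = struct.pack("!HH", 0, 0x0800) + ipv4(in_src, in_dst, 1, icmp)
    return ipv4(outer_src, outer_dst, 47, gre)

SAMPLE = [echo(LINUX, ROUTER, "172.16.100.2", "172.16.100.1", 8, s) for s in range(5)]
SAMPLE += [echo(ROUTER, LINUX, "172.16.100.1", "172.16.100.2", 0, s) for s in range(2)]
print(tally_echo(SAMPLE, LINUX))
```

In this constructed capture the Linux box sends requests 0 to 4 but only replies 0 and 1 come back, which would place the loss on the return path or at the router; running the same tally on a router-side capture narrows it further.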
Chris Jones
2018-08-28 09:37:34 UTC
Try turning off keepalive on the Cisco side ("no keepalive"). I've seen issues with GRE tunnels to non-Cisco boxen with that enabled (even when the other side supposedly supports it).

Chris