
[All About Switches] A GRE Tunnel Cannot Go Up After Keepalive Detection Is Configured

Latest reply: Jun 3, 2018 14:04:57

Involved Products and Versions

S series switches running all versions



Fault Symptom

After Keepalive detection is configured on Switch_1, the protocol status of the GRE tunnel on Switch_1 goes Down, but that on Switch_2 can still go Up.

Cause Analysis

Check tunnel configurations on Switch_1 and Switch_2.

<Switch_1>display current-configuration interface Tunnel 1

interface Tunnel1
ip address
tunnel-protocol gre

<Switch_2>display current-configuration interface Tunnel 1

interface Tunnel1
ip address
tunnel-protocol gre

Check configurations of the two switches. The following uses the configuration of Switch_2 as an example.

[Switch_2]display current-configuration interface Eth-Trunk1

interface Eth-Trunk1
description TO-PC/MB-eth-trunk-3*10G
port link-type access
port default vlan 1000
traffic-policy ABC inbound
mode lacp

[Switch_2]display traffic policy user-defined

User Defined Traffic Policy Information:
Policy: ABC
Classifier: guolv
Operator: OR
Behavior: guolv
Total policy number is 1

[Switch_2]display traffic classifier user-defined

User Defined Classifier Information:
Classifier: guolv
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3001
Total classifier number is 1

[Switch_2]display acl 3001

Advanced ACL 3001, 18 rules
Acl's step is 5
rule 5 permit ip source (match-counter 0)
rule 10 permit ip source (match-counter 0)
rule 15 permit ip source (match-counter 0)
rule 20 permit ip source (match-counter 0)
rule 25 permit tcp source (match-counter 0)
rule 30 permit tcp source 0 (match-counter 0)
rule 35 permit ip source (match-counter 0)
rule 40 permit ip source (match-counter 0)
rule 45 permit ip source (match-counter 0)
rule 50 permit ip source (match-counter 0)
rule 55 permit ip source (match-counter 0)
rule 60 permit ip source (match-counter 0)
rule 65 permit ip source (match-counter 0)
rule 70 permit ip source (match-counter 0)
rule 100 permit tcp destination-port eq www (match-counter 0)
rule 10000 permit tcp tcp-flag ack (match-counter 0)
rule 10001 permit tcp tcp-flag rst (match-counter 0)
rule 4294967294 deny ip (match-counter 0)

Obtain information about packets matching ACL 3001 on Switch_2. A Keepalive packet sent by Switch_1 is as follows:


After receiving the packet, Switch_2 decapsulates it by removing the GRE header and finds that the destination IP address in the inner IP header is not its own IP address. Switch_2 then matches the packet against the traffic policy ABC. The packet matches the last rule in ACL 3001 of the traffic policy (rule 4294967294 deny ip) and is discarded. Switch_1 therefore cannot receive a Keepalive response packet, and the GRE tunnel goes Down.

Keepalive packets are not sent to the CPU, but are directly forwarded. Therefore, redirection takes effect for Keepalive packets.

Troubleshooting Procedure

Modify ACL 3001 so that the switch no longer discards Keepalive packets.

Conclusions and Suggestions

Switch_1 and Switch_2 are at the two ends of a GRE tunnel. After Keepalive is configured on Switch_1, Switch_1 sends a Keepalive packet. Switch_2 does not send the Keepalive packet from Switch_1 to its CPU, but forwards the packet directly. Switch_1 sends the packet to its CPU after receiving it. This differs from the processing of common protocol packets.

Keepalive detection takes effect unidirectionally rather than bidirectionally on a GRE tunnel.



Created Mar 13, 2018 00:50:21
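
The drop described in the cause analysis, and one possible ACL change, modeled as an added example (not from the original post or from Huawei documentation). It assumes the common GRE keepalive layout, in which the inner packet is a GRE packet addressed back to the sender; the addresses, rule number 3 and all function names are constructed for illustration, and only the ACL 3001 rules that are fully visible in the post are modeled.

```python
import struct
from ipaddress import IPv4Address

GRE, TCP = 47, 6  # IP protocol numbers
# Constructed tunnel endpoint addresses (documentation range), not from the page.
SW1, SW2 = IPv4Address("192.0.2.1"), IPv4Address("192.0.2.2")

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this model) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       255, proto, 0, src.packed, dst.packed) + payload

def keepalive(local, remote):
    """Keepalive sent by `local`: the inner IP/GRE packet is addressed back to `local`."""
    inner = ipv4(remote, local, GRE, struct.pack("!HH", 0, 0x0000))
    return ipv4(local, remote, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def decapsulate(pkt):
    """Strip the outer IPv4 and 4-byte GRE headers, as the receiving endpoint does."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE or pkt[ihl + 2:ihl + 4] != b"\x08\x00":
        raise ValueError("not GRE-encapsulated IPv4")
    return pkt[ihl + 4:]

def l4(p): return p[(p[0] & 0x0F) * 4:]  # transport-layer bytes of an IPv4 packet
# Rules of ACL 3001 that are fully visible on the page; the source-based rules
# (5-70) have elided addresses and are assumed not to match the keepalive.
ACL_3001 = [
    (100, "permit", TCP, lambda p: l4(p)[2:4] == b"\x00\x50"),  # destination-port eq www
    (10000, "permit", TCP, lambda p: l4(p)[13] & 0x10),         # tcp-flag ack
    (10001, "permit", TCP, lambda p: l4(p)[13] & 0x04),         # tcp-flag rst
    (4294967294, "deny", None, None),                           # deny ip
]
# Hypothetical rule (number 3 is an assumption): permit only the GRE packet
# that Switch_2 returns to Switch_1, nothing broader.
KEEPALIVE_RULE = (3, "permit", GRE,
                  lambda p: p[12:16] == SW2.packed and p[16:20] == SW1.packed)

def first_match(acl, pkt):
    """First-match evaluation in ascending rule-ID order; returns (rule_id, action)."""
    for rule_id, action, proto, extra in sorted(acl, key=lambda r: r[0]):
        if proto in (None, pkt[9]) and (extra is None or extra(pkt)):
            return rule_id, action
    return None, "no-match"

def verdict(acl):  # Switch_1's keepalive after Switch_2 has decapsulated it
    return first_match(acl, decapsulate(keepalive(SW1, SW2)))

if __name__ == "__main__":
    print("original:", verdict(ACL_3001), "| with rule 3:", verdict(ACL_3001 + [KEEPALIVE_RULE]))
```

On a live switch, the match-counter values shown by display acl 3001 give the same evidence: the counter of the rule that matches the inner packet increases each time a Keepalive arrives.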


MVE Created Jun 3, 2018 14:04:57

useful document, thanks

