[All About Switches] A GRE Tunnel Cannot Go Up After Keepalive Detection Is Configured

Latest reply: Jun 3, 2018 14:04:57

Involved Products and Versions

S series switches running all versions

Networking

20180312191748323001.png

Fault Symptom

After Keepalive detection is configured on Switch_1, the GRE tunnel protocol status on Switch_1 goes Down, but that on Switch_2 can still go Up.

Cause Analysis

Check tunnel configurations on Switch_1 and Switch_2.

<Switch_1>display current-configuration interface Tunnel 1

#
interface Tunnel1
ip address 192.168.230.1 255.255.255.252
tunnel-protocol gre
keepalive
source 183.203.53.12
destination 183.203.48.197
#

<Switch_2>display current-configuration interface Tunnel 1

#
interface Tunnel1
ip address 192.168.230.2 255.255.255.252
tunnel-protocol gre
source 183.203.48.197
destination 183.203.53.12
#

Check the interface and traffic policy configurations of the two switches. The following uses the configuration of Switch_2 as an example.

[Switch_2]display current-configuration interface Eth-Trunk1

#
interface Eth-Trunk1
description TO-PC/MB-eth-trunk-3*10G
port link-type access
port default vlan 1000
traffic-policy ABC inbound
mode lacp
#

[Switch_2]display traffic policy user-defined

User Defined Traffic Policy Information:
Policy: ABC
Classifier: guolv
Operator: OR
Behavior: guolv
Permit
Total policy number is 1

[Switch_2]display traffic classifier user-defined

User Defined Classifier Information:
Classifier: guolv
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3001
Total classifier number is 1

[Switch_2]display acl 3001

Advanced ACL 3001, 18 rules
Acl's step is 5
rule 5 permit ip source 183.203.46.0 0.0.0.255 (match-counter 0)
rule 10 permit ip source 183.203.47.0 0.0.0.128 (match-counter 0)
rule 15 permit ip source 183.203.48.0 0.0.0.64 (match-counter 0)
rule 20 permit ip source 183.203.49.0 0.0.0.32 (match-counter 0)
rule 25 permit tcp source 183.203.52.0 0.0.0.255 (match-counter 0)
rule 30 permit tcp source 221.131.53.2 0 (match-counter 0)
rule 35 permit ip source 10.231.140.0 0.0.0.255 (match-counter 0)
rule 40 permit ip source 10.231.138.0 0.0.0.255 (match-counter 0)
rule 45 permit ip source 10.231.137.0 0.0.0.255 (match-counter 0)
rule 50 permit ip source 10.231.136.0 0.0.0.255 (match-counter 0)
rule 55 permit ip source 10.231.141.0 0.0.0.255 (match-counter 0)
rule 60 permit ip source 10.231.142.0 0.0.0.255 (match-counter 0)
rule 65 permit ip source 10.231.143.0 0.0.0.255 (match-counter 0)
rule 70 permit ip source 10.231.144.0 0.0.0.255 (match-counter 0)
rule 100 permit tcp destination-port eq www (match-counter 0)
rule 10000 permit tcp tcp-flag ack (match-counter 0)
rule 10001 permit tcp tcp-flag rst (match-counter 0)
rule 4294967294 deny ip (match-counter 0)

Obtain information about packets matching ACL 3001 on Switch_2. A Keepalive packet sent by Switch_1 is as follows:

20180312191749659002.png

After receiving the packet, Switch_2 first decapsulates it by removing the GRE header, and detects that the destination IP address in the inner IP header is not its own IP address. Switch_2 then matches the packet against the traffic policy ABC. The packet matches the last rule in ACL 3001 of the traffic policy (rule 4294967294 deny ip) and is discarded. Switch_1 therefore cannot receive a Keepalive response packet, and the GRE tunnel goes Down.

Keepalive packets are not sent to the CPU, but are directly forwarded. Therefore, redirection takes effect for Keepalive packets.

Troubleshooting Procedure

Modify ACL 3001 so that the switch no longer discards Keepalive packets.
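The following is an added example, not part of the original post or of Huawei's software: a small first-match evaluator for the ACL 3001 rules shown above, run against the decapsulated Keepalive packet before and after a permit rule is added. The inner packet layout (protocol GRE, source = Switch_2's tunnel address, destination = Switch_1's tunnel address) and the fix rule 75 are assumptions made for illustration.

```python
import re
from ipaddress import IPv4Address

ACL_3001 = """\
rule 5 permit ip source 183.203.46.0 0.0.0.255
rule 10 permit ip source 183.203.47.0 0.0.0.128
rule 15 permit ip source 183.203.48.0 0.0.0.64
rule 20 permit ip source 183.203.49.0 0.0.0.32
rule 25 permit tcp source 183.203.52.0 0.0.0.255
rule 30 permit tcp source 221.131.53.2 0
rule 35 permit ip source 10.231.140.0 0.0.0.255
rule 40 permit ip source 10.231.138.0 0.0.0.255
rule 45 permit ip source 10.231.137.0 0.0.0.255
rule 50 permit ip source 10.231.136.0 0.0.0.255
rule 55 permit ip source 10.231.141.0 0.0.0.255
rule 60 permit ip source 10.231.142.0 0.0.0.255
rule 65 permit ip source 10.231.143.0 0.0.0.255
rule 70 permit ip source 10.231.144.0 0.0.0.255
rule 100 permit tcp destination-port eq www
rule 10000 permit tcp tcp-flag ack
rule 10001 permit tcp tcp-flag rst
rule 4294967294 deny ip
"""  # rules as printed by "display acl 3001" on this page, match counters omitted
# Constructed inner packet of Switch_1's Keepalive after decapsulation (assumed layout).
KEEPALIVE = {"proto": "gre", "src": "183.203.48.197", "dst": "183.203.53.12"}
FIX = "rule 75 permit gre source 183.203.48.197 0 destination 183.203.53.12 0\n"  # hypothetical
RULE = re.compile(r"rule (\d+) (\w+) (\w+)(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?"
                  r"(?: destination-port eq (\w+))?(?: tcp-flag (\w+))?")

def mask(addr, wild):  # missing clause -> all-ones wildcard; a host wildcard is shown as "0"
    wild = {None: "255.255.255.255", "0": "0.0.0.0"}.get(wild, wild)
    return int(IPv4Address(addr or "0.0.0.0")), int(IPv4Address(wild))

def parse_rule(line):
    rid, action, proto, s, sw, d, dw, port, flag = RULE.match(line).groups()
    return dict(id=int(rid), action=action, proto=proto, src=mask(s, sw), dst=mask(d, dw),
                dport=80 if port == "www" else None, flag=flag)  # only "eq www" occurs here

def matches(r, pkt):  # wildcard bits set to 1 are "don't care"
    addr_ok = all(not (int(IPv4Address(pkt[k])) ^ r[k][0]) & ~r[k][1] & 0xFFFFFFFF
                  for k in ("src", "dst"))
    return (r["proto"] in ("ip", pkt["proto"]) and addr_ok
            and r["dport"] in (None, pkt.get("dport"))
            and (r["flag"] is None or r["flag"] in pkt.get("flags", ())))

def evaluate(acl_text, pkt):  # first match wins, rules tried in ascending rule-id order
    rules = sorted(map(parse_rule, acl_text.strip().splitlines()), key=lambda r: r["id"])
    return next(((r["id"], r["action"]) for r in rules if matches(r, pkt)), (None, "no-match"))
print(evaluate(ACL_3001, KEEPALIVE), evaluate(ACL_3001 + FIX, KEEPALIVE))
```

After such a change, the match-counter of the new rule in `display acl 3001` should increase while Keepalive packets are being exchanged.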

Conclusions and Suggestions

Switch_1 and Switch_2 are at the two ends of a GRE tunnel. After Keepalive is configured on Switch_1, Switch_1 sends a Keepalive packet. Switch_2 does not send the Keepalive packet from Switch_1 to the CPU, but directly forwards the packet. Switch_1 then sends the packet to the CPU after receiving it, which differs from the processing of common protocol packets.

Keepalive detection takes effect unidirectionally rather than bidirectionally on a GRE tunnel.

 


WoodWood
Created Mar 13, 2018 00:50:21

good

wissal
MVE Created Jun 3, 2018 14:04:57

useful document, thanks