[j-nsp] GRE Tunnel - No Transit Traffic

Jonathan Looney jonlooney at gmail.com
Wed Sep 6 14:51:45 EDT 2006


On 9/6/06, Mellott, Eric <mellotte at netcsc.com> wrote:
> Having problems with a couple M10i's running 7.3R3.6 with tunnel
> pics...I have configured GRE tunnels between the routers and am able to
> get routing protocols to work over the tunnels.  However, I am not able
> to get transit traffic to traverse the tunnels in either direction.  The
> routes to the remote network are via the tunnel, but can't get the
> traffic to go.  When monitoring both routers' interface statistics, I
> can see input and output packets increase along with remote output
> packets; however, I can never see remote input packets increase from
> either end.  Could there be a compatibility issue with the tunnel pic
> and the version of code I am running?  Anybody see this symptom before?

Folks,

I worked with Eric to solve this problem off-list, but I wanted to
summarize the resolution back to the list.  The problem in this case
was that the outbound packets were being blocked by the input filters
on the output interface.

When packets are sent to the tunnel or AS PIC for encapsulation and
the tunnel or AS PIC encapsulates the packet, it needs to send the new
(now GRE) packet back to the PFE for processing.  When it sends this
outbound packet to the PFE for processing, it sets the input interface
to be the next-hop outbound interface.  This means that the packet is
processed through all the input filters, input service-sets, etc.
applied to the output interface.  Therefore, the *outbound* traffic
needs to be permitted through the *input* filters on the outbound
interface.

For example, assume the following partial config:

interfaces {
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 1.1.1.1;
                destination 2.2.2.2;
            }
        }
    }
    fe-1/0/0 {
        unit 0 {
            family inet {
                filter {
                    input inputfilter;
                }
            }
        }
    }
}


Assume that a route lookup on 2.2.2.2 (the tunnel destination) shows a
next-hop of fe-1/0/0.0.

The firewall filter "inputfilter" needs to allow GRE packets from
1.1.1.1 to 2.2.2.2 (i.e. it needs to allow the outbound packets).

-Jon
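As an added illustration (not part of Jon's mail or Eric's configuration), here is what the "inputfilter" from the example above could look like so that the locally generated GRE packets survive the input filter of fe-1/0/0; the term names, the counter names and the placeholder final term are assumptions. It also goes one step beyond the mail and admits the return direction (GRE from 2.2.2.2 to 1.1.1.1), which arrives on the same interface and is evaluated by the same input filter.

```junos
firewall {
    family inet {
        filter inputfilter {
            /* Outbound tunnel packets: after encapsulation the tunnel/AS PIC
               hands them back to the PFE with the input interface set to the
               next-hop outbound interface (fe-1/0/0.0), so they hit this
               *input* filter.  Term and counter names are assumed. */
            term allow-gre-out {
                from {
                    source-address {
                        1.1.1.1/32;
                    }
                    destination-address {
                        2.2.2.2/32;
                    }
                    protocol gre;
                }
                then {
                    count gre-out;
                    accept;
                }
            }
            /* Return direction: GRE from the remote tunnel endpoint really
               does arrive on fe-1/0/0 and must pass the same filter. */
            term allow-gre-in {
                from {
                    source-address {
                        2.2.2.2/32;
                    }
                    destination-address {
                        1.1.1.1/32;
                    }
                    protocol gre;
                }
                then {
                    count gre-in;
                    accept;
                }
            }
            /* Whatever policy the filter enforced before; placeholder only. */
            term existing-policy {
                then accept;
            }
        }
    }
}
```

With the counters in place, `show firewall filter inputfilter` lets you confirm that gre-out increments when transit traffic is pushed into the tunnel, which is exactly the packet that was silently dropped before.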

