[j-nsp] GRE tunnel - inbound traffic drops
Volker D. Pallas
juniper-nsp at sqmail.de
Sun May 23 11:56:38 EDT 2010
Hi,
i'm trying to set up a simple gre-tunnel from an SRX-100 running JUNOS
10.1R2.8 to a remote linux host.
I verified using tcpdump on both sides:
-pings from linux to junos get sent but are never received.(no sign of
them in tcpdump of pp0.0/gre.0)
-pings from junos to linux arrive (also visible in tcpdump of pp0.0) and
are replied to, but the reply does not reach junos
This sounds like a problem with security zones or policies, but I have
tried about *everything* and it never worked - not even with extreme
measures. Temporarily allowed all inbound traffic for pp0.0, put all
involved interfaces into the 'trust'-zone and so on.
this is my basic tunnel-config:
# set interfaces gre unit 0 tunnel source 87.79.237.76
# set interfaces gre unit 0 tunnel destination 80.237.249.84
# set interfaces gre unit 0 family inet6 address
2a01:488:1000:1001:0:50ed:c910:aa01/127
# set security zones security-zone untrust interfaces gre.0
host-inbound-traffic system-services ping
I already switched to ipv4 which was also not working, so i can rule out
that this has something to do with ipv6.
A trace on 'security' also showed the following, which I don't really like:
May 23 15:58:32 15:58:31.1697039:CID-0:RT:pak_for_self: No handler
function found for proto:47, dst-port:2048, drop pkt
There is a second tunnel configured on that linux box to a remote cisco
device ("same" config) and this is working properly.
I would appreciate any help,
thanks in advance,
Volker
More information about the juniper-nsp
mailing list