[j-nsp] GRE tunnel - inbound traffic drops

Volker D. Pallas juniper-nsp at sqmail.de
Sun May 23 11:56:38 EDT 2010


Hi,

I'm trying to set up a simple gre-tunnel from an SRX-100 running JUNOS 
10.1R2.8 to a remote linux host.
I verified using tcpdump on both sides:
- pings from linux to junos get sent but are never received (no sign of 
  them in tcpdump of pp0.0/gre.0)
- pings from junos to linux arrive (also visible in tcpdump of pp0.0) and 
  are replied to, but the reply does not reach junos

This sounds like a problem with security zones or policies, but I have 
tried about *everything* and it never worked - not even with extreme 
measures. Temporarily allowed all inbound traffic for pp0.0, put all 
involved interfaces into the 'trust'-zone and so on.

This is my basic tunnel-config:
# set interfaces gre unit 0 tunnel source 87.79.237.76
# set interfaces gre unit 0 tunnel destination 80.237.249.84
# set interfaces gre unit 0 family inet6 address 2a01:488:1000:1001:0:50ed:c910:aa01/127
# set security zones security-zone untrust interfaces gre.0 host-inbound-traffic system-services ping

I already switched to ipv4 which was also not working, so I can rule out 
that this has something to do with ipv6.

A trace on 'security' also showed the following, which I don't really like:
May 23 15:58:32 15:58:31.1697039:CID-0:RT:pak_for_self: No handler function found for proto:47, dst-port:2048, drop pkt

There is a second tunnel configured on that linux box to a remote cisco 
device ("same" config) and this is working properly.

I would appreciate any help,
thanks in advance,
Volker

