[j-nsp] GRE tunnel - inbound traffic drops

Volker D. Pallas juniper-nsp at sqmail.de
Sat May 29 05:40:54 EDT 2010


To provide my solution in case someone finds this thread:

-I changed the tunnel to ip-0/0/0[.2] using the same config
-changed the Linux end to:
 > ip tunnel add tun-nc mode sit remote 87.79.237.76 local 80.237.249.84 ttl 255
 > ip addr add 2a01:488:1000:1001:0:50ed:c910:aa00/127 dev tun-nc
 > ip link set tun-nc up multicast on

The tunnel now works fine and both ends are OSPFv3 neighbors.

Thank you,
Volker


On 05/23/2010 05:56 PM, Volker D. Pallas wrote:
> Hi,
>
> I'm trying to set up a simple GRE tunnel from an SRX-100 running JUNOS
> 10.1R2.8 to a remote Linux host.
> I verified using tcpdump on both sides:
> -pings from Linux to JUNOS get sent but are never received (no sign of
> them in tcpdump of pp0.0/gre.0)
> -pings from JUNOS to Linux arrive (also visible in tcpdump of pp0.0) and
> are replied to, but the reply does not reach JUNOS
>
> This sounds like a problem with security zones or policies, but I have
> tried about *everything* and it never worked - not even with extreme
> measures. Temporarily allowed all inbound traffic for pp0.0, put all
> involved interfaces into the 'trust'-zone and so on.
>
> This is my basic tunnel config:
> # set interfaces gre unit 0 tunnel source 87.79.237.76
> # set interfaces gre unit 0 tunnel destination 80.237.249.84
> # set interfaces gre unit 0 family inet6 address
> 2a01:488:1000:1001:0:50ed:c910:aa01/127
> # set security zones security-zone untrust interfaces gre.0
> host-inbound-traffic system-services ping
>
> I already switched to IPv4, which was also not working, so I can rule out
> that this has something to do with IPv6.
>
> A trace on 'security' also showed the following, which I don't really like:
> May 23 15:58:32 15:58:31.1697039:CID-0:RT:pak_for_self: No handler
> function found for proto:47, dst-port:2048, drop pkt
>
> There is a second tunnel configured on that Linux box to a remote Cisco
> device ("same" config) and this is working properly.
>
> I would appreciate any help,
> thanks in advance,
> Volker
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
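An added example, not code from the thread: a small POSIX sh script that generates the Linux (iproute2) side and the matching Junos commands for this tunnel from one set of parameters, so the outer encapsulation agrees at both ends, and prints the tcpdump filter for checking it. It uses the thread's endpoint addresses, interface name, /127 and unit number; the helper names, the `gr-0/0/0` pairing for GRE and the extra `host-inbound-traffic protocols ospf3` line are this example's own assumptions. Two points it encodes: Linux `sit` is IPv6-in-IPv4 (IP protocol 41), which is what a Junos `ip-x/x/x` unit with `family inet6` terminates, while GRE is protocol 47, which only a `gr-x/x/x` unit terminates (on Junos the bare `gre` and `ipip` interfaces are internal, not user-configurable tunnels); and an SRX only accepts traffic to itself on a tunnel interface for the services and protocols listed under `host-inbound-traffic`, so an OSPFv3 adjacency needs `protocols ospf3` there, not just `ping`.

```shell
#!/bin/sh
# Added example (not from the thread): generate both ends of the tunnel from
# shared parameters and print a capture filter for the outer packets.
# Addresses, device name and unit number are the thread's; helper names are
# this script's own assumptions.

REMOTE=87.79.237.76                            # SRX side (tunnel source on Junos)
LOCAL=80.237.249.84                            # Linux side
DEV=tun-nc
LOCAL6=2a01:488:1000:1001:0:50ed:c910:aa00     # Linux inner address
PEER6=2a01:488:1000:1001:0:50ed:c910:aa01      # Junos inner address
PLEN=127
UNIT=2

# Outer IP protocol number carried by each Linux tunnel mode. Both ends must
# terminate the same one; a peer that sends protocol 47 to a box configured
# only for 41 (or vice versa) gets its packets dropped at the receiver.
tunnel_proto() {
    case "$1" in
        gre)  echo 47 ;;
        sit)  echo 41 ;;   # IPv6-in-IPv4
        ipip) echo 4  ;;   # IPv4-in-IPv4
        *)    return 1 ;;
    esac
}

# Junos user-configurable tunnel interface that terminates the same protocol.
# The bare "gre" and "ipip" interfaces on Junos are internal, so they are never
# returned here. Slot/port 0/0/0 is an assumption for an SRX-100.
junos_ifd() {
    case "$1" in
        gre)      echo gr-0/0/0 ;;
        sit|ipip) echo ip-0/0/0 ;;
        *)        return 1 ;;
    esac
}

# iproute2 commands for the Linux end (printed, not run, so they can be
# reviewed and so this script works without root).
linux_cmds() {
    mode=$1
    printf 'ip tunnel add %s mode %s remote %s local %s ttl 255\n' "$DEV" "$mode" "$REMOTE" "$LOCAL"
    printf 'ip addr add %s/%s dev %s\n' "$LOCAL6" "$PLEN" "$DEV"
    printf 'ip link set %s up multicast on\n' "$DEV"   # OSPFv3 hellos go to ff02::5
}

# Junos set commands for the SRX end. The ospf3 host-inbound line is an
# addition; without it the SRX drops OSPFv3 hellos addressed to itself.
junos_cmds() {
    ifd=$(junos_ifd "$1") || return 1
    printf 'set interfaces %s unit %s tunnel source %s\n' "$ifd" "$UNIT" "$REMOTE"
    printf 'set interfaces %s unit %s tunnel destination %s\n' "$ifd" "$UNIT" "$LOCAL"
    printf 'set interfaces %s unit %s family inet6 address %s/%s\n' "$ifd" "$UNIT" "$PEER6" "$PLEN"
    printf 'set security zones security-zone untrust interfaces %s.%s host-inbound-traffic system-services ping\n' "$ifd" "$UNIT"
    printf 'set security zones security-zone untrust interfaces %s.%s host-inbound-traffic protocols ospf3\n' "$ifd" "$UNIT"
}

# tcpdump filter that shows only this tunnel's outer packets, the way the
# thread verified traffic on each side.
capture_filter() {
    proto=$(tunnel_proto "$1") || return 1
    printf 'ip proto %s and host %s and host %s' "$proto" "$REMOTE" "$LOCAL"
}

# Usage: ./tun.sh show [mode]   prints both ends plus the capture command
#        ./tun.sh apply [mode]  runs the Linux commands (needs root)
case "${1:-show}" in
    show)  linux_cmds "${2:-sit}"; junos_cmds "${2:-sit}"
           echo "tcpdump -ni any '$(capture_filter "${2:-sit}")'" ;;
    apply) linux_cmds "${2:-sit}" | while read -r cmd; do $cmd || exit 1; done ;;
esac
```

Running it with `show gre` prints the `gr-0/0/0` pairing instead, which is the combination to use if the GRE encapsulation is actually wanted; `show` with no mode reproduces the sit/ip-0/0/0 pair the thread ended up with.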


