07-18-2012 03:39 AM
Maybe this problem has already been taken up somewhere, but I can't find it. =)
I'm trying to set up a GRE tunnel.
At one of the ends the tunnel is in a routing-instance, type virtual-router.
I have looked at this:
My set up is that tunnel dst is in inet.0.
It looks kinda like this:
gr-0/0/0.0(SRX)fe-0/0/7.0 (DHCP) <----[INTERNET]----> ge-0/0/0.0(J-router)gr-0/0/0.30
config on SRX side:
set interfaces fe-0/0/7 description UPLINK
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-attempt 6
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-interval 10
set interfaces gr-0/0/0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 tunnel source xx.xx.xx.100
set interfaces gr-0/0/0 unit 0 tunnel destination yy.yy.yy.17
set interfaces gr-0/0/0 unit 0 tunnel path-mtu-discovery
set interfaces gr-0/0/0 unit 0 family inet address yy.yy.yy.54/30
set security zones security-zone tunnel tcp-rst
set security zones security-zone tunnel host-inbound-traffic system-services all
set security zones security-zone tunnel host-inbound-traffic protocols all
set security zones security-zone tunnel interfaces gr-0/0/0.0
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface gr-0/0/0.0
set routing-instances R1 routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0
When the GRE tunnel is not in routing-inst on SRX side the tunnel works.
Am I missing something?
According to the link I provided I am not.
I have a flow trace matching on GRE packet running.
It gives errors like:
pak_for_self: No handler function found for proto:47, dst-port:1, drop pkt
packet dropped, packet dropped: for self but not interested.
Thanks in advance...
07-18-2012 08:18 AM
user@srx# set interfaces gr-0/0/0 unit 0 tunnel routing-instance destination R1
07-19-2012 01:40 AM
Do you have a static route to yy.yy.yy.17 in the default routing instance?
07-19-2012 02:19 AM
Not a static route, but the default route in inet.0 is pointing towards my default gateway.
The dst net is reachable through there.
Shouldn't that be enough?
I tried setting a static route for the dst endpoint and it didn't help.
07-19-2012 03:49 AM
The GRE tunnel seems to be working in one direction.
Packets from SRX -> J-router get through.
Packets from J-router -> SRX get dropped at the SRX for some reason.
On the J-router I can run 'show security flow session protocol gre' and see the tunnel.
But on the SRX side it shows nothing.
So I guess the session never gets installed on the SRX side...?
07-19-2012 04:05 AM
I'm not sure what is going on, but protocol 47 is GRE.
"packet dropped: for self but not interested": You are sending traffic to an IP on the device itself, but on the destination port there is no service/answer, or access is possibly prohibited.
07-22-2012 08:01 AM
Yes, but I'm not sure what I'm supposed to enable in the config.
According to the Juniper guide on how to set up a GRE iface in a RI I'm good to go.
How would the flow look in my setup?
07-22-2012 11:28 AM
Can you post the relevant parts of the SRX config?
Which interface on the SRX is the GRE tunnel from the J-series terminating on? Make sure that interface has GRE as an allowed service or protocol in the zone config.
If it is terminating on a loopback you also need to make sure the security policy allows it, i.e., if the loopback is in the 'trust' zone, but the internet-facing interface is in the untrust zone, I think you would need a policy like "from untrust to trust, src=j-series, dst=srx-ip-terminating-gre, application gre, then permit".
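As an added example (not code from the thread or from Juniper), the following script checks the two conditions raised in this thread against a Junos set-style config: the accepted fix that a gr- unit placed in a routing-instance also needs `tunnel routing-instance destination`, and the last reply's point that the zone holding the GRE interface must allow host-inbound traffic. The sample config is the poster's SRX snippet reduced to the relevant lines; treating only `all` as admitting GRE to the zone is a simplification of this script, not a Junos rule.

```python
"""Checker for the GRE-in-routing-instance pitfall in this thread.
Input is Junos 'show configuration | display set' output."""
import re
from typing import Dict, List, Set

# Constructed sample: the relevant SRX lines posted above, without the fix line.
SRX_CONFIG = """\
set interfaces gr-0/0/0 unit 0 tunnel source xx.xx.xx.100
set interfaces gr-0/0/0 unit 0 tunnel destination yy.yy.yy.17
set interfaces gr-0/0/0 unit 0 family inet address yy.yy.yy.54/30
set security zones security-zone tunnel host-inbound-traffic system-services all
set security zones security-zone tunnel host-inbound-traffic protocols all
set security zones security-zone tunnel interfaces gr-0/0/0.0
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface gr-0/0/0.0
"""
FIX_LINE = "set interfaces gr-0/0/0 unit 0 tunnel routing-instance destination R1\n"

UNIT_RE = re.compile(r"^set interfaces (gr-\S+) unit (\d+) (.+)$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
ZONE_HIT_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic "
                         r"(?:protocols|system-services) (\S+)$")

def check_gre_config(config: str) -> List[str]:
    """Return one finding per problem; an empty list means both checks passed."""
    tunnel_ri: Dict[str, str] = {}      # gr unit -> 'tunnel routing-instance destination'
    unit_ri: Dict[str, str] = {}        # logical interface -> routing-instance it sits in
    unit_zone: Dict[str, str] = {}      # logical interface -> security zone
    zone_hit: Dict[str, Set[str]] = {}  # zone -> host-inbound protocols/services allowed
    for raw in config.splitlines():
        line = raw.strip()
        if m := UNIT_RE.match(line):
            words = m.group(3).split()
            if words[:3] == ["tunnel", "routing-instance", "destination"]:
                tunnel_ri[f"{m.group(1)}.{m.group(2)}"] = words[3]
        elif m := RI_RE.match(line):
            unit_ri[m.group(2)] = m.group(1)
        elif m := ZONE_IF_RE.match(line):
            unit_zone[m.group(2)] = m.group(1)
        elif m := ZONE_HIT_RE.match(line):
            zone_hit.setdefault(m.group(1), set()).add(m.group(2))
    findings = []
    for unit, ri in unit_ri.items():
        if unit.startswith("gr-") and unit not in tunnel_ri:
            findings.append(f"{unit} is in routing-instance {ri} but has no "
                            "'tunnel routing-instance destination' (the fix in this thread)")
    for unit, zone in unit_zone.items():
        # Simplification: only 'all' is treated as admitting GRE to the zone.
        if unit.startswith("gr-") and "all" not in zone_hit.get(zone, set()):
            findings.append(f"zone {zone} holding {unit} allows no host-inbound traffic")
    return findings

if __name__ == "__main__":
    for f in check_gre_config(SRX_CONFIG):
        print("FINDING:", f)
    print("after fix:", check_gre_config(SRX_CONFIG + FIX_LINE) or "clean")
```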