PIX-to-PIX GRE one way only

Unanswered Question
Aug 20th, 2007

I have configured a GRE tunnel between two routers that are each behind PIX firewalls. I have setup a VPN to encrypt all IP traffic between the routers.

The GRE traffic is only flowing from router A to router B.

I can ping from router A to router B and vice versa. I've verified that those pings are going out via the vpn by doing a 'show ipsec sa' and watching the counters. I have also verified that the GRE tunnel keepalives are being sent by both routers but only router A's packets are making it across. Router B receives A's keep-alives but A does not receive B's.

I did a capture on pix B to verify that the GRE packets from router B are making it to the PIX correctly.

I do not have any specific rules anywhere, on either PIX, or either router for gre. The access-list rule looks like this:

access-list tunnel extended permit ip xx.xx.198.40 255.255.255.252 xx.xx.198.44 255.255.255.252

When I do a 'packet-tracer' on pix B I see that everything but GRE goes out the VPN but all I get for GRE is:

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found flow with id 2696171, using existing flow

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: allow

I have no idea how to view details on flow id 2696171.

Any ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion