Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
646
Views
0
Helpful
4
Replies

ICMP/GRE

vincentm
Level 1
Level 1

‎10-25-2007 09:06 AM - edited ‎03-09-2019 07:05 PM

I have found that in our GRE DSL environment, client workstations cannot perform a ping or a traceroute from their dos prompts to internal Domain controller servers going over a GRE tunnel. The resources are availabe to them, however they cannot run the ping. Clients receive an "unresponsive" message. I have verified that there are no ACL's blocking the ICMP request. Wanted to know if anyone else out there may be experiencing this. Thanks.

Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎10-26-2007 08:45 AM

Mark

I have not seen that symptom before. Are there access lists applied on the GRE tunnel interfaces? If so could you post them?

HTH

Rick

HTH

Rick
0 Helpful

vincentm
Level 1
Level 1
In response to Richard Burts

‎10-26-2007 11:45 AM

Rick,

there is an extended acl on the host side of the connect for the tunnel. It is one line item that permits traffic between the DMZ address and the external peer address.

At the remote device we don't have any ACL's on the tunnel that block ICMP currently.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to vincentm

‎10-26-2007 12:17 PM

Mark

ok lets try a slightly different approach. First can you confirm that other end stations are able to ping and traceroute to the Domain controller (verify that the Domain controller is not rejecting the traffic)?

Second, if an end station does a traceroute, how far do you see the responses going?

HTH

Rick

HTH

Rick
0 Helpful

vincentm
Level 1
Level 1
In response to Richard Burts

‎10-30-2007 06:50 AM

Rick,

I have confirmed that other end stations in the same Service Center where the GRE tunnel is implemented all have the same problem. On the traceroute the path goes to the peer address of the other end of the tunnel, that being the host VPN router back at Corp, and then it drops off. That output is straight off of the client cmd prompt. When I test from my local LAN connection on my machine outside of any GRE VPN tunnel configuration I can ping the DC just fine. I think this may have something to do with the encapsulation going through the VPN tunnel, what do you think?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents