GRE through ASA

Apr 26th, 2008

Hi, I am trying to understand how ASA treats GRE traffic. I have an application that needs to set up a GRE tunnel between two (internal) WAN acceleration devices across the Internet via IPsec VPN, and Polycom video traffic is carried by this GRE tunnel for WAN acceleration through PBR. The video conference worked fine if the datapath is going through the normal path (aka, no WAN optimization), but when the video conference traffic is diverted to this GRE tunnel, I cannot even get the dial tone on the other side.

I am suspecting that video conference traffic is undergoing asymmetric routing and ASA is dropping the return traffic if the return traffic is not in GRE. Now here is my question: How does ASA process GRE traffic? Does it look deep inside the GRE packet to see whether it is a TCP packet and then randomize the sequence number? Or does it just transparently route the packet out to a different interface exactly like a router would do?

rkalia1 Sat, 04/26/2008 - 15:22

I think you need to permit GRE host in the access-list at both the tunnel end-points on the inside of the ASA. Probably you are using GRE because you are using some dynamic routing protocol between the two GRE tunnel end points. Dynamic routing protocol packets are multicast in nature. ASA does not pass multicast packets through the IPSec tunnel. GRE encapsulates these multicast packets in GRE packets and passes them to ASA. GRE packets are unicast so they get encapsulated by IPSec and are forwarded transparently. ASA does not do any deep inspection of these GRE packets. ASA just forwards the packets to the other side of the IPSec tunnel.
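
A sketch of the access-list change suggested in the reply above, added here as an illustration and not taken from the original posts or from Cisco documentation. The ACL names, the crypto map name and sequence number, and the 10.1.1.10 / 10.2.2.10 addresses of the two WAN acceleration devices are constructed placeholders.

```cisco
! Constructed example values:
!   10.1.1.10 = local WAN acceleration device (GRE tunnel source)
!   10.2.2.10 = remote WAN acceleration device (GRE tunnel destination)
! INSIDE_IN, VPN_GRE and OUTSIDE_MAP 10 are placeholder names.

! Inside interface ACL: permit the GRE tunnel (IP protocol 47) between the
! two endpoints only. Add this line to the ACL that is already applied to
! the inside interface; every ACL ends in an implicit deny, so a new ACL
! holding only this entry would block all other inside traffic.
access-list INSIDE_IN extended permit gre host 10.1.1.10 host 10.2.2.10

! Crypto ACL: select the same GRE flow for the IPsec tunnel, so the GRE
! packets are encrypted instead of leaving the outside interface in clear.
access-list VPN_GRE extended permit gre host 10.1.1.10 host 10.2.2.10
crypto map OUTSIDE_MAP 10 match address VPN_GRE

! On the ASA at the other site, mirror both entries with the hosts swapped:
!   permit gre host 10.2.2.10 host 10.1.1.10

! Checks to run while a video call is being placed:
! the hit count on the GRE entry should increase
show access-list INSIDE_IN
! packet encaps and decaps counters should both increase; encaps rising
! with decaps flat means the return traffic is not coming back in the tunnel
show crypto ipsec sa
```

Scoping both entries to the two device addresses keeps the rule narrow: only the tunnel endpoints can send protocol 47 across the VPN.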

