GRE Tunnel Not coming up

Unanswered Question
Feb 2nd, 2009

Hi Friends,

I have a strange issue with simple GRE Tunnel. There is a Tunnel configured between Downstream and Headquarters. However, the tunnel is showing down even though all the configurations are in place. config details is as attached. We have confirmed that the tunnel desinations, tunnel source and the static route are all in place. One Strange thing we find is that while doing the debug for keepalives, the routers only seem to be sending keepalives, but does not seem to receive it. We have removed and applied back the tunnel config, reloaded the router. Any suggestions on this is highly appreciated. Thanks in advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Giuseppe Larosa Mon, 02/02/2009 - 06:03

Hello Manoj,

there is no bidirectional IP connectivity between the two ip addresses in use or some device in the middle like a firewall is filtering one side of communication.

try to perform an extended pin using the same ip addresses that are used as GRE endpoints

if this doesn't work the tunnel cannot come up.

By using the keepalive on GRE tunnel the tunnel state is conditioned on the correct sending and receiving of GRE keepalives.

Be aware that this a feature that was added later to IOS so it is also possible that one of the two devices is not able to send GRE keepalives correctly.

Perform the basic checks I suggested above.

Hope to help


gojericho0 Mon, 02/02/2009 - 10:50

I noticed as well, but not sure if it would affect the tunnel from establishing...

The SNM on tunnels are not the same on both routers

Richard Burts Mon, 02/02/2009 - 11:20


I agree with Giuseppe that the most likely cause of the problem is that the GRE packets are not making it through to the other peer. I notice that each router has some number greater than zero in the packets sent but has zero in the packets received.

I also notice a mismatch in the configurations. On the downstream router you have the subnet mask as /24:

ip address

but on the headquarters router the mask is /30:

ip address

I am not sure that this would cause the problem that you are expecting, but it is something that should be cleaned up.



Manoj Wadhwa Mon, 02/02/2009 - 22:02

Hi Friends,

1. The Subnet Mask is not an issue. I noticed it earlier as well and changed to /24 both the ends. It still does not work.

2. The end to end ping test is a challenge because some ISP's dont allow ping/ tracert . I have a few other downstream sites in which the setup is working fine. But end to end ping still fails even though there is no access list configured at our end.

Are there any other debugs that can help us drive down still further. Thanks!

Best Regards,


Giuseppe Larosa Mon, 02/02/2009 - 23:30

Hello Manoj,

if you cannot test with ping and traceroute you cannot understand if there is a connectivity problem.

I would do the following:

disable GRE keepalive on both ends

assign a private ip address loopback on each side


loop 14

ip address

from other router add a static route

ip route tunnel X

do the same on the opposite node:

add a loopback here

from first node add a static route

Now you can ping from loopback to loopback traffic is encapsulated in GRE.

if you still cannot receive the ICMP packets with source and destination the loopbacks you can say that there is no connectivity.

Otherwise if there is one of the two routers donìt support GRE keepalive correctly

Hope to help


m.scafidi Wed, 02/25/2009 - 04:07

Hi all..

i'm finding about the same problem in a simplier enviroment (configs attached):

i have two routers (Tunnel-1 and Tunnel-2) connected through a third one (Center) and i'm trying to build a GRE tunnel from a loopback interface on Tunnel-1 to a loopback interface on Tunnel-2 (I already tried using physical interfaces).

static routes on the 3 routers make tunnel sources and destinations reachable each other.

Without configuring keepalives tunnel comes up but it's not working (tunnel interfaces don't ping each other and i cant ping for example interface Tunnel-1 GigabitEthernet0/1.1 from Tunnel-2)..

After Configuring Keepalives the tunnel goes down. i have the same Manoj's output debugging tunnel on both ends..

The routers are two Cisco 1841 and a 3825 with the latest Advanced Enterprise IOS..

any suggestions? thanks all


Richard Burts Wed, 02/25/2009 - 05:12


I have looked through your configs. One of the things that I notice is that there is a mismatch in the tunnel configuration about source and destination address. On tunnel-1 the tunnel destination is but on tunnel-2 the source address is where to be consistent with tunnel-1 I would expect

I suggest that you revise the configs and make the source-destination match between the routers so that what one router configures as the destination is the source on the other router. Give this a try and let us know if it works better.




This Discussion