Pix 7.2(4) not matching on GRE

Answered Question
Oct 17th, 2009
User Badges:

I have a VPN running between a Pix525 (7.2(4)) and a 2811 router. The VPN works flawlessly except for GRE packets.


I have a tunnel running behind the PIX with a tunnel source of a.a.a.a and a tunnel destination of b.b.b.b. I have an access-list on the Pix with a match list of permit ip host a.a.a.a host b.b.b.b.


So far I have:

1. Ping a.a.a.a with a source of b.b.b.b (works)

2. Sniffed the traffic GRE is properly travelling from the 2811 to the pix but it is passing though the PIX without matching and being encapsulated

3. Changed the tunnel to IPIP mode. Now it works.


It looks like the PIX is just not able to match on GRE traffic. Has anybody seen this?

Correct Answer by Herbert Baerten about 7 years 6 months ago

Sounds like this could be CSCse36327.


Does "clear local-host a.a.a.a" help?

If so, you may want to upgrade to 8.0 and configure "sysopt connection reclassify-vpn"

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Herbert Baerten Sun, 10/18/2009 - 11:54
User Badges:
  • Cisco Employee,

Sounds like this could be CSCse36327.


Does "clear local-host a.a.a.a" help?

If so, you may want to upgrade to 8.0 and configure "sysopt connection reclassify-vpn"

mmacdonald70 Mon, 10/19/2009 - 06:48
User Badges:

Perfect! That was the problem. Thanks. One more question about this.


The document says that "All events except 1 occur when a dynamic crypto map is used without a match address statement." Since I am using a match address statement, does this mean that this issue should only impact me if I remove and reapply the crypto-map and/or isakmp statement on the pix?

Herbert Baerten Tue, 10/20/2009 - 12:25
User Badges:
  • Cisco Employee,

Glad to hear it helped :)


And yes, your interpretation of the bug description seems to be correct to me. Well, to be a little bit more precise: the problem occurs if at some point in time there is GRE traffic but no crypto map or a crypto map without match on GRE.


So once you have the match statement in there, it will only affect you when you remove and reapply the crypto map, or if you remove and re-add the match statement.


Actions

This Discussion