Pix 7.2(4) not matching on GRE

Answered Question
Oct 17th, 2009

I have a VPN running between a Pix525 (7.2(4)) and a 2811 router. The VPN works flawlessly except for GRE packets.

I have a tunnel running behind the PIX with a tunnel source of a.a.a.a and a tunnel destination of b.b.b.b. I have an access-list on the Pix with a match list of permit ip host a.a.a.a host b.b.b.b.

So far I have:

1. Ping a.a.a.a with a source of b.b.b.b (works)

2. Sniffed the traffic GRE is properly travelling from the 2811 to the pix but it is passing though the PIX without matching and being encapsulated

3. Changed the tunnel to IPIP mode. Now it works.

It looks like the PIX is just not able to match on GRE traffic. Has anybody seen this?

I have this problem too.
0 votes
Correct Answer by Herbert Baerten about 7 years 1 month ago

Sounds like this could be CSCse36327.

Does "clear local-host a.a.a.a" help?

If so, you may want to upgrade to 8.0 and configure "sysopt connection reclassify-vpn"

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Herbert Baerten Sun, 10/18/2009 - 11:54

Sounds like this could be CSCse36327.

Does "clear local-host a.a.a.a" help?

If so, you may want to upgrade to 8.0 and configure "sysopt connection reclassify-vpn"

mmacdonald70 Mon, 10/19/2009 - 06:48

Perfect! That was the problem. Thanks. One more question about this.

The document says that "All events except 1 occur when a dynamic crypto map is used without a match address statement." Since I am using a match address statement, does this mean that this issue should only impact me if I remove and reapply the crypto-map and/or isakmp statement on the pix?

Herbert Baerten Tue, 10/20/2009 - 12:25

Glad to hear it helped :)

And yes, your interpretation of the bug description seems to be correct to me. Well, to be a little bit more precise: the problem occurs if at some point in time there is GRE traffic but no crypto map or a crypto map without match on GRE.

So once you have the match statement in there, it will only affect you when you remove and reapply the crypto map, or if you remove and re-add the match statement.

Actions

This Discussion