Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

asa&gre

Hi.

I have problems with an ASA 5510 and GRE.

I can't make a gre tunnel from the inside network to a host on the internet. I only get to the part where I have to enter the username and password and there it breaks. I get a teardown gre connection in the logs exactly after 30 sec.

The inside network and outside network both have real ip addresses so I have no NAT configured and no need for NAT.

I tried fixup protocol pptp 1723 and inspect pptp.

The ACLs allow both gre and tcp 1723 both on the outside and on the inside (I also tried with allow ip any any to be sure it's not ACL related).

Any ideas?

7 REPLIES
Cisco Employee

Re: asa&gre

Hello,

Can you please post the output of "show service-policy" and "show asp drop"

commands? Please follow below steps before collecting the output:

-- Clear the counters i.e. clear service-policy & clear asp drop

-- Initiate a GRE tunnel session

-- Once it fails, issue "show service-policy" and "show asp drop"

Regards,

NT

New Member

Re: asa&gre

Hello

Thanks for the reply. Here is the output:

Result of the command: "show service-policy"

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 743, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 3, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 14, drop 0, reset-drop 0

Interface inside10:
  Service-policy: inside10-policy
    Class-map: inside10-class
      IPS: card status Up, mode inline fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: pptp_policy
    Class-map: pptp-port
      Inspect: pptp, packet 0, drop 0, reset-drop 0
    Class-map: outside-class
      IPS: card status Up, mode inline fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0


Result of the command: "show asp drop"

Frame drop:
  First TCP packet not SYN (tcp-not-syn)                                     145
  TCP failed 3 way handshake (tcp-3whs-failed)                                21
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                   21
  Dropped pending packets in a closed socket (np-socket-closed)                2

Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15

Flow drop:

Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15

Cisco Employee

Re: asa&gre

Hello,

I see that you have an IPS module installed on the firewall. Can you bypass

the IPS module for the PPTP traffic and see if that helps?

Regards,

NT

New Member

Re: asa&gre

Hi

I bypassed the IPS for all the traffic with the same result

Cisco Employee

Re: asa&gre

can you collect some captures on the inside and outside of ASA, so that we can see where it is failing


also have you tried bypassing the firewall does it work fine (just to confirm that the configuration is fine)

any way the captures on ASA's inside and outside will tell us who and hopefully why the device is dropping the packet

Cisco Employee

Re: asa&gre

Hello,

What is the code version you are running on the firewall?

Regards,

NT

Re: asa&gre

Post the log level 7.

Post the config.

300
Views
0
Helpful
7
Replies