Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

GRE through ASA

Hi, I am trying to understand how ASA treats GRE traffic. I have a application that needs to set a GRE tunnel between two (internal) WAN acceleration devices across Internet via IPsec VPN, and polycom video traffic is carried by this GRE tunnel for WAN acceleration through PBR. The video conference worked fine if the datapath is going thorough normal path (aka, no WAN optimization), but when the video conference traffic is diverted to this GRE tunnel, I can not even get the dial tone on the other side.

I am suspecting that video conference traffic is undergoing un-symmetric routing and ASA is dropping the return traffic if the return traffic is not in GRE. Now here is my question: How ASA processes GRE traffic? does it look deep inside the GRE packet to see whether it is a TCP packet and then randomize the sequence number? or it just transparently route the packet out to different interface exactly like a router would do?

New Member

Re: GRE through ASA

I think u need to permit GRE host in the access-list at both the tunnel end-points on the inside of the ASA. Probably you are using GRE because you are using some dynamic routing protocol between the two GRE tunnel end points. Dynamic routing protocol pkts are multicast in nature. ASA does not pass multicast packets trhough the IPSec tunnel. GRE encapsulates these multicast pkts in GRE pkts and passes it to ASA. GRE pkts are unicast so they get encapsulated by IPSec and are forwarded transparently. ASA does not do any deep inspection of these GRE pkts. ASA justs forwards the pkts to the other side of the IPSec tunnel.

CreatePlease to create content