Hi, I am trying to understand how ASA treats GRE traffic. I have an application that needs to set up a GRE tunnel between two (internal) WAN acceleration devices across the Internet via IPsec VPN, and Polycom video traffic is carried by this GRE tunnel for WAN acceleration through PBR. The video conference worked fine if the datapath is going through the normal path (aka, no WAN optimization), but when the video conference traffic is diverted to this GRE tunnel, I cannot even get the dial tone on the other side.
I suspect that the video conference traffic is undergoing un-symmetric routing and ASA is dropping the return traffic if the return traffic is not in GRE. Now here is my question: how does ASA process GRE traffic? Does it look deep inside the GRE packet to see whether it is a TCP packet and then randomize the sequence number? Or does it just transparently route the packet out to a different interface exactly like a router would do?
I think you need to permit the GRE host in the access-list at both tunnel end-points on the inside of the ASA. Probably you are using GRE because you are using some dynamic routing protocol between the two GRE tunnel end-points. Dynamic routing protocol packets are multicast in nature. ASA does not pass multicast packets through the IPsec tunnel. GRE encapsulates these multicast packets in GRE packets and passes them to the ASA. GRE packets are unicast, so they get encapsulated by IPsec and are forwarded transparently. ASA does not do any deep inspection of these GRE packets. ASA just forwards the packets to the other side of the IPsec tunnel.