Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco 7200 and blocked client initiated (MS) VPN

My service provider has recently made some configuration changes within their network [to change route from them to backbone network] - following this ... my WinNT desktop to corporate VPN is failing.

I have traced frames at my end - and I can see that the first steps to the connection are made ... but the first back with GRE is returned almost immediately (ICMP destination unreachable). I guess that this is because GRE (protocol 47) is not enabled to pass through.

Given that this worked one week ago ... can someone tell me the commands I should ask the netowrk operator to run on their 7200 to determine if GRE is being blocked (I have scoured the web and guess that it is to do with Access Lists - but I have no access to CISCO documentation).

Is GRE blocked by default?

Is it possible that the old Access List enabled GRE to old network provider link and now that they have chage network provider ... they have lost the Permit GRE to the ISP address.

[the ICMP comes back in 0.0026 seconds - which is same time as PING to the 7200 and too fast for response from next downstream router at backbone ISP (0.005)

Paul Webster

New Member

Re: Cisco 7200 and blocked client initiated (MS) VPN

Try and have your SP do these.

sh interfaces tunnel (number of tunnel that the "tunnel mode gre ip" is configured)

check to see if the tunnel is not shutdown.

check to see if tunnel protocol gre/ip is up

Have them (your SP) try and ping the GRE tunnel endpoint (router within your

Corporate N/W)

Sunil Wadwani

Cisco TME

New Member

Re: Cisco 7200 and blocked client initiated (MS) VPN

The SP can ping my end point - a W2K server [I can ping and tracert through the 7200 to that end-point without problem].

A question though ... [SP not very responsive] ... I may have misunderstood, but is using Tunnel making a specific route available for this traffic rather than a generic config that allows GRE to get through? [this was working previously when my SP did not know my end-point details and would not have set up a specific targetted end-point]

Is it possible that the 7200 decides not to push the GRE through because it knows that my source address is NAT'd?


CreatePlease to create content