Cisco Support Community

GRE packets do not encrypt on an ASA or a PIX Firewall that runs software version 7.x

Core issue

This issue is due to the presence of Cisco bug ID CSCse36327.

This issue occurs when the IPSec tunnel previously worked and one of these events occurred:

  • The crypto map or Internet Security Association and Key Management Protocol (ISAKMP) is removed and reapplied to the interface.

  • The PIX Firewall or Cisco Adaptive Security Appliance (ASA) is upgraded to version 7.x from version 6.x.

  • The PIX or ASA is rebooted.

  • The remote IPSec peer is rebooted.

What is GRE?

Generic Routing Encapsulation (GRE) is a protocol used to encapsulate packets in order to route other protocols over an IP network. It was originally developed by Cisco.

GRE is a tunneling tool meant to carry any OSI Layer 3 protocol over an IP network, creating a private point-to-point connection similar to a VPN.

Resolution

As a workaround, use a match address statement for the GRE traffic. If the crypto map and/or ISAKMP is removed and reapplied, issue the clear local-host command.
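
One way to confirm the workaround took effect is to check a capture taken on the outside of the firewall for GRE (IP protocol 47) that should be travelling inside ESP (IP protocol 50). This is an added example, not Cisco code: the function names are hypothetical, and the addresses (documentation ranges) and sample packets are constructed.

```python
import socket
import struct

GRE, ESP = 47, 50  # IANA IP protocol numbers


def ipv4_header(src, dst, proto):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(packet):
    """Return (src, dst, proto) for an IPv4 packet, or None if it cannot be parsed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    return (socket.inet_ntoa(packet[12:16]),
            socket.inet_ntoa(packet[16:20]), packet[9])


def find_cleartext_gre(packets, gre_endpoints):
    """Return (src, dst) for each GRE packet seen between the tunnel endpoints, either direction."""
    endpoints = set(gre_endpoints)
    leaks = []
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue  # truncated or non-IPv4 data is skipped, not treated as clean
        src, dst, proto = parsed
        if proto == GRE and src != dst and {src, dst} <= endpoints:
            leaks.append((src, dst))
    return leaks


# Constructed samples: GRE endpoints behind each firewall, IPsec peers on the outside.
GRE_ENDPOINTS = {"192.0.2.10", "198.51.100.10"}
CAPTURE_AFFECTED = [ipv4_header("192.0.2.10", "198.51.100.10", GRE),
                    ipv4_header("192.0.2.1", "198.51.100.1", ESP)]
CAPTURE_FIXED = [ipv4_header("192.0.2.1", "198.51.100.1", ESP),
                 ipv4_header("198.51.100.1", "192.0.2.1", ESP),
                 b"\x45\x00"]  # truncated packet

if __name__ == "__main__":
    print("affected:", find_cleartext_gre(CAPTURE_AFFECTED, GRE_ENDPOINTS))
    print("fixed:   ", find_cleartext_gre(CAPTURE_FIXED, GRE_ENDPOINTS))
```

An empty result only shows that the sampled packets contained no cleartext GRE between those endpoints; repeat the check after each of the trigger events listed under "Core issue".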