Pix 7.2(4) not matching on GRE

I have a VPN running between a Pix525 (7.2(4)) and a 2811 router. The VPN works flawlessly except for GRE packets.

I have a tunnel running behind the PIX with a tunnel source of a.a.a.a and a tunnel destination of b.b.b.b. I have an access-list on the Pix with a match list of permit ip host a.a.a.a host b.b.b.b.

So far I have:

1. Ping a.a.a.a with a source of b.b.b.b (works)

2. Sniffed the traffic: GRE is properly travelling from the 2811 to the PIX, but it is passing through the PIX without matching and being encapsulated.

3. Changed the tunnel to IPIP mode. Now it works.

It looks like the PIX is just not able to match on GRE traffic. Has anybody seen this?

Accepted Solution
Cisco Employee

Re: Pix 7.2(4) not matching on GRE

Sounds like this could be CSCse36327.

Does "clear local-host a.a.a.a" help?

If so, you may want to upgrade to 8.0 and configure "sysopt connection reclassify-vpn"

4 REPLIES

Re: Pix 7.2(4) not matching on GRE

Post your config for review, there could be several reasons for what you are seeing. Remove sensitive information from the config.

New Member

Re: Pix 7.2(4) not matching on GRE

Perfect! That was the problem. Thanks. One more question about this.

The document says that "All events except 1 occur when a dynamic crypto map is used without a match address statement." Since I am using a match address statement, does this mean that this issue should only impact me if I remove and reapply the crypto-map and/or isakmp statement on the pix?

Cisco Employee

Re: Pix 7.2(4) not matching on GRE

Glad to hear it helped :)

And yes, your interpretation of the bug description seems to be correct to me. Well, to be a little bit more precise: the problem occurs if at some point in time there is GRE traffic but no crypto map or a crypto map without match on GRE.

So once you have the match statement in there, it will only affect you when you remove and reapply the crypto map, or if you remove and re-add the match statement.
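As an added illustration (not configuration posted in this thread), a PIX 7.2-style crypto map that matches the tunnel endpoints discussed above, followed by the workaround and check the accepted answer points to. The names GRE_VPN, OUTSIDE_MAP, ESP-AES-SHA and the peer address c.c.c.c are assumed placeholders.

```cisco
! Crypto ACL: tunnel source a.a.a.a (behind the PIX) to tunnel destination
! b.b.b.b (behind the 2811). "permit ip" covers GRE (IP protocol 47) as well
! as the IPIP mode the original poster tested with.
access-list GRE_VPN extended permit ip host a.a.a.a host b.b.b.b
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address GRE_VPN
crypto map OUTSIDE_MAP 10 set peer c.c.c.c
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
!
! Workaround on 7.2(4): if the GRE flow was created while no crypto map (or
! one without a matching entry) was applied, the cached host state keeps it
! unencrypted. Clearing it forces the next GRE packet to be reclassified.
clear local-host a.a.a.a
!
! Check: the GRE traffic should now appear in the encap/decap counters of
! the IPsec SA for this peer.
show crypto ipsec sa peer c.c.c.c
!
! On 8.0 (the accepted answer's recommendation): reclassify existing flows
! automatically when the crypto map or its match statement changes.
sysopt connection reclassify-vpn
```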
