# GRE tunnel stops working



## qwaven (Aug 24, 2010)

Hi all,

I have a FreeBSD 8.1-Release server running with Squid. I've setup WCCP between it and a Cisco ASA. This communicates via GRE tunnel. I also have PF running.

Right now the GRE tunnel is initiated by the ASA and works, however after anywhere between 1-5minutes it seems to stop working and have to re initiate the GRE tunnel.

I'm wondering if anyone has any idea why the GRE tunnel is failing to stay active or how I can tell what is causing it to stop?

Thanks for your help!


----------



## Business_Woman (Aug 24, 2010)

I belive cisco routers uses a timer for the tunnel duration, before it tries to re-authenticate.

Try to debug GRE traffic on the ASA, you should see somekind of teardown/re-auth


----------



## qwaven (Aug 26, 2010)

Thanks of your reply Business Woman. 

I have not been able to find a debug command for GRE on Cisco. However I do not believe the problem is with Cisco as the same device worked fine with a previous machine. 

Would there be some troubleshooting I can do on the BSD machine?

Thanks!


----------



## qwaven (Aug 31, 2010)

Anyone?


----------



## DutchDaemon (Aug 31, 2010)

Do you have any additional information? If you don't get a reply, there's probably not enough of it. In other words: don't bump, add information.


----------



## qwaven (Sep 1, 2010)

What sort of information would you like? I'm looking for troubleshooting steps as I have no idea why the connection is dropping.

Below is my PF config which probably has some redundant lines. Simplification ideas are always welcome.


```
#Modified on Aug 24 2010

int_if = "{ bge0 }"
ext_if = "{ bge1 }"

localip = "{ **censored** }"
wanip = "{ **censored** }"
dot7 = "{ **censored** }"

set skip on lo0
#set skip on gre0

#set timeout tcp.first 120
#set timeout tcp.established 86400
#set timeout { adaptive.start 6000, adaptive.end 12000 }
#set limit states 10000
set loginterface bge0
set loginterface bge1
set loginterface gre0
set optimization normal
set block-policy drop

scrub in on $ext_if all fragment reassemble
scrub in on $int_if all no-df random-id fragment reassemble

#UPLOAD SPEED
altq on $ext_if cbq bandwidth 4Mb queue { ou_std, ou_ack }

queue ou_ack bandwidth 10% priority 7 cbq(borrow red)
queue ou_std bandwidth 90% priority 5 cbq(default borrow red)

#DOWNLOAD SPEED
altq on $int_if cbq bandwidth 8Mb queue { in_std, in_ack, in_ssh }

queue in_ack bandwidth 10% priority 7 cbq(borrow red)
queue in_ssh bandwidth 5% priority 6 cbq(borrow red)
queue in_std bandwidth 85% cbq(default borrow red)

nat on $ext_if from **censored** to any -> **censored**
nat on $ext_if from 127.0.0.1 to any -> **censored**
no nat on lo0
no nat on $ext_if from $localip
no nat on $ext_if from $wanip

rdr on gre0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

block in log on $ext_if from any to any
block out log on $ext_if from any to any
block in on $ext_if from no-route to any

block in on $int_if from any to any


pass out on $ext_if inet proto icmp from any to any
pass out on $int_if inet proto icmp from any to any

pass out on $ext_if inet proto tcp from $wanip to any port ftp modulate state queue ( ou_std, ou_ack )
pass out on $ext_if inet proto tcp from $wanip to any port www modulate state queue ( ou_std, ou_ack )
pass out on $ext_if inet proto tcp from $wanip to any port > 1024 queue ( ou_std, ou_ack )

pass out on $ext_if inet proto tcp from $localip to any modulate state queue ( ou_std, ou_ack )
pass out on $ext_if inet proto udp from $localip to any keep state queue ( ou_std, ou_ack )
pass out on $ext_if inet proto tcp from any to any port ssh modulate state queue ( ou_std, ou_ack )

pass quick on $int_if inet proto udp from any to any port domain keep state
pass quick on $int_if inet proto udp from any to any port ntp keep state
pass quick on $int_if inet proto udp from any to any port 2048 keep state queue ( in_std, in_ack )
pass quick on $int_if inet proto gre from any to any queue ( in_std, in_ack )

pass in quick on $int_if inet proto tcp from $dot7 to $localip port ssh modulate state queue ( in_ssh, in_ack )
pass in quick on $int_if inet proto tcp from $dot7 to $localip port 667 modulate state queue ( in_std, in_ack )
pass in quick on $int_if inet proto tcp from any to any port www modulate state queue ( in_std, in_ack )
pass in quick on $int_if inet proto tcp from any to any port 3128 modulate state queue ( in_std, in_ack )
pass in quick on $int_if inet proto tcp from any to any port 8080 modulate state queue ( in_std, in_ack )

pass in quick on gre0 inet proto tcp from $dot7 to $localip port ssh modulate state queue ( in_ssh, in_ack )
pass in quick on gre0 inet proto tcp from any to any port www modulate state queue ( in_std, in_ack )
pass in quick on gre0 inet proto tcp from any to any port 3128 modulate state queue ( in_std, in_ack )
pass in quick on gre0 inet proto tcp from any to any port 8080 modulate state queue ( in_std, in_ack )
pass in quick on gre0 inet proto tcp from any to any port >1024 modulate state queue ( in_std, in_ack )

pass in quick log proto gre from any to any queue ( in_std, in_ack )

#pass all from ASA to BSD
pass in quick log on gre0 from **censored** to any modulate state
pass in quick log on $int_if from **censored** to any modulate state
pass in quick log on gre0 from **censored** to any modulate state
pass in quick log on $int_if from **censored** to any modulate state
pass in quick on $int_if inet proto tcp from any to any port >1024 modulate state queue ( in_std, in_ack )
```

Thanks!


----------



## Shamrock (Sep 1, 2010)

qwaven said:
			
		

> I have not been able to find a debug command for GRE on Cisco. However I do not believe the problem is with Cisco as the same device worked fine with a previous machine.



I wouldn't be so sure. I got similiar problems on OpenBSD with GRE tunnel and each time I had to use "shut/noshut" command on cisco.
Check configuration on both cisco and FreeBSD i.e. MTU on interfaces.


----------



## aragon (Sep 2, 2010)

Since you're using PF, it might be a state timeout issue.  Are you seeing any GRE packets getting blocked?

See "STATEFUL TRACKING OPTIONS" in pf.conf(5) for increasing the timeouts on your GRE specific rules.


----------



## qwaven (Sep 2, 2010)

Thanks for your help.

Since my previous post I tried setting the BSD box up similar to how our test machine (which did not disconnect) was previously. This means there is only 1 interface in use, no nat, and block in/out rules are disabled. 

I now notice the tunnel drops even faster since the change. 

(I believe this is what you were referring to, explanation from OPTIONS)


```
set timeout

	   interval   Interval between purging expired states and fragments.
	   frag       Seconds before an unassembled fragment is expired.
	   src.track  Length of time to retain a source tracking entry after
		      the last state expires.
```

I've set in my PF.conf the following and still no change.


```
set optimization conservative
set limit states 20000
set timeout src.track 60
```

Also note the firewall is only used for the proxy purposes and thus changing the timeouts on a global scale should be fine.

Thanks for your help!


----------

