GRE tunnel bound to a loopback interface in a VSYS is not working.

Article ID: KB24960 KB Last Updated: 18 Jun 2012 Version: 1.0
Summary:
A GRE tunnel bound to a loopback interface in a custom VSYS on an ISG2000 was not working. The loopback interface needed to be reassigned to the correct zone.
Symptoms:
A GRE tunnel interface was configured in a custom VSYS on an ISG2000, and was bound to a loopback interface in the same VSYS. Routing and policies were configured on the relevant VRs and the remote device (GRE peer) so that the loopback interface was reachable via ping, but the GRE traffic continued to be dropped. Debug flow basic showed the received GRE packets being dropped with "for self, but not interested".
Cause:

Solution:
In the Concepts and Examples (C&E) Guide under the Multicast Routing chapter, there is a note stating the following:

NOTE: You can enable GRE on a tunnel interface that is bound to a loopback interface as long as the loopback interface is on the same zone as the outgoing interface.

In the above-mentioned configuration, the "outgoing" (physical) interface was in the Root VSYS's Untrust zone, but the loopback interface that the GRE tunnel was bound to was in the Trust zone of the custom VSYS, so the tunnel was failing.

NB: Moving the loopback to the Untrust zone of the custom VSYS did not help; the tunnel still failed. The loopback interface needed to be created in the Root VSYS Untrust zone, the same as the physical interface.

Because the Untrust zone is shared, the loopback was available in the custom VSYS to bind the GRE tunnel to. After this change, the GRE tunnel began working and the GRE keepalives flagged the interface as "up".

nsisg2000-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready 

Interfaces in vsys Root: 
Name           IP Address                        Zone        MAC            VLAN State VSD Vsys 
mgt            192.168.1.1/24                    MGT         0010.dbbb.e700    -   U   -   Root 
eth1/1         172.27.18.191/24                  Untrust     0010.dbbb.e707    -   U   -   Root 
eth1/2         0.0.0.0/0                         Null        0010.dbbb.e708    -   U   -   Root 
loopback.1     23.4.4.4/32                       Untrust     N/A               -   U   -   Root 
vlan1          0.0.0.0/0                         VLAN        0010.dbbb.e70f    1   D   -   Root 
null           0.0.0.0/0                         Null        N/A               -   U   -   Root 
nsisg2000->


nsisg2000-> enter vsys test
nsisg2000(test)-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready 

Interfaces in vsys test: 
Name           IP Address                        Zone        MAC            VLAN State VSD Vsys 
eth1/1         172.27.18.191/24                  Untrust     0010.dbbb.e707    -   U   -   Root 
eth1/2         0.0.0.0/0                         Null        0010.dbbb.e708    -   U   -   Root 
tun.1          23.10.10.1/24                     Trust-test  N/A               -   U   -   test 
loopback.1     23.4.4.4/32                       Untrust     N/A               -   U   -   Root <-- Created in Root VSYS (working)
loopback.2     0.0.0.0/0                         Untrust     N/A               -   U   -   test <-- Created in custom VSYS (fails)
null           0.0.0.0/0                         Null        N/A               -   U   -   Root 
nsisg2000(test)-> 
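
The check described above, as an added Python example (not Juniper's code): it parses the `get int` rows captured in vsys test and flags a loopback whose zone or owning VSYS differs from the outgoing interface. The function names are hypothetical, and reading the Vsys column as the VSYS the interface was created in follows the annotations in the output above.

```python
import re

# `get int` rows from vsys "test", copied from the output above (annotations removed).
GET_INT = """\
Name           IP Address                        Zone        MAC            VLAN State VSD Vsys
eth1/1         172.27.18.191/24                  Untrust     0010.dbbb.e707    -   U   -   Root
eth1/2         0.0.0.0/0                         Null        0010.dbbb.e708    -   U   -   Root
tun.1          23.10.10.1/24                     Trust-test  N/A               -   U   -   test
loopback.1     23.4.4.4/32                       Untrust     N/A               -   U   -   Root
loopback.2     0.0.0.0/0                         Untrust     N/A               -   U   -   test
null           0.0.0.0/0                         Null        N/A               -   U   -   Root
"""

COLUMNS = ("name", "ip", "zone", "mac", "vlan", "state", "vsd", "vsys")
IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/\d+$")


def parse_get_int(text):
    """Return {interface: row dict} for the table rows of ScreenOS `get int` output."""
    rows = {}
    for line in text.splitlines():
        fields = line.split("<--")[0].split()  # drop trailing "<-- ..." notes
        # Legend, header and prompt lines do not have 8 fields with an IP second.
        if len(fields) == len(COLUMNS) and IP_RE.match(fields[1]):
            rows[fields[0]] = dict(zip(COLUMNS, fields))
    return rows


def gre_loopback_problems(rows, loopback, outgoing):
    """List why `loopback` cannot carry GRE out of `outgoing` (empty list = OK)."""
    lo, out = rows[loopback], rows[outgoing]
    problems = []
    if lo["zone"] != out["zone"]:
        problems.append(f"{loopback} zone {lo['zone']} != {outgoing} zone {out['zone']}")
    # Per the article's NB, the same zone name is not enough: the loopback must
    # also be created in the VSYS that owns the outgoing interface.
    if lo["vsys"] != out["vsys"]:
        problems.append(f"{loopback} vsys {lo['vsys']} != {outgoing} vsys {out['vsys']}")
    return problems


if __name__ == "__main__":
    table = parse_get_int(GET_INT)
    for lo in sorted(n for n in table if n.startswith("loopback.")):
        print(lo, gre_loopback_problems(table, lo, "eth1/1") or "OK")
```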