Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fernsucht

GRE tunnel not working

Dear fellows,

I am trying to troubleshoot a GRE tunnel between two FortiGates: FG30 and FG60. Both devices have public IPs via LTE routers in bridge/IP Passthrough mode giving them static public IPs.

 

CLI configuration of FortiGate 60:

config system gre-tunnel
    edit "tofg30"
        set interface "wan1"
        set local-gw xxx.125.176.5
        set remote-gw xxx.194.12.3
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "tofg30"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "tofg30"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set device "tofg30"
        set dst 192.168.200.0 255.255.255.0
    next
end

CLI configuration of FortiGate 30:

config system gre-tunnel
    edit "tofg60"
        set interface "wan"
        set local-gw xxx.194.12.3
        set remote-gw xxx.125.176.5
    next
end
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "tofg60"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "tofg60"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set device "tofg60"
        set dst 192.168.145.0 255.255.255.0
    next
end

'diagnose sys gre list' on FG60 shows the following:

FGT60DTK18000965 # diagnose sys gre list

vd=0 devname=tofg30 devindex=5 ifindex=19
saddr=xxx.125.176.5 daddr=xxx.194.12.3 ref=2
key=0/0 flags=0/0
  RX bytes:0 (0.0 b)  TX bytes:9072 (8.8 kb);
  RX packets:0, TX packets:84, TX carrier_err:0 collisions:0
  npu-info: asic_offload=0, enc/dec=0/0, enc_bk=0/0/0, dec_bk=0/0/0

total tunnel = 1

The sniffer on the FG30 shows the following:

FG30 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
1.126835 lan in 192.168.200.6 -> 192.168.145.99: icmp: echo request
1.126867 tofg60 out 192.168.200.6 -> 192.168.145.99: icmp: echo request
2.150771 lan in 192.168.200.6 -> 192.168.145.99: icmp: echo request
2.150797 tofg60 out 192.168.200.6 -> 192.168.145.99: icmp: echo request
3.176916 lan in 192.168.200.6 -> 192.168.145.99: icmp: echo request
3.176948 tofg60 out 192.168.200.6 -> 192.168.145.99: icmp: echo request
4.199176 lan in 192.168.200.6 -> 192.168.145.99: icmp: echo request
4.199203 tofg60 out 192.168.200.6 -> 192.168.145.99: icmp: echo request
5.222475 lan in 192.168.200.6 -> 192.168.145.99: icmp: echo request
5.222502 tofg60 out 192.168.200.6 -> 192.168.145.99: icmp: echo request
6.249261 lan in 192.168.200.6 -> 192.168.145.99: icmp: echo request
6.249290 tofg60 out 192.168.200.6 -> 192.168.145.99: icmp: echo request
7.272560 lan in 192.168.200.6 -> 192.168.145.99: icmp: echo request
7.272585 tofg60 out 192.168.200.6 -> 192.168.145.99: icmp: echo request
^C
14 packets received by filter
0 packets dropped by kernel

FG30 # diagnose sniffer packet any "host xxx.125.176.5" 4
interfaces=[any]
filters=[host xxx.125.176.5]
1.177247 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
2.202103 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
3.225327 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
4.250097 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
5.274093 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
6.300461 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
7.324075 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
8.347504 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
9.371989 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
10.393247 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
11.417767 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
12.443039 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
13.465918 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
14.492662 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
15.515573 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
16.538780 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
17.567484 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
18.587913 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
19.611245 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
20.635706 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
21.658724 wan out 216.194.12.3 -> xxx.125.176.5: gre: length 88 proto-800
^C
21 packets received by filter
0 packets dropped by kernel

 

'get sys interface' shows the following on FG60:

== [ internal ]

name: internal   mode: static    ip: 192.168.145.99 255.255.255.0   status: up    netbios-forward: disable    type: hard-switch   netflow-sampler: disable    sflow-sampler: disable    scan-botnet-connections: disable    src-check: enable    mtu-override: disable    wccp: disable    drop-overlapped-fragment: disable    drop-fragment: disable    

== [ tofg30 ]

name: tofg30   ip: 0.0.0.0 0.0.0.0   status: up    netbios-forward: disable    type: tunnel   netflow-sampler: disable    sflow-sampler: disable    scan-botnet-connections: disable    src-check: enable    mtu-override: disable    wccp: disable    

On the LTE router in front of FG60 I do see in a packet capture that there are attempts to reach it from FG30:

5360 15:10:57.115756 192.168.200.6 192.168.145.99 ICMP 122 Echo (ping) request  id=0xa5f7, seq=56/14336, ttl=63 (no response found!)

 

Yet it does not seem to reach FG60, and no pings go out to FG30.

 

I am fairly new to FortiGate and would greatly appreciate any advice based on the above configuration and command outputs as to how to go about troubleshooting this failed GRE tunnel.

emnoc

Any packet filter in the modems? The problem is obvious with no RX packets.

Ken Felix
PCNSE NSE StrongSwan
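The script below is an added worked example; it is not code from the thread, from Ken, or from Fortinet. It rebuilds the encapsulated ping that FG30's sniffer reports as "gre: length 88 proto-800", decodes it the way the modem's capture did (down to the inner ICMP id/seq), and classifies the RX/TX counter line of 'diagnose sys gre list'. It makes the two facts behind the reply above concrete: GRE is IP protocol 47, neither TCP nor UDP, so a modem filter or passthrough implementation that only handles TCP/UDP drops it while everything else keeps working; and a tunnel showing TX > 0 with RX = 0 is one whose peer's packets never arrive, which is why the capture on the remote side is the place to look. The public addresses are RFC 5737 placeholders standing in for the redacted xxx.* ones; reading the sniffer's "length 88" as GRE header plus encapsulated packet is my inference, though it agrees with the 122-byte frame in the modem capture (14 Ethernet + 20 outer IP + 88).

```python
"""GRE-over-IPv4 worked example: added here, not code from the thread or from Fortinet.
Rebuilds the encapsulated ping behind 'gre: length 88 proto-800', decodes it as a
capture tool would, and classifies a 'diagnose sys gre list' counter line."""
import ipaddress
import re
import struct

GRE_IP_PROTO = 47        # GRE is carried directly in IP: it is neither TCP nor UDP
ETHERTYPE_IPV4 = 0x0800  # the 'proto-800' in the sniffer line: an IPv4 packet inside


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header and ICMP use the same one)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Plain 20-byte IPv4 header (no options) with its checksum filled in."""
    def pack(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                           csum, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return pack(checksum(pack(0)))


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    def pack(csum: int) -> bytes:
        return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    return pack(checksum(pack(0)))


def gre_encapsulated_ping(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                          ident: int, seq: int, payload_len: int = 56, inner_ttl: int = 63) -> bytes:
    """Outer IPv4 (proto 47) + 4-byte GRE header (no C/K/S words) + inner IPv4/ICMP echo.
    56 data bytes is the Linux ping default; inner_ttl=63 matches the modem capture
    (the host sent TTL 64 and FG30 decremented it once)."""
    inner = ipv4_header(inner_src, inner_dst, 1, 8 + payload_len, inner_ttl) \
        + icmp_echo_request(ident, seq, bytes(range(payload_len)))
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner      # flags=0, version=0
    return ipv4_header(outer_src, outer_dst, GRE_IP_PROTO, len(gre), 64) + gre


def decode_gre(pkt: bytes) -> dict:
    """Parse outer IPv4, the GRE header (skipping optional C/K/S words) and the inner
    IPv4/ICMP. A capture that decodes through GRE shows these inner fields, which is
    why the modem in front of FG60 listed the packet as ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_IP_PROTO:
        raise ValueError("not GRE: IP protocol %d" % pkt[9])
    flags, ethertype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    gre_hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    inner = pkt[ihl + gre_hdr_len:]
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "ip_proto": pkt[9],
        # GRE header plus encapsulated packet; assumed to be the sniffer's 'length'
        # (consistent with the 122-byte frame: 14 Ethernet + 20 IP + 88)
        "gre_len": len(pkt) - ihl,
        "gre_ethertype": ethertype,
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_ttl": inner[8],
    }
    if inner[9] == 1:  # ICMP inside
        itype, _code, _csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", inner[inner_ihl:inner_ihl + 8])
        info["icmp"] = (itype, icmp_id, icmp_seq)
    return info


def tunnel_verdict(gre_list_output: str) -> str:
    """Classify one 'diagnose sys gre list' entry by its packet counters."""
    m = re.search(r"RX packets:(\d+),\s*TX packets:(\d+)", gre_list_output)
    if not m:
        raise ValueError("no RX/TX packet counters in output")
    rx, tx = int(m.group(1)), int(m.group(2))
    if rx == 0 and tx == 0:
        return "idle"        # nothing routed into the tunnel: check policy and static route first
    if rx == 0:
        return "tx-only"     # our GRE leaves, the peer's never arrives: look for proto-47 filtering in front of us
    if tx == 0:
        return "rx-only"     # mirror image: the peer should look in front of itself
    return "bidirectional"


# Counter block copied from the thread's FG60 output (addresses redacted as posted).
FG60_GRE_LIST = """\
vd=0 devname=tofg30 devindex=5 ifindex=19
saddr=xxx.125.176.5 daddr=xxx.194.12.3 ref=2
key=0/0 flags=0/0
  RX bytes:0 (0.0 b)  TX bytes:9072 (8.8 kb);
  RX packets:0, TX packets:84, TX carrier_err:0 collisions:0
"""

if __name__ == "__main__":
    # placeholders for xxx.194.12.3 (FG30) -> xxx.125.176.5 (FG60); id/seq from the modem capture
    pkt = gre_encapsulated_ping("203.0.113.3", "198.51.100.5", "192.168.200.6", "192.168.145.99",
                                ident=0xA5F7, seq=56)
    print("IP packet %d bytes, Ethernet frame %d bytes" % (len(pkt), len(pkt) + 14))
    print(decode_gre(pkt))
    print(tunnel_verdict(FG60_GRE_LIST))
```

Run directly, it prints the 108-byte packet's decode (88-byte GRE segment, ethertype 0x0800, inner 192.168.200.6 -> 192.168.145.99 with id 0xa5f7, seq 56) and the verdict "tx-only" for the FG60 counters. The practical consequence for the LTE modem check: whatever filter or port-forwarding logic it applies must pass IP protocol 47 in both directions, which a rule set expressed only in TCP/UDP ports cannot do.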
fernsucht

Thank you, Ken. In fact, I replaced it with a different brand of LTE modem and the GRE tunnel worked right away without any config changes, meaning the FG configs are correct. I will be looking at the firewall and packet filters on my LTE modem and will post my findings soon. Thank you very much!
