FortiGate
nprakash, Staff
Article Id 306853
Description

This article describes a GRE tunnel that stops passing traffic after a FortiGate is upgraded to v7.4.X, shows how to confirm the problem from the tunnel counters, and lists the outputs TAC needs to investigate it.

Scope

FortiGate v7.4.X.

Solution

After upgrading a FortiGate from v7.0.x or v7.2.x to v7.4.X, traffic sent through a GRE tunnel may be dropped. The following outputs can be collected to confirm the issue:

  1. A packet sniffer on the FortiGate shows the inner packet being handed to the GRE interface for transmission (gre-tun1 out), but, although the filter also matches GRE (IP protocol 47), no encapsulated packet is seen leaving the unit and the traffic is not received on the other end:

FGT1 # diagnose sniffer packet any 'ip proto 47 or icmp' 4 1000
0.135994 mgmt in 10.10.1.240 -> 8.8.8.8: icmp: echo request
0.136059 gre-tun1 out 10.255.10.1 -> 8.8.8.8: icmp: echo request

 

  2. The GRE interface statistics show the TX error and collision counters increasing between two consecutive runs, while the TX packet counter does not advance at all (RX keeps working, so the remote end is still reaching this unit):

fnsysctl ifconfig gre-tun1
gre-tun1 Link encap:Unknown HWaddr 8E:D7:73:84:00:00
inet addr:10.255.10.1 Mask:255.255.255.254
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1476 Metric:1
RX packets:16908668 errors:0 dropped:0 overruns:0 frame:0
TX packets:2459 errors:15593387 dropped:0 overruns:0 carrier:1   <----- errors:15593387
collisions:15588326 txqueuelen:0                                  <----- collisions:15588326
RX bytes:1856614668 (1.7 GB) TX bytes:1606625 (1.5 MB)

fnsysctl ifconfig gre-tun1
gre-tun1 Link encap:Unknown HWaddr 8E:D7:73:84:00:00
inet addr:10.255.10.1 Mask:255.255.255.254
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1476 Metric:1
RX packets:16947707 errors:0 dropped:0 overruns:0 frame:0
TX packets:2459 errors:15630445 dropped:0 overruns:0 carrier:1   <----- errors:15630445
collisions:15625372 txqueuelen:0                                  <----- collisions:15625372
RX bytes:1860824338 (1.7 GB) TX bytes:1606625 (1.5 MB)

 

  3. The output of 'diagnose sys gre list' shows the same collision counter for the tunnel:

diagnose sys gre list
vd=0 devname=gre-tun1 devindex=43 ifindex=76
saddr=100.100.100.100 daddr=200.200.200.200 rpdb=0 ref=0
key=0/0 flags=0/0 dscp-copy=0 diffservcode=000000
  RX bytes:1856614344 (1770.6 Mb) TX bytes:1606625 (1.5 Mb);
  RX packets:16908665, TX packets:2459, TX carrier_err:1 collisions:15588323
  npu-info: asic_offload=0, enc/dec=0/0, enc_bk=0/0/0/0, dec_bk=0/0/0/0
  rpdb-ver: ffffffff rpdb-gwy: 0.0.0.0 rpdb-oif: 0
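
To make the checks in steps 2 and 3 repeatable across the several runs TAC asks for, the following Python script, added here as an example and not part of the original article or of FortiOS, parses saved 'fnsysctl ifconfig <gre_tunnel_name>' and 'diagnose sys gre list' output and flags the signature described above: collisions and TX errors climbing while the TX packet counter stays flat. The broken-tunnel counters are copied from the outputs above; the healthy-tunnel values and the verdict logic are constructed for this example.

```python
import re

# Constructed sample input: the two consecutive 'fnsysctl ifconfig gre-tun1'
# snapshots shown in the article, pasted verbatim (inline annotations removed).
IFCONFIG_BROKEN_1 = """\
gre-tun1 Link encap:Unknown HWaddr 8E:D7:73:84:00:00
inet addr:10.255.10.1 Mask:255.255.255.254
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1476 Metric:1
RX packets:16908668 errors:0 dropped:0 overruns:0 frame:0
TX packets:2459 errors:15593387 dropped:0 overruns:0 carrier:1
collisions:15588326 txqueuelen:0
RX bytes:1856614668 (1.7 GB) TX bytes:1606625 (1.5 MB)
"""

IFCONFIG_BROKEN_2 = """\
gre-tun1 Link encap:Unknown HWaddr 8E:D7:73:84:00:00
inet addr:10.255.10.1 Mask:255.255.255.254
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1476 Metric:1
RX packets:16947707 errors:0 dropped:0 overruns:0 frame:0
TX packets:2459 errors:15630445 dropped:0 overruns:0 carrier:1
collisions:15625372 txqueuelen:0
RX bytes:1860824338 (1.7 GB) TX bytes:1606625 (1.5 MB)
"""

# Hypothetical counters for a healthy tunnel (constructed, not from the
# article): TX packets grow, errors and collisions stay flat.
IFCONFIG_HEALTHY_1 = """\
RX packets:1000 errors:0 dropped:0 overruns:0 frame:0
TX packets:900 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
"""
IFCONFIG_HEALTHY_2 = """\
RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
TX packets:1100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
"""

# The 'diagnose sys gre list' output from the article (constructed sample input).
GRE_LIST = """\
vd=0 devname=gre-tun1 devindex=43 ifindex=76
saddr=100.100.100.100 daddr=200.200.200.200 rpdb=0 ref=0
key=0/0 flags=0/0 dscp-copy=0 diffservcode=000000
  RX bytes:1856614344 (1770.6 Mb) TX bytes:1606625 (1.5 Mb);
  RX packets:16908665, TX packets:2459, TX carrier_err:1 collisions:15588323
  npu-info: asic_offload=0, enc/dec=0/0, enc_bk=0/0/0/0, dec_bk=0/0/0/0
  rpdb-ver: ffffffff rpdb-gwy: 0.0.0.0 rpdb-oif: 0
"""

PKT_RE = re.compile(r"\b(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+)")
COLL_RE = re.compile(r"\bcollisions:(\d+)")
GRE_NAME_RE = re.compile(r"devname=(\S+)")
GRE_ADDR_RE = re.compile(r"saddr=(\S+) daddr=(\S+)")
GRE_CNT_RE = re.compile(
    r"RX packets:(\d+), TX packets:(\d+), TX carrier_err:(\d+) collisions:(\d+)"
)


def parse_ifconfig(text):
    """Pull RX/TX packet, error, drop and collision counters out of one
    'fnsysctl ifconfig <gre_tunnel_name>' block."""
    stats = {}
    for direction, pkts, errs, dropped in PKT_RE.findall(text):
        d = direction.lower()
        stats[f"{d}_packets"] = int(pkts)
        stats[f"{d}_errors"] = int(errs)
        stats[f"{d}_dropped"] = int(dropped)
    m = COLL_RE.search(text)
    stats["collisions"] = int(m.group(1)) if m else 0
    return stats


def parse_gre_list(text):
    """Return one dict per tunnel from 'diagnose sys gre list' output.
    Each tunnel entry starts with a line beginning 'vd='."""
    tunnels = []
    for block in re.split(r"(?m)^(?=vd=)", text):
        name, cnt = GRE_NAME_RE.search(block), GRE_CNT_RE.search(block)
        if not (name and cnt):
            continue
        addr = GRE_ADDR_RE.search(block)
        tunnels.append({
            "devname": name.group(1),
            "saddr": addr.group(1) if addr else None,
            "daddr": addr.group(2) if addr else None,
            "rx_packets": int(cnt.group(1)),
            "tx_packets": int(cnt.group(2)),
            "tx_carrier_err": int(cnt.group(3)),
            "collisions": int(cnt.group(4)),
        })
    return tunnels


def analyze(snapshots):
    """Compare chronologically ordered parse_ifconfig() results. The article's
    signature is collisions and TX errors climbing while TX packets never
    advance, even though RX keeps flowing from the remote end."""
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots taken some time apart")
    first, last = snapshots[0], snapshots[-1]
    delta = {k: last[k] - first[k]
             for k in ("rx_packets", "tx_packets", "tx_errors", "collisions")}
    delta["tx_stalled"] = delta["collisions"] > 0 and delta["tx_packets"] == 0
    return delta


if __name__ == "__main__":
    verdict = analyze([parse_ifconfig(IFCONFIG_BROKEN_1),
                       parse_ifconfig(IFCONFIG_BROKEN_2)])
    for tun in parse_gre_list(GRE_LIST):
        print(f"{tun['devname']} {tun['saddr']}->{tun['daddr']} "
              f"collisions={tun['collisions']}")
    print("TX stalled, GRE encapsulation failing" if verdict["tx_stalled"]
          else "counters look healthy", verdict)
```

Paste each of the five 'fnsysctl ifconfig' runs into its own string and feed them to analyze() in order; a tunnel where TX packets advance and collisions stay flat between runs is not exhibiting this defect, and the problem should be sought elsewhere (routing, MTU, the far end) before suspecting the upgrade.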


This issue is fixed in FortiOS v7.4.4 (not yet released at the time of writing). The issue is not observed in FortiOS v7.0.X and v7.2.X.

Logs required by TAC to investigate this issue:

diag sys gre list (run it 5 times)

fnsysctl ifconfig <gre_tunnel_name> (run it 5 times)

diag sniffer packet any " proto 47 or (host x.x.x.x and host y.y.y.y) " 4 100 l   (x.x.x.x is the GRE source IP, y.y.y.y the GRE destination IP)

exec tac report

Configuration file of the FortiGate
