
GRE tunnel to Cisco router fails in 1.2.0 - works in 1.1.8
Closed, Resolved (Public)

Description

After some research (after an upgrade which stopped working), I have identified an issue where the same config of GRE tunnel between VyOS and a Cisco router (running IOS 15.1) worked with 1.1.8 & fails with 1.2.0.

The VyOS config (from a blank install) is:-

set interfaces ethernet eth0 address 192.168.99.101/24

set interfaces tunnel tun1 address '172.31.99.101/24'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '192.168.99.101'
set interfaces tunnel tun1 mtu '1476'
set interfaces tunnel tun1 multicast 'disable'
set interfaces tunnel tun1 remote-ip '192.168.99.102'

The Cisco config is:-

interface Tunnel1
 ip address 172.31.99.102 255.255.255.0
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.99.101
!
interface FastEthernet0/0
 ip address 192.168.99.102 255.255.255.0
 duplex auto
 speed auto

With 1.1.8 the tunnel comes up on the Cisco end and one can ping both ways. With 1.2.0, it does not come up and the VyOS end repeatedly logs:-

Apr  6 14:37:11 localhost kernel: [  261.542958] IPv4: martian source 192.168.99.102 from 192.168.99.101, on dev tun1
Apr  6 14:37:21 localhost kernel: [  271.541949] IPv4: martian source 192.168.99.102 from 192.168.99.101, on dev tun1

Looking at a PCAP of the packets coming from the Cisco on both versions, I have been unable to spot any difference between them.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201904060337

Event Timeline

matthewr created this task. Apr 6 2019, 3:05 PM
matthewr created this object in space S1 VyOS Public.
matthewr triaged this task as High priority.
pasik added a subscriber: pasik. Apr 10 2019, 2:43 PM

With apologies (not having used Phabricator before), I think I may not have filed this bug report correctly. I also did not intend to "triage" it when filing it, as this should be done by a responsible adult! :-)

Am adding a couple of tags to try to get it to look like other bug reports...

syncer changed the task status from Open to Needs testing. Apr 17 2019, 8:57 PM
syncer assigned this task to zsdc.
syncer lowered the priority of this task from High to Low.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
zsdc added a comment. Apr 18 2019, 9:46 PM

Hello, @matthewr!

Unfortunately, current Linux GRE and network stack implementations don't support Cisco-style GRE keepalives (GRE inside GRE, with spoofed IP addresses). From the Linux point of view, those packets look like martians, and the kernel drops them; you can see information about this in the log.
Try disabling the keepalive on the Cisco side; after this, the tunnel must be fully functional.
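
An added example for triaging the log entries discussed in the comment above (not code from VyOS or from anyone on this task): it separates martian entries that have the keepalive shape (tunnel device, source equal to the tunnel's local-ip, destination equal to its remote-ip, spaced at the peer's `keepalive 10 3` period) from any other martian entries. The `Tunnel` type, the `classify` function and the third log line are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Kernel message layout: "martian source <daddr> from <saddr>, on dev <ifname>".
# The first address is the packet's destination, the second its source.
MARTIAN_RE = re.compile(
    r"kernel: \[\s*(?P<ts>\d+\.\d+)\] IPv4: martian source "
    r"(?P<daddr>\d+(?:\.\d+){3}) from (?P<saddr>\d+(?:\.\d+){3}), "
    r"on dev (?P<dev>\S+)"
)

@dataclass(frozen=True)
class Tunnel:  # hypothetical helper type, not a VyOS structure
    dev: str
    local_ip: str
    remote_ip: str
    keepalive_s: float  # period configured on the peer ("keepalive 10 3")

def classify(lines, tun, tolerance_s=1.0):
    """Separate keepalive-shaped martian entries from all other martians."""
    hits, other = [], []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if not m:
            continue  # not a martian log entry
        # Keepalive shape: seen on the tunnel device, source is our own
        # tunnel endpoint, destination is the peer's tunnel endpoint.
        if (m["dev"], m["saddr"], m["daddr"]) == (tun.dev, tun.local_ip, tun.remote_ip):
            hits.append(float(m["ts"]))
        else:
            other.append(line)
    gaps = [b - a for a, b in zip(hits, hits[1:])]
    periodic = bool(gaps) and all(abs(g - tun.keepalive_s) <= tolerance_s for g in gaps)
    return {"keepalive": len(hits), "periodic": periodic, "other": other}

TUN = Tunnel("tun1", "192.168.99.101", "192.168.99.102", 10.0)
LOG = [
    # first two lines are from the report; the third is constructed
    "Apr  6 14:37:11 localhost kernel: [  261.542958] IPv4: martian source 192.168.99.102 from 192.168.99.101, on dev tun1",
    "Apr  6 14:37:21 localhost kernel: [  271.541949] IPv4: martian source 192.168.99.102 from 192.168.99.101, on dev tun1",
    "Apr  6 14:37:25 localhost kernel: [  275.100000] IPv4: martian source 192.168.99.101 from 10.0.0.5, on dev eth0",
]

if __name__ == "__main__":
    print(classify(LOG, TUN))
```

Entries returned under `other` do not match the tunnel keepalive shape and are the ones to examine as possible spoofing or routing faults.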

syncer closed this task as Resolved. Apr 19 2019, 12:47 AM

@zsdc,

Thank you most kindly for the information. Adding:-

interface tunnel1
 no keepalive

gets the tunnel working correctly. Much appreciated...

c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board. May 6 2019, 4:54 PM