Hello

Usually I configure GRE tunnels between Cisco and Cisco but now I have to do it between Cisco and Mikrotik , normally on Cisco I use

keep alive 5 4

But how to do it on Mikrotik ?

Please I need your help


Best Regards

No idea what the 5 and 4 mean on Cisco, however on Mikrotik, you add keepalive=interval,count as parameters on the /interface gre row. interval specifies how often to send the keepalive packets, count tells how many of them must fail in order that the interface was considered down. The default is 10s,10.

But there are other caveats with GRE on Mikrotik:

• after some security patch in 6.45.something, received GRE packets are labelled with connection-state=invalid before they can reach a permissive rule (even if the Mikrotik sends its own GRE packets in the opposite direction); until this gets resolved, you have to modify the action=drop connection-state=invalid rule in the default firewall with protocol=!gre to prevent it from dropping all received GRE packets prematurely
• the GRE keepalive packet carries a pre-cooked response GRE packet as its payload (so that no dedicated code for keepalive responses was necessary at the recipient of the keepalive). Hence tight firewall rules may prevent such a pre-cooked response packet from being delivered, as its in-interface is the GRE one to which the keepalive came, and its out-interface is (typically) the WAN one, i.e. they are forwarded packets, not ones sent by the device itself. So your firewall must permit such packets to be forwarded (something like chain=forward in-interface-list=all-gre out-interface-list=WAN protocol=gre action=accept). all-gre is not a pre-defined interface list, you must create and maintain it on your own. This has nothing to do with the point above, i.e. there is nothing to "fix" about it.

Thanks Sindy for the answer

5 4 means 5 = seconds = 4 retries

Can anyone help me how to configure on GUI ? Please


Best Regards

If you can use command line on Cisco, why the same scares you on Mikrotik? You can easily translate the command line hierarchy of items to the GUI hierarchy, it is at most places 1:1.

/interface gre
add remote-address=the.cisco.ip.address keepalive=5s,4 name=gre-to-cisco disabled=yes

/interface list
add name=all-gre

/interface list member
add list=all-gre interface=gre-to-cisco

/ip firewall filter
set [find chain~"input" action~"drop" connection-state~"invalid"] protocol=!gre
add chain=forward in-interface-list=all-gre prototol=gre out-interface-list=WAN action=accept

You have to place the second rule to the proper place among other rules in the firewall filter (somewhere right after the action=accept connection-state=established,related,untracked one if you use the default firewall). If you want a more precise suggestion, you have to post the export of your current configuration.

If the GRE tunnel doesn't come up, disable it for more than 10 minutes at both the Mikrotik and the Cisco, and then enable it again.

Thanks Sindy