Romell
just joined
Topic Author
Posts: 13
Joined: Fri Aug 28, 2020 4:21 pm

Mikrotik and Cisco Router GRE Tunnel Problem

Thu Jan 14, 2021 11:19 am

Hello ,

I've posted a problem about the GRE tunnel between a Mikrotik and a Cisco router, which has a keepalive problem.

I mean, when I configure keepalive on both sides the tunnel goes down, and when I remove the keepalive the tunnel is up and running!

I really need to know what the reasons for this problem could be, I mean the possibilities. Please, I really need your help.


Best Regards
 
sindy
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Thu Jan 14, 2021 3:28 pm

I wonder why you open a new topic rather than continuing in the existing one. Your last post there was just "thank you", so I expected it had started to work.

Without the keepalive, the system (doesn't matter whether Cisco IOS or Mikrotik RouterOS) cannot know whether the transport packets of the tunnel can get through or not, so it always reports the tunnel interface as up even if no transport packets are coming. So when you say "tunnel is up and running", does it mean that you've tested that you can actually use it or it's just that the devices report the tunnel interfaces as being up? The direction of further investigation depends on this answer.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Romell
just joined
Topic Author
Posts: 13
Joined: Fri Aug 28, 2020 4:21 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Thu Jan 14, 2021 5:26 pm

I'm so sorry Sindy

Actually, by "the tunnel is up and running" I meant it's OK and I can ping, but once I configure the keepalive on both sides the tunnel goes down!

I can't figure out where the problem is! How can I know where to search, I mean the firewall? I don't know.



And sorry again for opening a new post.
 
sindy
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Thu Jan 14, 2021 6:30 pm

Actually I meant the tunnel is up and running means it's ok and I can ping
Good, so the only issue is the handling of keepalive packets.

I can't figure out where the problem is! How can I know where to search, I mean the firewall? I don't know.
I'll summarize again - the way GRE keepalive works, it needs no special algorithm on the remote side. The sender of the keepalive packet prepares the response, which is the GRE packet the remote side would send if it were to encapsulate an empty payload, and sends that response as the payload of its own GRE packet. So the whole keepalive request packet looks as follows (simplified):
from:A.A.A.A to:B.B.B.B type:GRE payload:{from:B.B.B.B to:A.A.A.A type:GRE payload:{}}
The recipient handles such a packet exactly the same way it would handle any other GRE packet coming from the peer - it extracts the inner GRE packet and forwards it to its destination, which happens to be the sender of the keepalive request packet.

Now on Mikrotik, a different path through the firewall is used for packets generated by the router itself and for packets received from somewhere else, which the router is just forwarding. So if a payload packet coming in via some in-interface is routed via a GRE tunnel, it is handled by firewall chain forward and its out-interface is the GRE interface; the GRE packet into which that payload packet gets encapsulated is sent by the router itself (so it has no in-interface defined), and is handled by firewall chain output.

So whereas the keepalive request packet is handled by chain output, the keepalive response packet is handled by chain forward.

On Cisco, the philosophy of the firewall is different, and I don't know it well enough to suggest anything.

But if you enable the keepalive only at the Cisco side, you can make the command line window at the Mikrotik side as wide as your screen allows and run /tool sniffer quick interface=the-gre-interface-name ip-protocol=gre in it, and it should show you packets which come in via the GRE interface and have a source address of the Mikrotik itself and a destination address of the Cisco - these are the "prepaid" keepalive responses. If you add the Cisco-facing interface name to the interface list in that command (so it will say interface=the-gre-interface-name,cisco-facing-interface-name), you should see the keepalive request arrive through the Cisco-facing one, the keepalive response coming in via the GRE interface, and the same response leaving through the Cisco-facing one. If the second item on this list is missing, the decapsulation doesn't work, which is unlikely; if the third one is missing, the firewall at the Mikrotik side blocks it, or you use some policy routing which causes the response to be misrouted.
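The three-item sniffer check described in the post above, turned into a small triage script. This is an added example, not MikroTik code or anything posted in the thread: the capture rows are constructed to resemble only the interface, direction, source and destination columns of /tool sniffer quick output (the real output has more columns), and the addresses and interface names (198.51.100.10, 203.0.113.20, gre1, ether1) are assumptions. It assumes, as the post does, that keepalive is enabled on the Cisco side only.

```python
"""Triage of a RouterOS sniffer capture for GRE keepalive, following the
three-step check in the post above. Added example, not MikroTik's code.
Capture rows are CONSTRUCTED; addresses and interface names are assumptions."""
from dataclasses import dataclass

MIKROTIK_IP = "198.51.100.10"   # assumed public IP of the Mikrotik
CISCO_IP = "203.0.113.20"       # assumed public IP of the Cisco
GRE_IF = "gre1"                 # assumed GRE interface name
WAN_IF = "ether1"               # assumed Cisco-facing interface name


@dataclass(frozen=True)
class Row:
    iface: str
    direction: str  # "<-" received on iface, "->" sent out of iface
    src: str
    dst: str


def parse_capture(text: str) -> list[Row]:
    """Parse the simplified, constructed capture format: IFACE DIR SRC DST."""
    rows = []
    for line in text.strip().splitlines():
        iface, direction, src, dst = line.split()
        rows.append(Row(iface, direction, src, dst))
    return rows


def triage(rows: list[Row]) -> tuple[str, dict[str, bool]]:
    """Look for the three packets a working keepalive produces on the Mikrotik
    and map whichever is missing to the cause the post names."""
    seen = {
        # 1. the keepalive request arrives from the Cisco on the WAN interface
        "request_in": any(r.iface == WAN_IF and r.direction == "<-"
                          and r.src == CISCO_IP and r.dst == MIKROTIK_IP for r in rows),
        # 2. the pre-cooked response emerges, decapsulated, on the GRE interface
        #    (source is the Mikrotik itself, destination is the Cisco)
        "response_decapsulated": any(r.iface == GRE_IF and r.direction == "<-"
                                     and r.src == MIKROTIK_IP and r.dst == CISCO_IP for r in rows),
        # 3. the same response leaves through the WAN interface
        "response_out": any(r.iface == WAN_IF and r.direction == "->"
                            and r.src == MIKROTIK_IP and r.dst == CISCO_IP for r in rows),
    }
    if not seen["request_in"]:
        verdict = "no keepalive request reaches the Mikrotik: look at the Cisco side or the path between them"
    elif not seen["response_decapsulated"]:
        verdict = "request arrives but nothing emerges on the GRE interface: decapsulation failing (unlikely)"
    elif not seen["response_out"]:
        verdict = "response decapsulated but never sent: firewall chain forward blocks it, or policy routing misroutes it"
    else:
        verdict = "keepalive request and response both pass: Mikrotik side is fine"
    return verdict, seen


# Constructed captures: a healthy exchange, then one where the response never leaves.
CAPTURE_OK = """
ether1 <- 203.0.113.20 198.51.100.10
gre1   <- 198.51.100.10 203.0.113.20
ether1 -> 198.51.100.10 203.0.113.20
"""
CAPTURE_BLOCKED = """
ether1 <- 203.0.113.20 198.51.100.10
gre1   <- 198.51.100.10 203.0.113.20
"""

if __name__ == "__main__":
    for name, cap in (("ok", CAPTURE_OK), ("blocked", CAPTURE_BLOCKED)):
        verdict, seen = triage(parse_capture(cap))
        print(name, seen, "->", verdict)
```

The script deliberately checks only the Mikrotik side: a missing first packet says nothing about the Mikrotik firewall, while a missing third packet with the second present is exactly the forward-chain (or policy-routing) case the post points at.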
 
Romell
just joined
Topic Author
Posts: 13
Joined: Fri Aug 28, 2020 4:21 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Thu Jan 14, 2021 11:52 pm

Hey Sindy, thanks a lot for all of this information.

The problem is I have the whole configuration from both sides, Mikrotik and Cisco router, but there is a lot of configuration on the Mikrotik router. I can see the whole configuration related to the GRE tunnel between the Cisco router and the Mikrotik, and I think the problem is in the firewall.

I did a simulation on my local machine with virtual routers for both Mikrotik and Cisco, and the tunnel works perfectly, but when I try it on a real setup using public IPs between the Mikrotik and the Cisco, the tunnel is down when I configure keepalive.
 
sindy
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Thu Jan 14, 2021 11:55 pm

Have you tried the sniffing as suggested above in the real life case? What did it show? Do both machines have public IP on themselves or is there some NAT between them?
 
Romell
just joined
Topic Author
Posts: 13
Joined: Fri Aug 28, 2020 4:21 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Fri Jan 15, 2021 12:03 am

They have public IPs. I didn't try sniffing because I have to make an appointment with the customer, because he is not allowing me to take full control.

I wish I could contact you directly. Honestly, tomorrow I'm going to copy the configuration to my local machine to see if the tunnel is going to go down. It's a big problem actually; if I had the router myself I could do it by myself, or at least try to solve it.
 
sindy
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Fri Jan 15, 2021 7:33 am

I'm not sure what the direct contact to me should change given that you don't have unlimited access to the routers. What are your expectations?

Can you at least export the configuration to see what the firewall looks like?

Do I read you right that the tunnel runs between public IP addresses of the routers with no encryption?
 
16again
Frequent Visitor
Posts: 51
Joined: Fri Dec 29, 2017 12:23 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Fri Jan 15, 2021 10:08 am

So whereas the keepalive request packet is handled by chain output, the keepalive response packet is handled by chain forward.
Forward to what? I'd expect keep-alive response ending up in input chain
 
Romell
just joined
Topic Author
Posts: 13
Joined: Fri Aug 28, 2020 4:21 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Fri Jan 15, 2021 10:37 am

I'm not sure what the direct contact to me should change given that you don't have unlimited access to the routers. What are your expectations?

Can you at least export the configuration to see what the firewall looks like?

Do I read you right that the tunnel runs between public IP addresses of the routers with no encryption?
Yes, just a simple GRE tunnel, not IPsec or anything else. I will put up the configuration of the Mikrotik router, hoping I can find a solution.
 
sindy
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Fri Jan 15, 2021 10:44 am

Forward to what? I'd expect keep-alive response ending up in input chain
At the device which has received the keepalive request, the "pre-cooked" keepalive response extracted from the request is forwarded from its in-interface, which is the GRE tunnel being keepalived itself, to some out-interface, which is the gateway interface facing towards the remote GRE peer.

Of course, at the device which has sent the keepalive request, the keepalive response is handled by input chain. But as the response is an ordinary GRE transport packet coming from the address to which the keepalive request has been previously sent (except that it has an empty payload), it is normally handled by the action=accept connection-state=established,related rule.
 
16again
Frequent Visitor
Posts: 51
Joined: Fri Dec 29, 2017 12:23 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Fri Jan 15, 2021 8:07 pm

At the device which has received the keepalive request, the "pre-cooked" keepalive response extracted from the request is forwarded from its in-interface, which is the GRE tunnel being keepalived itself, to some out-interface, which is the gateway interface facing towards the remote GRE peer.
I figure the GRE keep-alive request ends up in <local in> <router processes>, in the rectangle on the right in:
https://wiki.mikrotik.com/images/thumb/ ... _a.svg.png
Then the CPU creates the GRE keep-alive response, which loops once through all lower blocks to get encapsulated, and then is sent outbound. This without ever traversing the iptables forward chain.
 
sindy
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik and Cisco Router GRE Tunnel Problem

Fri Jan 15, 2021 9:36 pm

I figure the GRE keep-alive request ends up in <local in> <router processes>, in the rectangle on the right in:
https://wiki.mikrotik.com/images/thumb/ ... _a.svg.png
Then the CPU creates the GRE keep-alive response...
That would be true if the header of the GRE keepalive request packet contained some distinctive bit that would make the protocol stack distinguish it from ordinary GRE transport packets and handle it in a dedicated branch of an algorithm, resulting in local generation of a response packet.

But the reality is that there is no difference between the GRE keepalive request packet and ordinary GRE transport packets except that the payload of the keepalive request is the keepalive response prepared by the keepalive request sender. The idea behind this is that responding to a keepalive request requires zero additional effort from the recipient of the request, it is enough that it handles it like any other received GRE packet.

I.e. the received GRE transport packet reaches the <decapsulate?> decision block in the top right corner of the diagram you refer to, goes north-west to the /decapsulate/, the decapsulated payload emerges from the (logical interface) to the left, and through several decision blocks it arrives at point (I), where the routing finds out that the destination address is none of the router's own ones, so it sends the packet down the =forward> path to point (L).
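The keepalive mechanism argued over in the last few posts (the request carries its own pre-cooked response; the receiver merely decapsulates and forwards it), modelled in plain Python as an added example. This is not RouterOS, IOS or MikroTik code: the packet bytes are constructed here, the addresses are documentation ranges, and the 0x0000 GRE protocol type used for the empty inner payload is an assumption about what the real keepalive carries. The model records which firewall chain each packet would hit on a Linux-style stack such as RouterOS: output for the request on the sender, input then forward on the receiver, and input again for the response back on the sender. One caveat worth keeping in mind for a tunnel running in the clear between public addresses, as this one does: plain GRE carries no authentication, so a keepalive proves only that something at the peer address reflects the packet, not who that is.

```python
"""GRE keepalive request/response modelled in plain Python. Added example,
not RouterOS/IOS code; packet bytes are constructed, addresses are
documentation ranges, EMPTY_PTYPE is an assumption."""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
EMPTY_PTYPE = 0x0000     # assumption: protocol type used when the GRE payload is empty


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre(ptype: int, payload: bytes = b"") -> bytes:
    """Basic GRE header (RFC 2784): no C/K/S flags, version 0, protocol type."""
    return struct.pack("!HH", 0, ptype) + payload


def parse_ipv4(pkt: bytes):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, pkt[ihl:total]


def build_keepalive_request(a: str, b: str) -> bytes:
    """A -> B: an ordinary GRE packet whose payload is the response B should emit,
    i.e. the GRE packet B would send to A with an empty payload."""
    response = ipv4(b, a, GRE_PROTO, gre(EMPTY_PTYPE))       # pre-cooked B -> A
    return ipv4(a, b, GRE_PROTO, gre(ETHERTYPE_IPV4, response))


class Router:
    """Records the firewall chain each packet hits and what is sent or delivered."""

    def __init__(self, own_ip: str):
        self.own_ip = own_ip
        self.chains: list[str] = []

    def send(self, pkt: bytes) -> bytes:
        self.chains.append("output")          # locally generated packet
        return pkt

    def receive(self, pkt: bytes):
        src, dst, proto, payload = parse_ipv4(pkt)
        if dst != self.own_ip:
            self.chains.append("forward")     # not ours: routed towards dst as-is
            return "forward", pkt
        self.chains.append("input")           # addressed to this router
        if proto != GRE_PROTO:
            return "local", payload
        inner = payload[4:]                   # strip the 4-byte GRE header
        if inner:
            return self.receive(inner)        # decapsulated packet re-enters routing
        return "keepalive-response", b""      # empty GRE payload back at the sender


def run_keepalive(a_ip: str, b_ip: str):
    """Full exchange: A sends the request, B reflects it, A receives the response."""
    a, b = Router(a_ip), Router(b_ip)
    request = a.send(build_keepalive_request(a_ip, b_ip))
    action, reflected = b.receive(request)    # B: input (outer), forward (inner)
    assert action == "forward"
    result, _ = a.receive(reflected)          # A: input, empty payload
    return result, a.chains, b.chains


if __name__ == "__main__":
    print(run_keepalive("198.51.100.10", "203.0.113.20"))
```

Running it shows B's chains as ["input", "forward"] and A's as ["output", "input"], which is the point made above: on the receiver the reflected response is a forwarded packet, so a forward-chain rule (or policy routing) on the Mikrotik can silently break keepalive while ordinary tunnel traffic keeps working.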
