For details on cookie usage on our site, read our Privacy Policy
GRE Tunnel
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
GRE Tunnel
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-10-2022 05:28 AM - edited 06-10-2022 05:36 AM
Hi,
I've been trying to create GRE Tunnels to connect with Zscaler. It works and I can see traffic flow through but the tunnels keep going down after about 5 minutes. What should I be watching out for?
Thanks!
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-10-2022 04:35 PM
Thank you for the post @smshafek
could you confirm what error it throws on Zscaler side when it goes down? Navigate to: ZIA > Analytics > Tunnel Insights > Logs, then check Tunnel Status and Event Reason (Make sure that these options are enabled in view):
Have you enabled GRE keepalive in Palo Alto side?
Kind Regards
Pavel
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-13-2022 02:01 AM
Hi @PavelK
it shows for both tunnel status and event reason none and none.
Yes, I have enabled GRE keepalive in Palo Alto. I've created two tunnel interfaces, set up the GRE Tunnels for the two interfaces, enabled NAT and policy based forwarding. Do I have to add a next hop in the policy based forwarding? And which IP Address should I enter for tunnel monitoring?
Thanks!
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-13-2022 04:17 PM
Thank you for reply @smshafek
if it shows "none" in the Insights Logs, then there is no way to drill down more details from Zscaler portal. The official answer from Zscaler is to open a support ticket and troubleshoot it in real time with support staff.
Would it be possible to check system logs on Palo Alto side: (subtype eq gre) ?
Regarding your question, from my point of view since GRE tunnel is point to point, it is not must to add next hop along with egress interface, however a sample configuration from Zscaler has next hop set: https://community.zscaler.com/t/gre-tunnel-from-palo-alto-firewall/8024/2 so it will not hurt to add it to PBF. Regarding the monitoring, I would target the next hop IP address (Internal ZIA Public Service Edge IP).
Kind Regards
Pavel
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-14-2022 01:40 AM
Hi Pavel,
it shows in the system logs critical and "Tunnel GRE-ZSC is going down" for both tunnels. I've also configured policy based forwarding and in the system logs it shows "Vsys 1 PBF rule GRE-ZSC nexthop is going down".
I'm not sure how I should continue with troubleshooting from here.
Thanks again!
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-15-2022 03:21 AM
Thank you for reply @smshafek
from what you described, your configuration looks fine. I am sorry, I am running out of ideas.
When the GRE tunnel goes down are you able to ping from the interface that is used to build tunnel the Zscaler's PSE IP address? If it is reachable and you do not have any connectivity issue, I would open a ticket with Zscaler.
Kind Regards
Pavel
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
- VPN Traffic not match configured policy hitting default trust to Untrust in General Topics
- IPSec Phase 1 tunnel not connecting in General Topics
- Tunnel Monitoring in General Topics
- VM Series FW - Traffic from Cloudflare in VM-Series in the Public Cloud
- GWLB deployment challenge in VM-Series in the Public Cloud
