What To Do When A GRE Network Tunnel Goes Down?
What is GRE Tunnel:
A virtual private network connection over the Internet is also known as a GRE tunnel. The purpose of this connection is to provide remote users with secure access to the organization’s network resources.
A company may have multiple branches located in different geographical regions, but they are all one single physical network. ISPs limit which hosts can communicate with each other through IP address traffic filtering. A VPN or Virtual Private Network enables you to send data securely from one location on the internet to another location by using encryption and encapsulating the data packets so that it cannot be decoded between sites without authorization credentials. To set up a VPN, you need an ISP (internet service provider) account on your end and on your destination site for protocol (IPSec, PPTP etc) and their VPN equipment.
Working of GRE:
GRE Tunnel is a communication channel or tunnel created between two endpoints using Generic Routing Encapsulation (GRE) protocol to exchange data packets with each other. GRE builds a virtual point-to-point link to create layer 3 tunnel through an intermediate network that the traffic transverses when it passes from source host to destination host across VPN. This tunnel can be used to communicate between servers in different locations even if the locations are separated by routers which do not allow direct IP datagram communications because of policy configurations, security constraints etc. GRE tunnels are also known as Virtual Private Network over Internet Protocol Security (VPIoIP). The main advantage of this type of connection is that it provides secure access for remote users with a private network.
Typically, GRE tunneling is most useful when one or both of the endpoints need to pass through a device which cannot allow direct IP traffic without restrictive security policies. If a branch office needs access to a central server in another location but it has limited access to external networks due to security constraints, then this type of connection comes in handy. In such cases organizations typically use IPSec protocol for encryption and authentication at each end of the VPN before encapsulating the data packets into the GRE tunnel using GRE protocol.
What happens when it’s down?
When GRE tunnels go down, it is up to the service provider’s choice on whether they want to send ICMP unreachable messages or not. In most cases, GRE over IPSec tunnels will be configured with a static route that has a higher administrative distance [AD] then RIP . This means that when an interface goes down, the router will prefer the other interfaces even if the one going down was physically connected to a better neighbor.
If this happens, you may wonder what you can do?
The best thing for you would be to contact your service provider and ask them why this happened and make sure everything is working properly. If they deny any errors or simply don’t respond back in time, you should probably start looking for another service provider.
If you are confident that the problem is not with the service provider side, you should go ahead and check if the GRE protocol has any errors. To do this, use your favorite command line interface to type in “show ip interface brief”. If everything seems fine, but still there is no connectivity, run a more detailed show which includes ICMP unreachable messages for each interface. This means you will need to type in “show ip protocols” and then type in either of these two commands: “show interfaces status” or “show ip route”. Once again, if nothing pops up then it’s probably time for you to call your service provider’s tech support department and ask them what could be done on their end to fix this problem.
How to fix it?
If there are no errors on your GRE tunnel then you will need to figure out the best way of making sure that the problem is not with both ends. Perhaps even check if it is just one of the two sites experiencing connectivity problems. If you suspect that it is only one site, try connecting directly via an Ethernet cable or DSL modem and see if this fixes the problem. If so, then perhaps it’s time for them to update their firmware or simply ask them to configure another interface on their router/firewall which has a direct physical connection to the internet instead of using a software based VPN client (such as IPSec).
Once again, if everything seems fine when you connect directly with your PC, then perhaps it’s time for you to contact your service provider’s tech support department and ask them what could be done on their end to fix this problem.
Even though there are many benefits of using GRE over IPSec tunnels, they can also be problematic to set up and get working properly. The main reason for this is the way that certain routers handle routing tables when an interface goes down. While companies like Cisco have year’s worth of experience in making networks run smoothly, other service providers may not be so lucky.
This article provided you with insight on how things work when a GRE tunnel goes down.
Since there are a lot of factors which could lead to connectivity problems, the best thing for you would be to contact your service provider and ask them what they can do about it. If they don’t have an answer for this question, you should probably start looking for another job or simply look for some other type of internet connection.