Verify GRE tunnel operation using Firewall CLI
PaloAlto Firewall
PAN-OS 9.1
GRE tunnel
From the CLI, run the command shown below.
Verify the "tunnel interface state" field. The value should be "Up".
admin@sanwall> show interface tunnel.1
--------------------------------------------------------------------------------
Name: tunnel.1, ID: 261
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 192.168.1.1/24
Interface management profile: N/A
Service configured:
Zone: LAN, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
--------------------------------------------------------------------------------
GRE tunnel name: GRE-to-B
tunnel interface state: Up
disabled: False
copy-tos: False
keep alive enabled: True
local-ip: 10.10.10.1
peer-ip: 10.10.10.2
.....(omitted)....
The decap_success and encap_success counters should increase while traffic is being sent through the tunnel.
admin@sanwall> show counter global filter value all | match flow_gre
flow_gre_ka_recv 0 0 info flow tunnel GRE keep alive received
flow_gre_tunnel_decap_success 2674 0 info flow tunnel GRE Tunnel Decap Success
flow_gre_tunnel_decap_err 0 0 drop flow tunnel GRE Tunnel Decap Error
flow_gre_tunnel_decap_not_found 0 0 drop flow tunnel GRE Tunnel IPs don't match configuration
flow_gre_tunnel_encap_err 0 0 drop flow tunnel GRE Tunnel Encap Error
flow_gre_tunnel_encap_success 2693 0 info flow tunnel GRE Tunnel encap Success
flow_gre_tunnel_disabled 0 0 drop flow tunnel GRE Tunnel Disabled
flow_gre_tunnel_owner_ack 0 0 info flow tunnel owner ack received from FPP
flow_gre_tunnel_owner_nack 0 0 warn flow tunnel owner nack received from FPP
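The counter check above can be automated. The following Python is an added example (not from the Palo Alto Networks documentation or from PAN-OS): it parses two snapshots of "show counter global filter value all | match flow_gre" taken a few seconds apart while traffic flows, and reports the tunnel as unhealthy when encap/decap success counters stop increasing or any counter of severity "drop" increases. The snapshot values are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two snapshots of the flow_gre counters (values are made up).
SNAPSHOT_T0 = """\
flow_gre_ka_recv 0 0 info flow tunnel GRE keep alive received
flow_gre_tunnel_decap_success 2674 0 info flow tunnel GRE Tunnel Decap Success
flow_gre_tunnel_decap_err 0 0 drop flow tunnel GRE Tunnel Decap Error
flow_gre_tunnel_decap_not_found 0 0 drop flow tunnel GRE Tunnel IPs don't match configuration
flow_gre_tunnel_encap_err 0 0 drop flow tunnel GRE Tunnel Encap Error
flow_gre_tunnel_encap_success 2693 0 info flow tunnel GRE Tunnel encap Success
flow_gre_tunnel_disabled 0 0 drop flow tunnel GRE Tunnel Disabled
"""
SNAPSHOT_T1 = """\
flow_gre_ka_recv 3 0 info flow tunnel GRE keep alive received
flow_gre_tunnel_decap_success 2810 0 info flow tunnel GRE Tunnel Decap Success
flow_gre_tunnel_decap_err 0 0 drop flow tunnel GRE Tunnel Decap Error
flow_gre_tunnel_decap_not_found 12 0 drop flow tunnel GRE Tunnel IPs don't match configuration
flow_gre_tunnel_encap_err 0 0 drop flow tunnel GRE Tunnel Encap Error
flow_gre_tunnel_encap_success 2845 0 info flow tunnel GRE Tunnel encap Success
flow_gre_tunnel_disabled 0 0 drop flow tunnel GRE Tunnel Disabled
"""

# Columns: name, value, rate, severity, category, aspect, description.
LINE_RE = re.compile(r"^(flow_gre\S*)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*)$")

def parse_counters(text: str) -> Dict[str, Tuple[int, str]]:
    """Map counter name -> (value, severity) for every flow_gre line."""
    counters: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[m.group(1)] = (int(m.group(2)), m.group(4))
    return counters

def check_gre_health(before: str, after: str) -> Dict[str, object]:
    """Success counters must grow between snapshots; drop counters must not."""
    b, a = parse_counters(before), parse_counters(after)
    problems: List[str] = []
    result: Dict[str, object] = {"healthy": True, "problems": problems}
    for name in ("flow_gre_tunnel_encap_success", "flow_gre_tunnel_decap_success"):
        delta = a.get(name, (0, ""))[0] - b.get(name, (0, ""))[0]
        result[name] = delta
        if delta <= 0:
            problems.append(f"{name} did not increase")
    for name, (value, severity) in a.items():
        delta = value - b.get(name, (0, ""))[0]
        if severity == "drop" and delta > 0:
            problems.append(f"{name} increased by {delta}")
    result["healthy"] = not problems
    return result
```

A non-zero flow_gre_tunnel_decap_not_found increase, as in the constructed second snapshot, points at a local-ip/peer-ip mismatch between the two tunnel endpoints.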
Run "show log system" filtered by the tunnel name. The tunnel should be up with no flaps (an example of flapping is shown below).
admin@sanwall> show log system object equal GRE-to-A
Time Severity Subtype Object EventID ID Description
===============================================================================
2022/07/01 06:49:53 critical gre GRE-to tunnel- 0 Tunnel GRE-to-A is going down
2022/07/01 06:51:11 critical gre GRE-to tunnel- 0 Tunnel GRE-to-A is going up
Filter sessions by protocol 47 (GRE).
Find the session ID, then filter by that session ID.
Verify that the "session terminate tunnel" value is "True", and verify the ingress and egress interfaces.
admin@sanwall> show session all filter protocol 47
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
55601 gre ACTIVE FLOW 10.10.10.2[20033]/LAN/47 (10.10.10.2[20033])
vsys1 10.10.10.1[20033]/LAN (10.10.10.1[20033])
admin@sanwall> show session id 55601
(the session ID varies in each environment)
Session 55601
c2s flow:
source: 10.10.10.2 [LAN]
dst: 10.10.10.1
proto: 47
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.10.10.1 [LAN]
dst: 10.10.10.2
proto: 47
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Fri Jul 1 06:50:24 2022
timeout : 1200 sec
time to live : 1193 sec
total byte count(c2s) : 364464
total byte count(s2c) : 128018
layer7 packet count(c2s) : 5593
layer7 packet count(s2c) : 2783
vsys : vsys1
application : gre
rule : vsys1+intrazone-default
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : True
session traverses tunnel : False
session terminate tunnel : True
captive portal session : False
ingress interface : ethernet1/2
egress interface : tunnel.1
session QoS rule : N/A (class 4)
end-reason : unknown