GRE tunnel down due to recursive routing
Symptom
- System logs report a critical event for GRE tunnel interface down with recursive routing:
admin@syadav-vm-1-vm-100> show log system direction equal backward subtype equal gre
cmd#00008 2023-04-06 16:32:39 (show log system direction equal backward subtype equal gre)
Time Severity Subtype Object EventID ID Description
===============================================================================
2023/04/07 00:29:27 critical gre gre-tu tunnel- 0 Tunnel intf: tunnel.1 is going down due to recursive routing
Environment
- GRE Tunnel configured
- Palo Alto Networks Firewall
Cause
The most common reason for this error is that the route to the GRE peer resolves through the GRE tunnel interface itself.
Resolution
- Verify the Routing Table Entry for the GRE Peer: Use the following command to check if the route to the GRE peer is resolving via the GRE tunnel interface:
> test routing fib-lookup virtual-router <name-of-virtual-router> ip <IP-address-of-GRE-peer>
If the output shows that the next hop for the GRE peer's IP address is the GRE tunnel interface, it confirms that this is the cause of the recursive routing issue.
- Configure or edit the Route, Static Route, or Policy-Based Forwarding (PBF) Rule: Ensure that the route to the GRE peer resolves through a physical interface or another tunnel, not via the GRE tunnel itself.
- Validate changes: After making changes, recheck the routing for the GRE peer using the following command to confirm that the next hop does not resolve to the GRE tunnel interface:
> test routing fib-lookup virtual-router <name-of-virtual-router> ip <IP-address-of-GRE-peer>
- Monitor the Tunnel Status: Confirm that the GRE tunnel interface status changes to UP by monitoring the interface status in the GUI or CLI:
> show interface tunnel.<tunnel number>
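The check in the steps above, modelled as an added example (not Palo Alto Networks code and not PAN-OS output): a longest-prefix-match lookup over a constructed route table shows how a route pointing at the tunnel captures the peer address, and how a more specific host route via a physical interface resolves it. The interface names, prefixes, and peer address are assumptions chosen for illustration.

```python
import ipaddress

# Constructed FIB entries (prefix, egress interface); all values are illustrative assumptions.
BROKEN_FIB = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("198.51.100.0/24", "tunnel.1"),  # covers the GRE peer address -> recursion
    ("10.20.0.0/16", "tunnel.1"),
]
# Same table plus a host route that pins the peer to the physical interface.
FIXED_FIB = BROKEN_FIB + [("198.51.100.10/32", "ethernet1/1")]


def fib_lookup(fib, ip):
    """Longest-prefix match: return (prefix, interface) for ip, or None if no route."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for prefix, intf in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, intf))
    if not matches:
        return None
    net, intf = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), intf


def check_gre_peer(fib, tunnel_intf, peer_ip):
    """Classify how the GRE peer resolves: 'recursive', 'ok', or 'unreachable'."""
    hit = fib_lookup(fib, peer_ip)
    if hit is None:
        return "unreachable", None
    prefix, intf = hit
    # The tunnel's own outer packets would be sent back into the tunnel.
    if intf == tunnel_intf:
        return "recursive", prefix
    return "ok", prefix


if __name__ == "__main__":
    for label, fib in (("before fix", BROKEN_FIB), ("after fix", FIXED_FIB)):
        print(label, check_gre_peer(fib, "tunnel.1", "198.51.100.10"))
```

The returned prefix identifies which route entry wins for the peer address, which is the entry to edit or override.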
Additional Information
If routing is properly configured and your firewall is in an HA active/passive configuration, check whether it is hitting this issue:
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Release versions with the fix: 10.1.9, 10.2.4, 11.0.5 and later releases.
Additionally, for older PAN-OS versions, check whether the firewall is hitting this issue:
PAN-179413
Fixed an issue where GRE tunnels flapped during commit jobs.
Release versions with the fix: 10.0.10, 10.1.5, and later releases.
For more details on configuring a GRE tunnel, refer to Configuring GRE tunnel between PaloAlto Firewalls.