How to verify GRE tunnel operation using CLI commands
34243
Created On 06/30/22 16:36 PM - Last Modified 05/09/23 08:16 AM
Objective
Verify GRE tunnel operation from the firewall CLI
Environment
- Palo Alto Networks Firewall
- PAN-OS 9.1
- GRE tunnel
Procedure
1. Check the GRE tunnel state:
- From the CLI, run the command shown below
- Check the "tunnel interface state" field. The value must be "Up". Note that this state reflects reachability of the peer only when keepalive is enabled ("keep alive enabled: True" in the output); with keepalive disabled the interface can show Up even if the peer is not answering.
admin@sanwall> show interface tunnel.1
--------------------------------------------------------------------------------
Name: tunnel.1, ID: 261
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 192.168.1.1/24
Interface management profile: N/A
Service configured:
Zone: LAN, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
--------------------------------------------------------------------------------
GRE tunnel name: GRE-to-B
tunnel interface state: Up
disabled: False
copy-tos: False
keep alive enabled: True
local-ip: 10.10.10.1
peer-ip: 10.10.10.2
.....(omitted)....
2. Use the "show counter global" command filtered on flow_gre (show counter global filter value all | match flow_gre). The columns are counter name, value, rate, severity, category, aspect and description. The flow_gre_tunnel_decap_success and flow_gre_tunnel_encap_success values must increase while traffic is sent through the tunnel, so take the reading twice and compare; the drop counters (decap_err, decap_not_found, encap_err, disabled) should stay at zero. A rising flow_gre_tunnel_decap_not_found means the received GRE packets carry outer IP addresses that do not match the configured local-ip/peer-ip.
admin@sanwall> show counter global filter value all | match flow_gre
flow_gre_ka_recv 0 0 info flow tunnel GRE keep alive received
flow_gre_tunnel_decap_success 2674 0 info flow tunnel GRE Tunnel Decap Success
flow_gre_tunnel_decap_err 0 0 drop flow tunnel GRE Tunnel Decap Error
flow_gre_tunnel_decap_not_found 0 0 drop flow tunnel GRE Tunnel IPs don't match configuration
flow_gre_tunnel_encap_err 0 0 drop flow tunnel GRE Tunnel Encap Error
flow_gre_tunnel_encap_success 2693 0 info flow tunnel GRE Tunnel encap Success
flow_gre_tunnel_disabled 0 0 drop flow tunnel GRE Tunnel Disabled
flow_gre_tunnel_owner_ack 0 0 info flow tunnel owner ack received from FPP
flow_gre_tunnel_owner_nack 0 0 warn flow tunnel owner nack received from FPP
3. Check the system log:
- Run "show log system" filtered on the tunnel name. The tunnel should be up and should not be flapping (a flap, a "going down" followed by a "going up" event, is shown below). The tunnel in this output is named GRE-to-A, unlike the GRE-to-B example in step 1; use your own tunnel's name in the filter.
admin@sanwall> show log system object equal GRE-to-A
Time Severity Subtype Object EventID ID Description
===============================================================================
2022/07/01 06:49:53 critical gre GRE-to tunnel- 0 Tunnel GRE-to-A is going down
2022/07/01 06:51:11 critical gre GRE-to tunnel- 0 Tunnel GRE-to-A is going up
4. Check the GRE session
- Filter the session table on protocol 47 (GRE)
- Locate the session and look it up by its session ID
- Check that "session terminate tunnel" is "True" (the firewall itself is the GRE endpoint), and check the ingress and egress interfaces
admin@sanwall> show session all filter protocol 47
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
55601 gre ACTIVE FLOW 10.10.10.2[20033]/LAN/47 (10.10.10.2[20033])
vsys1 10.10.10.1[20033]/LAN (10.10.10.1[20033])
admin@sanwall> show session id 55601    (the session ID varies; use the ID returned by the previous command)
Session 55601
c2s flow:
source: 10.10.10.2 [LAN]
dst: 10.10.10.1
proto: 47
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.10.10.1 [LAN]
dst: 10.10.10.2
proto: 47
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Fri Jul 1 06:50:24 2022
timeout : 1200 sec
time to live : 1193 sec
total byte count(c2s) : 364464
total byte count(s2c) : 128018
layer7 packet count(c2s) : 5593
layer7 packet count(s2c) : 2783
vsys : vsys1
application : gre
rule : vsys1+intrazone-default
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : True
session traverses tunnel : False
session terminate tunnel : True
captive portal session : False
ingress interface : ethernet1/2
egress interface : tunnel.1
session QoS rule : N/A (class 4)
end-reason : unknown
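The four checks above can be scripted once the command output has been captured. The following is an added example and is not part of the Palo Alto Networks KB article: it assumes the output of each command has already been collected as text (for instance over SSH, or with the XML API "op" request) and parses it for the fields the procedure calls out. The sample strings are constructed, abridged from the article's own output, and the second counter sample is made up to show the counters increasing; the tunnel names GRE-to-B (step 1) and GRE-to-A (step 3) are kept as they appear in the article.

```python
"""Check PAN-OS GRE tunnel health from captured CLI output.

Added example, not the KB article's own code. Assumes the text of
'show interface tunnel.1', 'show counter global ... | match flow_gre',
'show log system' and 'show session id' has already been captured.
All sample strings below are constructed.
"""
import re

# Counters that must not move while the tunnel is healthy (step 2).
DROP_COUNTERS = (
    "flow_gre_tunnel_decap_err",
    "flow_gre_tunnel_decap_not_found",
    "flow_gre_tunnel_encap_err",
    "flow_gre_tunnel_disabled",
)


def parse_fields(text):
    """Turn 'key: value' / 'key : value' lines (show interface, show session) into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def tunnel_is_up(show_interface_output):
    """Step 1: the 'tunnel interface state' field must read 'Up'."""
    return parse_fields(show_interface_output).get("tunnel interface state") == "Up"


def parse_counters(counter_output):
    """Step 2: 'show counter global ... | match flow_gre' -> {name: value}."""
    counters = {}
    for line in counter_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("flow_gre") and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def counters_healthy(sample_before, sample_after):
    """Compare two counter samples taken while traffic crosses the tunnel.

    Healthy means encap and decap successes both increased and none of the
    drop counters moved. Returns (ok, deltas)."""
    before, after = parse_counters(sample_before), parse_counters(sample_after)
    deltas = {name: after[name] - before.get(name, 0) for name in after}
    ok = (
        deltas.get("flow_gre_tunnel_encap_success", 0) > 0
        and deltas.get("flow_gre_tunnel_decap_success", 0) > 0
        and all(deltas.get(name, 0) == 0 for name in DROP_COUNTERS)
    )
    return ok, deltas


def flap_events(system_log, tunnel_name):
    """Step 3: up/down transitions logged for one tunnel, in log order."""
    pattern = re.compile(r"Tunnel %s is going (up|down)" % re.escape(tunnel_name))
    return [m.group(1) for m in pattern.finditer(system_log)]


def session_terminates_tunnel(session_output):
    """Step 4: (terminate-tunnel flag, ingress interface, egress interface)."""
    f = parse_fields(session_output)
    return (f.get("session terminate tunnel") == "True",
            f.get("ingress interface"), f.get("egress interface"))


def counter_sample(decap, encap, not_found=0):
    """Build a constructed 'match flow_gre' sample (columns: name value rate severity ...)."""
    return "\n".join([
        "flow_gre_ka_recv                    0  0 info flow tunnel GRE keep alive received",
        f"flow_gre_tunnel_decap_success  {decap:6d}  0 info flow tunnel GRE Tunnel Decap Success",
        "flow_gre_tunnel_decap_err           0  0 drop flow tunnel GRE Tunnel Decap Error",
        f"flow_gre_tunnel_decap_not_found {not_found:4d}  0 drop flow tunnel GRE Tunnel IPs don't match configuration",
        f"flow_gre_tunnel_encap_success  {encap:6d}  0 info flow tunnel GRE Tunnel encap Success",
    ])


# Constructed samples, abridged from the article's output.
SHOW_INTERFACE = "GRE tunnel name: GRE-to-B\ntunnel interface state: Up\ndisabled: False\n" \
                 "keep alive enabled: True\nlocal-ip: 10.10.10.1\npeer-ip: 10.10.10.2\n"
COUNTERS_T0 = counter_sample(2674, 2693)          # first reading
COUNTERS_T1 = counter_sample(2710, 2731)          # second reading, after sending traffic
SYSTEM_LOG = ("2022/07/01 06:49:53 critical gre GRE-to tunnel- 0 Tunnel GRE-to-A is going down\n"
              "2022/07/01 06:51:11 critical gre GRE-to tunnel- 0 Tunnel GRE-to-A is going up\n")
SESSION = "session terminate tunnel : True\ningress interface : ethernet1/2\negress interface : tunnel.1\n"

if __name__ == "__main__":
    print("tunnel up:", tunnel_is_up(SHOW_INTERFACE))
    ok, deltas = counters_healthy(COUNTERS_T0, COUNTERS_T1)
    print("counters healthy:", ok, {k: v for k, v in deltas.items() if v})
    print("flap events for GRE-to-A:", flap_events(SYSTEM_LOG, "GRE-to-A"))
    print("session (terminate tunnel, ingress, egress):", session_terminates_tunnel(SESSION))
```

Feed the real command output into the same functions; the only judgement call is the second counter sample, which has to be taken while traffic is actually flowing through the tunnel, otherwise the zero delta will report the tunnel as unhealthy.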