Hello,<br />
<br />
I maintain a "fleet" of CentOS 6.4/6.5 NAT gateways that run Shorewall firewalls and various GRE tunnels (VPNs) between them, over the Internet.<br />
<br />
The ip_gre kernel module is loaded for establishing the GRE tunnels.<br />
<br />
In at least three cases (three pairs of gateways), the VPN tunnel suddenly ceased to work after upgrading the kernel from 2.6.32-358.23.2.el6.x86_64 to 2.6.32-431.el6.x86_64 (stock kernels, as provided in binary distro) on one of the participating gateways.<br />
<br />
The quick fix was to reboot with the old kernel (2.6.32-358.23.2) via /boot/grub/grub.conf<br />
<br />
<br />
When the tunnel is not working, the virtual GRE interface (tunnel endpoint) goes up and a private IP address is assigned to it, but no network traffic is possible between the two point-to-point tunnel endpoints.<br />
<br />
The firewall log does not record any blocked packets.<br />
<br />
The GRE tunnel goes up and running again by simply rebooting the machine with the 2.6.32-358.23.2.el6.x86_64 kernel (or older).<br />
<br />
In some cases, one CentOS machine works as an endpoint for many GRE VPNs, via *different* GRE virtual interfaces. Even if all of them are configured in an identical way, some of the GRE interfaces continue to work after upgrading the kernel, some don't.<br />
<br />
<br />
Thanks!<br />
<br />
<br />
Best regards,<br />
Răzvan