The users can't reach the LAN interface of the USG6650 via the GRE tunnel interface

Publication Date:  2014-11-29 Views:  307 Downloads:  0
Issue Description
The customer wants to ping and telnet the USG6650 LAN interface IP address from the remote side via the GRE tunnel interface, but both ping and telnet fail.

The network topology is shown:
Alarm Information
None
Handling Process
First, check the basic configuration of the USG6650: the security policy, whether the interfaces have been added to security zones, and so on.
After checking, all of the basic configuration appears correct.
Then, while running the ping test, I checked the firewall session table on the USG6650 with the following commands:

[USG6600]display firewall session table verbose destination inside  172.17.142
[USG6600]display firewall session table verbose destination global 172.17.142
[USG6600]display firewall session table verbose


I did not see any session for this ping test.
I suspected that the related protocols (ping, telnet) might not be permitted under the LAN interface, so I checked its configuration:

interface GigabitEthernet1/0/0
alias LAN
ip address 172.17.142.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit 

From the above configuration, these protocols are already permitted under the LAN interface.
However, the same protocols (ping, telnet) were not permitted under the GRE tunnel interface:

interface Tunnel0
alias to_HQ_WAN_1_PRIMARY
ip address 10.17.142.2 255.255.255.252
tunnel-protocol gre
source xx.xx.41.246
destination xx.xx.23.234
gre key 123
gre checksum

This omission is likely the root cause of the problem: the traffic enters from the remote side through the GRE tunnel interface Tunnel0, so these protocols must be permitted under that ingress interface. I configured the following commands:

interface Tunnel0
alias to_HQ_WAN_1_PRIMARY
ip address 10.17.142.2 255.255.255.252
tunnel-protocol gre
source xx.xx.41.246
destination xx.xx.23.234
gre key 123
gre checksum
service-manage ping permit
service-manage telnet permit

After configuring the above commands, we can ping and telnet the LAN interface, so the problem is resolved.
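The check behind this case is that service-manage is evaluated on the interface a packet arrives on, so management access to the LAN address must be permitted on the tunnel interface the remote side comes in through, not only on the LAN interface itself. As an added example (not part of the original case and not a Huawei tool), the following Python script parses a VRP-style configuration dump, reports which management protocols are missing on a chosen ingress interface, and appends the missing service-manage lines. The sample configuration is the two interface stanzas from this case; the function names and the assumption that stanzas start with "interface <name>" and end at "#" or the next "interface" line are mine.

```python
import re
from typing import Dict, List

# Constructed sample: the two interface stanzas from the case, before the fix
# (Tunnel0 carries no service-manage lines at all).
SAMPLE_CONFIG_BEFORE = """\
interface GigabitEthernet1/0/0
 alias LAN
 ip address 172.17.142.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface Tunnel0
 alias to_HQ_WAN_1_PRIMARY
 ip address 10.17.142.2 255.255.255.252
 tunnel-protocol gre
 source xx.xx.41.246
 destination xx.xx.23.234
 gre key 123
 gre checksum
#
"""

# One "service-manage <protocol> permit|deny" line inside an interface stanza.
SERVICE_MANAGE_RE = re.compile(r"^\s*service-manage\s+(\S+)\s+(permit|deny)\s*$")


def parse_service_manage(config: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {protocol: 'permit' | 'deny'} for every stanza.

    Assumption (hypothetical, VRP-style dump): a stanza begins with an
    unindented 'interface <name>' line and ends at '#' or the next stanza.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result[current] = {}
            continue
        if line.strip() == "#":
            current = None
            continue
        m = SERVICE_MANAGE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result


def missing_permits(config: str, ingress_iface: str, protocols: List[str]) -> List[str]:
    """Return the protocols in `protocols` that are not explicitly permitted
    on the interface the traffic enters through (an absent line counts as
    not permitted, which is exactly what happened to Tunnel0 in the case)."""
    perms = parse_service_manage(config).get(ingress_iface, {})
    return [p for p in protocols if perms.get(p) != "permit"]


def interfaces_permitting(config: str, protocol: str) -> List[str]:
    """List every interface on which `protocol` is permitted, so the
    management exposure of the box can be reviewed in one glance."""
    perms = parse_service_manage(config)
    return sorted(name for name, p in perms.items() if p.get(protocol) == "permit")


def add_permits(config: str, iface: str, protocols: List[str]) -> str:
    """Return a copy of `config` with 'service-manage <p> permit' appended to
    the stanza of `iface` for each protocol not already permitted there."""
    needed = missing_permits(config, iface, protocols)
    out: List[str] = []
    in_target = False
    for line in config.splitlines():
        if line.startswith("interface ") or line.strip() == "#":
            if in_target:  # leaving the target stanza: emit the new lines first
                out.extend(f" service-manage {p} permit" for p in needed)
                in_target = False
            in_target = line.startswith("interface ") and line.split(None, 1)[1].strip() == iface
        out.append(line)
    if in_target:  # target stanza ran to end of file
        out.extend(f" service-manage {p} permit" for p in needed)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("missing on Tunnel0:", missing_permits(SAMPLE_CONFIG_BEFORE, "Tunnel0", ["ping", "telnet"]))
    fixed = add_permits(SAMPLE_CONFIG_BEFORE, "Tunnel0", ["ping", "telnet"])
    print("missing after fix:", missing_permits(fixed, "Tunnel0", ["ping", "telnet"]))
    print("interfaces permitting telnet:", interfaces_permitting(fixed, "telnet"))
```

Run against the case's configuration, the script reports ping and telnet missing on Tunnel0 and none missing on GigabitEthernet1/0/0, which matches the empty session table seen during the ping test. The interfaces_permitting() view is worth keeping after the fix: every interface on which a management protocol is permitted is an interface the management plane is reachable from, and because telnet is cleartext, permitting ssh instead of telnet on the tunnel is the usual choice where the remote side supports it.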
Root Cause
The root cause is that the ping and telnet protocols were not permitted under the ingress interface, that is, the GRE tunnel interface.
Solution
The solution is to permit the ping and telnet protocols under the GRE tunnel interface.
