This example illustrates how to configure a GRE tunnel between a Cisco 881 ISR and ZENs in the Zscaler service. As shown in the figure, two GRE tunnels are configured between the gateway WAN port, fa4, which has a static public IP address, 192.0.2.2, and two ZENs in two different data centers (220.127.116.11 and 18.104.22.168).
Zscaler has assigned the following IP addresses for the GRE tunnels:
The router receives ingress traffic on ports fa0, fa1, fa2 and fa3. These ports forward Internet traffic to the WAN gateway port, fa4, which uses the GRE tunnel interfaces tunnel 2700 and tunnel 2800 to send the Internet traffic through the GRE tunnel to the Zscaler service. The router performs NAT on the other traffic that it sends directly to the Internet.
Following are the steps and commands that were used to configure the GRE tunnels in this example, from a Cisco 881 ISR router running IOS version 15.1 to ZENs in different data centers. Refer to the Cisco documentation for information about the commands.
The sample configuration shows how to configure the following on two tunnel interfaces (tunnel 2700 and tunnel 2800) on the gateway WAN port FastEthernet4 (fa4). (Note that the tunnel names are arbitrary and you can use different tunnel names in your configuration.):
interface Tunnel2700
 ip address 172.18.58.121 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1436
 tunnel source FastEthernet4
 tunnel destination 22.214.171.124
 keepalive 5 4
end
interface Tunnel2800
 ip address 172.18.58.125 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1436
 tunnel source FastEthernet4
 tunnel destination 126.96.36.199
 keepalive 5 4
end
In Cisco IOS routers, policy-based routing (PBR) is implemented using route maps.
Note that Cisco routers forward PBR traffic in software instead of hardware, which may lead to CPU spikes. You can use 'ip route' instead of PBR to decrease CPU usage.
The following sample configuration creates an access list that specifies the outbound traffic and defines the route map that sends that traffic over Tunnel 2700 first, then Tunnel 2800:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 8800
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel2700 Tunnel2800
Note that you can exclude traffic from specific sources from being redirected to the GRE tunnel. The following example excludes traffic from a host (192.168.1.1) from being redirected to the tunnel:
access-list 101 deny ip host 192.168.1.1 any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
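The order of the access-list entries matters because IOS evaluates a numbered ACL top to bottom and stops at the first match, with an implicit deny at the end; the exclusion entry therefore has to come before the permit entries, and `set interface Tunnel2700 Tunnel2800` hands a permitted flow to the first listed interface whose line protocol is up. The following is an added example, not code from the Zscaler page or from Cisco: a small Python model of that evaluation that you can run against candidate flows before applying a route map. It assumes first-match semantics with an implicit deny and the first-up-interface rule described above, parses only the `any` and `host` address forms the page uses, and the flows and tunnel states are constructed sample data.

```python
# Added example (not from the Zscaler page or from Cisco): model of how IOS
# evaluates a numbered extended ACL and a route-map 'set interface' list.
# Assumptions: first-match ACL evaluation with an implicit deny at the end,
# and 'set interface A B' choosing the first listed interface that is up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords IOS accepts in place of numbers, as used on the page (www = 80)
NAMED_PORTS = {"www": 80, "domain": 53, "telnet": 23, "ftp": 21}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a single host address
    dst: str
    dport: Optional[int]   # destination port from 'eq', if present


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec ('any' or 'host A.B.C.D') from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"address form not handled by this example: {tokens[0]}")


def parse_acl(lines: List[str], number: int) -> List[Ace]:
    """Collect the entries of 'access-list <number> ...' in configuration order."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["access-list", str(number)]:
            continue
        action, proto = tok[2], tok[3]
        src, rest = _take_addr(tok[4:])
        dst, rest = _take_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def parse_route_map(lines: List[str], name: str) -> Tuple[Optional[int], List[str]]:
    """Return (matched ACL number, ordered 'set interface' list) for one route-map."""
    acl, ifaces, inside = None, [], False
    for line in lines:
        tok = line.split()
        if tok[:2] == ["route-map", name]:
            inside = True
            continue
        if tok and tok[0] == "route-map":
            inside = False
        if inside and tok[:3] == ["match", "ip", "address"]:
            acl = int(tok[3])
        elif inside and tok[:2] == ["set", "interface"]:
            ifaces = tok[2:]
    return acl, ifaces


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def acl_action(aces: List[Ace], flow: Flow) -> str:
    """The first matching entry decides; no match at all is the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_addr_ok(ace.src, flow.src) and _addr_ok(ace.dst, flow.dst)):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


def pbr_egress(aces: List[Ace], ifaces: List[str],
               tunnel_up: Dict[str, bool], flow: Flow) -> Optional[str]:
    """Interface PBR would use for the flow, or None when the flow takes the
    normal route (ACL did not permit it, or every listed interface is down)."""
    if acl_action(aces, flow) != "permit":
        return None
    for iface in ifaces:
        if tunnel_up.get(iface, False):
            return iface
    return None


# Constructed sample configuration in the page's form; the exclusion entry is
# written with the host as the *source* address so it matches traffic from it.
SAMPLE_CONFIG = """
access-list 101 deny ip host 192.168.1.1 any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq 53
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel2700 Tunnel2800
""".splitlines()


def classify(tunnel_up: Dict[str, bool], flow: Flow) -> Optional[str]:
    """Parse SAMPLE_CONFIG and decide which interface, if any, carries the flow."""
    acl_no, ifaces = parse_route_map(SAMPLE_CONFIG, "zscaler-tunnel")
    return pbr_egress(parse_acl(SAMPLE_CONFIG, acl_no), ifaces, tunnel_up, flow)


if __name__ == "__main__":
    both_up = {"Tunnel2700": True, "Tunnel2800": True}
    web = Flow("tcp", "10.65.199.10", "203.0.113.5", 443)
    print(classify(both_up, web))                                    # Tunnel2700
    print(classify({"Tunnel2700": False, "Tunnel2800": True}, web))  # Tunnel2800
    print(classify(both_up, Flow("tcp", "192.168.1.1", "203.0.113.5", 443)))  # None
```

Swap the deny entry below the permits in `SAMPLE_CONFIG` and the excluded host is tunnelled anyway, which is the mistake the ordering rule above guards against.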
In this example, we assume that the ingress traffic is received by the router on ports fa0 to fa3 in VLAN 2. The IP addresses on these ports are assigned by DHCP and their traffic is forwarded to the GRE tunnels 2700 and 2800. NAT is performed on the remaining traffic.
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$
 ip address dhcp client-id FastEthernet4 hostname 10.35.3.41
 ip access-group 80 in
 ip access-group 80 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip access-group 100 in
 ip access-group 100 out
 ip tcp adjust-mss 1436
!
interface Vlan2
 ip address 10.65.199.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1436
 ip policy route-map zscaler-tunnel
!
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.96.13.254
!
ip access-list extended NAT
 permit ip 10.65.199.0 0.0.0.255 any
 deny ip any any
!
!
logging esm config
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 188.8.131.52 0.0.0.7
access-list 23 permit 10.65.199.0 0.0.0.255
access-list 80 permit any
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 8800
access-list 120 permit ip any any
access-list 180 permit ip 10.0.0.0 0.255.255.255 any
no cdp run
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel2700 Tunnel2800
!
Configure the IP SLAs to monitor the tunnels. You can set a threshold for HTTP page load times so traffic can switch from the primary to the secondary tunnel when the threshold is exceeded. Zscaler recommends that you use the ZEN IP address as the IP address that is used for monitoring, to ensure that the IP address is reachable and routable through the tunnel.
This SLA is defined as #1 and #2, which may conflict with an existing SLA that uses the same number. If so, we recommend changing the sequence number to avoid conflicts. Additionally, Zscaler recommends that you specify the following URL gateway.zscaler_cloud.net/vpntest. In the example below, the cloud name is zscalertwo.net. For information on how to determine your Zscaler cloud name, see What is my cloud name?
ip sla 1
 http raw http://172.18.58.122
 timeout 5000
 threshold 300
 http-raw-request
  GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
  User-Agent: Cisco IP SLA\r\n
  end\r\n
  \r\n
  \r\n
  \r\n
 exit
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 state
 delay down 180 up 180
ip sla 2
 http raw http://172.18.58.126
 timeout 5000
 threshold 300
 http-raw-request
  GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
  User-Agent: Cisco IP SLA\r\n
  end\r\n
  \r\n
  \r\n
  \r\n
 exit
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 state
 delay down 180 up 180
If GRE keepalives are not enabled for the tunnel, Zscaler strongly recommends you configure IP SLAs ICMP Echo operation in addition to the IP SLA HTTP operation. You can set a threshold for the ping reply so that traffic can go through the backup tunnel when the threshold is exceeded. Zscaler recommends that you use the ZEN IP address for tunnel monitoring to ensure that the IP address is reachable and routable through the tunnel.
In this example, the SLA is defined as #3 and #4, which might conflict with an existing SLA using the same numbers. If so, Zscaler recommends changing the sequence numbers to avoid conflicts.
ip sla 3
 icmp-echo <Primary Internal ZEN IP> source-interface <Tunnel Interface 1>
 timeout 2000
 frequency 5
 threshold 500
ip sla schedule 3 life forever start-time now
track 3 ip sla 3 state
 delay down 25 up 30
ip sla 4
 icmp-echo <Backup Internal ZEN IP> source-interface <Tunnel Interface 2>
 timeout 2000
 frequency 5
 threshold 500
ip sla schedule 4 life forever start-time now
track 4 ip sla 4 state
 delay down 25 up 30
In this example configuration, a ping is generated every 5 seconds. If there is no ICMP reply within 500 ms, the SLA will fail. A failover will be initiated on five consecutive SLA failures that are after 25 seconds. Zscaler recommends starting with these values and modifying them based on your ISP connection quality.
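The two monitoring mechanisms above react on different rules: the HTTP SLA's `reaction-configuration` fires after a run of consecutive RTT measurements over the threshold, while the ICMP SLA feeds a tracked object whose `delay down 25 up 30` only changes the track (and so the PBR egress) after the SLA has stayed in its new state for the whole delay. The following is an added example, not code from the Zscaler page or Cisco: a Python model of both rules that lets you replay probe outcomes and see exactly when a failover and a failback would occur, including the case where a brief outage ends inside the delay and causes no flap. The semantics are my reading of the IOS behaviour, not something the page states, and the probe samples are constructed.

```python
# Added example (not from the Zscaler page or from Cisco): models of the two
# failover rules configured above. react_after() models 'react rtt
# threshold-value 300 ... threshold-type consecutive 3'; simulate_track()
# models 'track N ip sla N state' with 'delay down 25 up 30' fed by an ICMP
# SLA probing every 'frequency' seconds. Assumed semantics: the reaction fires
# when N consecutive measured RTTs exceed the threshold; the track changes
# state only when the SLA state has differed from it for the whole delay, and
# a probe that flips back first cancels the pending timer.
from typing import List, Optional, Tuple


def react_after(rtts_ms: List[int], threshold_ms: int = 300,
                consecutive: int = 3) -> Optional[int]:
    """Index of the probe at which the consecutive-RTT reaction fires, or None
    if the run never reaches the configured length."""
    over = 0
    for i, rtt in enumerate(rtts_ms):
        over = over + 1 if rtt > threshold_ms else 0
        if over >= consecutive:
            return i
    return None


def simulate_track(probe_ok: List[bool], frequency: int = 5,
                   delay_down: int = 25, delay_up: int = 30) -> List[Tuple[int, str]]:
    """Replay probe results (one per 'frequency' seconds, True = reply received)
    against a tracked object that starts Up. Returns the (time_s, new_state)
    transitions of the track, i.e. the moments PBR stops or resumes using the
    tunnel behind it."""
    track_up = True
    pending_since = None   # time the SLA state first disagreed with the track
    events: List[Tuple[int, str]] = []
    for i, ok in enumerate(probe_ok):
        t = i * frequency
        # A delay timer that expired before this probe flips the track first
        if pending_since is not None:
            delay = delay_down if track_up else delay_up
            if pending_since + delay <= t:
                track_up = not track_up
                events.append((pending_since + delay, "up" if track_up else "down"))
                pending_since = None
        if ok != track_up:
            if pending_since is None:
                pending_since = t      # start (or keep) the delay timer
        else:
            pending_since = None       # back in agreement within the delay: no flap
    return events


if __name__ == "__main__":
    # Constructed samples: a sustained outage, a blip that never trips the
    # delay, and an outage followed by recovery (failback after delay up 30).
    print(simulate_track([False] * 8))                     # [(25, 'down')]
    print(simulate_track([False, False, False, True] * 3)) # []
    print(simulate_track([False] * 6 + [True] * 7))        # [(25, 'down'), (60, 'up')]
    print(react_after([100, 350, 400, 120, 310, 320, 330])) # 6
```

Raising `delay_up` relative to `delay_down`, as the page's values do, is what keeps a tunnel that is recovering intermittently from being put back into service too early.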
Following are some sample commands that you can use to monitor and troubleshoot the GRE tunnel.
Ping the Zscaler internal tunnel IP address to validate the tunnel is up and routing is correct.
ping 172.18.58.122
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.58.122, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ping 172.18.58.126
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.58.126, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Ensure that the tunnel interface and line protocol are up using the show int tunnel command, as shown below:
show int tun 2800
Tunnel2800 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.18.58.125/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (5 sec), retries 3
  Tunnel source 192.0.2.2 (FastEthernet4), destination 184.108.40.206
   Tunnel Subblocks:
      src-track:
         Tunnel2800 source tracking subblock associated with FastEthernet4
          Set of tunnels with source FastEthernet4, 19 members (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5450 packets input, 3690507 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     588861 packets output, 29175729 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
View the track status.
VPN-test#show track
Track 1
  IP SLA 1 reachability
  Reachability is Down
    3 changes, last change 00:16:23
  Latest operation return code: Timeout
Track 2
  IP SLA 2 reachability
  Reachability is Up
    2 changes, last change 01:01:27
  Latest operation return code: OK
  Latest RTT (millisecs) 1
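When there are more than a couple of tracked tunnels, reading this output by hand does not scale, and the track state is the single fact that tells you which tunnel PBR is currently using. The following is an added example, not code from the Zscaler page or from Cisco: a Python parser for `show track` output of the form shown above that returns each track's state and return code and produces an alert line per track that is not Up, so the same check can be run from a monitoring script against output collected over SSH. The sample text is constructed from the output above with the line breaks IOS prints, and the mapping of track numbers to tunnel names is an assumption for the sample.

```python
# Added example (not from the Zscaler page or from Cisco): parse 'show track'
# output and flag tracks whose SLA is not Up. The sample below is constructed
# from the page's output; field names are the ones visible in that output.
import re
from typing import Dict, List

SAMPLE_SHOW_TRACK = """\
Track 1
  IP SLA 1 reachability
  Reachability is Down
    3 changes, last change 00:16:23
  Latest operation return code: Timeout
Track 2
  IP SLA 2 reachability
  Reachability is Up
    2 changes, last change 01:01:27
  Latest operation return code: OK
  Latest RTT (millisecs) 1
"""

# One pattern per field line; 'State is' covers tracks configured with
# 'track N ip sla N state' rather than 'reachability'.
_PATTERNS = [
    ("sla",         re.compile(r"IP SLA (\d+) (reachability|state)")),
    ("up",          re.compile(r"(?:Reachability|State) is (Up|Down)")),
    ("changes",     re.compile(r"(\d+) changes?, last change (\S+)")),
    ("return_code", re.compile(r"Latest operation return code: (\S+)")),
    ("rtt_ms",      re.compile(r"Latest RTT \(millisecs\) (\d+)")),
]


def parse_show_track(text: str) -> Dict[int, dict]:
    """Map track number -> fields (sla, kind, up, changes, last_change,
    return_code, rtt_ms); fields absent from the output are simply missing."""
    tracks: Dict[int, dict] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Track (\d+)", line)
        if m:
            cur = int(m.group(1))
            tracks[cur] = {"id": cur}
            continue
        if cur is None:
            continue                      # prompt or banner before the first track
        for key, pat in _PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if key == "sla":
                tracks[cur]["sla"] = int(m.group(1))
                tracks[cur]["kind"] = m.group(2)
            elif key == "up":
                tracks[cur]["up"] = m.group(1) == "Up"
            elif key == "changes":
                tracks[cur]["changes"] = int(m.group(1))
                tracks[cur]["last_change"] = m.group(2)
            elif key == "rtt_ms":
                tracks[cur]["rtt_ms"] = int(m.group(1))
            else:
                tracks[cur][key] = m.group(1)
            break
    return tracks


def down_tracks(tracks: Dict[int, dict]) -> List[int]:
    """Track numbers whose state is not Up (a missing state line counts as not Up)."""
    return sorted(n for n, t in tracks.items() if not t.get("up", False))


def alert_lines(tracks: Dict[int, dict], tunnel_of: Dict[int, str]) -> List[str]:
    """One human-readable alert per down track, naming the tunnel it guards."""
    out = []
    for n in down_tracks(tracks):
        name = tunnel_of.get(n, f"track {n}")
        t = tracks[n]
        out.append(f"{name} down: return code {t.get('return_code', '?')}, "
                   f"last change {t.get('last_change', '?')}")
    return out


if __name__ == "__main__":
    parsed = parse_show_track(SAMPLE_SHOW_TRACK)
    # Assumed mapping for the sample: track 1 guards Tunnel2700, track 2 Tunnel2800
    for line in alert_lines(parsed, {1: "Tunnel2700", 2: "Tunnel2800"}):
        print(line)   # Tunnel2700 down: return code Timeout, last change 00:16:23
```

A return code of `Timeout` with the tunnel interface still showing `line protocol is up` points at the far-side ZEN IP not answering through the tunnel rather than at the GRE encapsulation itself, which is the reason the page has you ping the internal tunnel address first.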
View the SLA statistics.
VPN-test#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *02:29:07.511 UTC Sat May 19 2012
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 2
Operation time to live: Forever

IPSLA operation id: 2
        Latest RTT: 1 milliseconds
Latest operation start time: *02:29:10.719 UTC Sat May 19 2012
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
Operation time to live: Forever
Ensure that the router applies the route-map to the appropriate traffic:
show route-map zscaler-tunnel
route-map zscaler-tunnel, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    interface Tunnel2700 Tunnel2800
  Policy routing matches: 76258 packets, 17131024 bytes