Local site uplink settings include the option to enable generic routing encapsulation (GRE) tunnel mode. Enable this feature on uplinks that traverse a stateful firewall between appliances.

Without GRE, traffic attempting to switch midstream to an uplink that traverses a stateful firewall might be blocked. This is because firewalls, which typically need to track TCP connection state and sequence numbers for security reasons, may have only partial or no packet sequence numbers, so it blocks the attempt to switch to the secondary uplink and might drop these packets. To traverse the firewall, The most common examples of midstream uplink switching occur when:

The GRE tunnel starts at the local appliance and ends at the remote one. Both appliances must be running RiOS 8.6.x or later. The tunnel configuration is local. The remote IP address must be a remote appliance’s in-path interface and the remote appliance must have path selection enabled. ICMP responses from the remote appliance use the same tunnel from which the ping is received. The remote appliance must also have GRE tunnel mode enabled if the user wants return traffic to go through a GRE as well.

GRE tunneled traffic can be optimized. GRE acceleration supports hub-and-spoke and spoke-to-spoke topologies, up to a maximum of 100 tunnels.

The GRE tunnel must be started and terminated between two routers. In addition, the default route for the appliances should be directed to the WAN. Multiple appliances can be used in a point-to-point tunnel, as long as all of them are inside the tunnel. The following figures show example GRE topologies.

Physical appliance models CX 3080, 5080, 7080 and virtual models on KVM and ESXi platforms support GRE tunnel optimization.

The following features are supported with GRE tunnel optimization:

The following features are not supported:

The following traffic is not optimized with GRE tunnel optimization: