
Forum Discussion

huzer
Mar 03, 2026
Solved

GRE Tunnel Issue

Has anyone run into an issue with GRE tunnels on a BIG-IP? I have a few set up running into a TGW in AWS and something seems to break them. Config change, module change, ?? I haven't been able to pin down an exact trigger. Sometimes I could fail over and have the tunnels on the other HA member work fine, and failing back would result in the tunnels going down again. (The tunnels are unique to each BIG-IP.) They start responding with ICMP protocol 47 unreachable. Once this happens a reboot doesn't seem to fix it. If I tear down the BIG-IP and rebuild it, I can keep them working again for X amount of time before the cycle repeats. Self IPs are open to the protocol; I also tried "allow all" for a bit. No NATs are involved with the underlay IPs.

3 Replies

  • I have also had problems in the past with GRE tunnels. My fix was removing the GRE tunnels and using a router for the tunnels.

  • huzer

    In case someone stumbles across this article in the future: TGWs in AWS utilize ECMP and as of this writing you're unable to turn that off. We were experiencing asymmetric routing, as a packet destined to AWS was being sent out one VLAN and returned via a different VLAN. It was visible in the traffic capture, but I was hung up on the ICMP response due to traffic returning on the wrong VLAN where there wasn't a listener.

    All credit to F5 support as they found the issue. 

    • huzer - thank you for taking the time to return and share your resolution.
      Community quality depends on members who share, as you did here, their problems and solutions.
      Thank you. 

      I've taken the liberty, based on your reply, of marking your reply as the solution.
      If that is incorrect let me know, or you may un-mark it yourself at any time.
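The resolution in this thread (GRE replies from the TGW's ECMP paths landing on a VLAN with no self IP listening for protocol 47, so the BIG-IP answers with ICMP protocol 47 unreachable) can be spotted mechanically from per-VLAN captures. The script below is an added example, not code from the thread or from F5: it groups GRE packets by endpoint pair, flags pairs whose outbound and inbound VLANs differ, and then checks whether the inbound VLAN actually carries a self IP with the tunnel's local address and GRE permitted in its port lockdown. The capture lines, VLAN names, addresses and the self-IP table are constructed for illustration; the line format is a simplified "vlan direction IP src > dst: proto" layout, not verbatim BIG-IP tcpdump output.

```python
"""
Added example (not from the original thread): flag asymmetric GRE routing from
per-VLAN tcpdump-style output and check whether the VLAN a GRE reply arrives on
has a self IP listening for protocol 47.

All sample data below is constructed for illustration. The line layout
"<vlan> <In|Out> IP <src> > <dst>: <proto>" is a simplification of what a
per-VLAN capture shows, not verbatim BIG-IP tcpdump output.
"""
import re
from collections import defaultdict

# Constructed capture. The 169.254.200.1 tunnel goes out on "external" but the
# TGW's ECMP return path delivers it on "dmz", which then emits the ICMP error.
SAMPLE_CAPTURE = """\
external Out IP 10.1.10.5 > 169.254.100.1: GREv0, length 88
external In IP 169.254.100.1 > 10.1.10.5: GREv0, length 88
external Out IP 10.1.10.5 > 169.254.200.1: GREv0, length 88
dmz In IP 169.254.200.1 > 10.1.10.5: GREv0, length 88
dmz Out IP 10.1.20.5 > 169.254.200.1: ICMP 10.1.10.5 protocol 47 unreachable, length 36
"""

# Constructed self-IP table: vlan -> address and allowed services (port lockdown).
SELF_IPS = {
    "external": {"address": "10.1.10.5", "allow_service": {"gre"}},
    "dmz": {"address": "10.1.20.5", "allow_service": {"default"}},
}

LINE_RE = re.compile(
    r"^(?P<vlan>\S+)\s+(?P<dir>In|Out)\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s+(?P<proto>.*)$"
)


def parse_capture(text):
    """Return the GRE lines as dicts; the ICMP error itself is a symptom, not a flow."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("proto").startswith("GRE"):
            continue
        records.append(m.groupdict())
    return records


def find_asymmetric_flows(records):
    """
    Group GRE packets by (local, remote) endpoint and return the pairs whose
    set of outbound VLANs differs from the set of inbound VLANs. Outbound
    packets define which address is the local tunnel endpoint.
    """
    out_vlans = defaultdict(set)
    in_vlans = defaultdict(set)
    for r in records:
        if r["dir"] == "Out":
            out_vlans[(r["src"], r["dst"])].add(r["vlan"])
        else:
            in_vlans[(r["dst"], r["src"])].add(r["vlan"])
    result = {}
    for pair in set(out_vlans) | set(in_vlans):
        if out_vlans[pair] != in_vlans[pair]:
            result[pair] = {"out": sorted(out_vlans[pair]), "in": sorted(in_vlans[pair])}
    return result


def listener_for(vlan, local_addr, self_ips=SELF_IPS):
    """
    True if the VLAN has a self IP equal to the tunnel's local address whose
    port lockdown admits GRE ("gre" or "all"). A reply landing on a VLAN where
    this is False has nothing to deliver to, hence protocol 47 unreachable.
    """
    entry = self_ips.get(vlan)
    if entry is None or entry["address"] != local_addr:
        return False
    return bool(entry["allow_service"] & {"gre", "all"})


def diagnose(text, self_ips=SELF_IPS):
    """Map each asymmetric endpoint pair to the inbound VLANs lacking a GRE listener."""
    findings = {}
    for (local, remote), vlans in find_asymmetric_flows(parse_capture(text)).items():
        missing = [v for v in vlans["in"] if not listener_for(v, local, self_ips)]
        findings[(local, remote)] = {"out": vlans["out"], "in": vlans["in"], "no_listener": missing}
    return findings


if __name__ == "__main__":
    for (local, remote), f in diagnose(SAMPLE_CAPTURE).items():
        print(f"{local} <-> {remote}: out on {f['out']}, back on {f['in']}, "
              f"no GRE listener on {f['no_listener']}")
```

In practice you would feed it one capture per VLAN (taken on each VLAN the TGW attachments can reach) and fill the self-IP table from the unit's configuration; a non-empty `no_listener` list for a tunnel is the signature described in the accepted reply, and the fix is to give every VLAN the ECMP return path can use a self IP that matches the tunnel's local address with GRE allowed, or to collapse the return paths onto one VLAN.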