Troubleshooting GRE

Use this playbook when GRE tunnels are down or degraded.

Common symptoms

• Network transport default shows GRE but effective tunnel status remains disabled.
• Gateway is ready but tunnel counters (rxBytes/txBytes) stay at zero.
• Runtime status remains pending after desired-state change.

Checks in Dashboard

1. Tunnels: confirm effective protocol is GRE and inspect endpoint/device pairing.
2. Gateway details: check runtime status and health reasons.
3. Network runtime status: verify routing/dns apply state is not error.

Checks on gateway host

ip -d link show type gre
ip -s link show type gre
ip route show
iptables -S NANAMI_GW_FORWARD

Frequent failure modes

Missing or invalid remote endpoint

• Symptom: tunnel interface not created or stays down.
• Fix: ensure peer endpoint is resolvable/reachable and correctly formatted.

GRE underlay blocked

• Symptom: no traffic counters, persistent disabled status.
• Fix: allow GRE protocol traffic in underlay/firewall path.

Expected encryption mismatch

• Symptom: security review flags cleartext transport.
• Fix: use WireGuard instead, or add encrypted underlay (for example IPsec).

Mixed protocol assumptions

• Symptom: operator expects WireGuard runtime semantics from a GRE transport default.
• Fix: verify the network transport default, then use effective tunnel/runtime protocol diagnostics for the active path.

API diagnostics

curl -sS "$API_URL/api/v1/tunnels"
curl -sS "$API_URL/api/v1/networks/<network-id>/runtime-status"

Look for:

• protocolType: "gre"
• runtimeState.status: applied|pending|unknown
• gateway health reasons in realtime/status APIs.