Troubleshooting 'GRE: Protocol not available' errors
6/07/2005
This article is designed to help troubleshoot the following error and other similar protocol 47(GRE) errors:
"GRE: read(fd=7,buffer=8056b60,len=8260) from network failed: status = -1 error = Protocol not available"
Below is a list of the most common causes I came across during my research on these errors.
#1. Client firewall:
-
Make sure your client is not running a software firewall. If it is make sure port 1723 and protocol 47 are allowed.
Many consumer grade routers have PPTP passthrough disabled by default. On Linksys brand routers there is a section in configuration called 'Filters' that you have to change.
#2. Server firewall
-
Make sure your PPTP server can recieve a connection on port 1723 and that protocol 47 is being allowed or forwarded.
If your PPTP server has iptables running
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
or if your PPTP server is behind a machine running iptables
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to SERVER_IP
iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to SERVER_IP
#3. Protocol 47 NOT port 47
-
This is a simple but extremely common problem. Do not get port 47 confused with protocol 47. Opening port 47 on your firewall is not the same as allowing protocol 47 or gre.
#4. Patching kernel and recompiling.
-
If you are running ipchains with nat you may find that after trying all the above you still get and error. More than likely you are going to need to patch the kernel source and the iptables source and recompile both. This is a bit more difficult than it sounds due to lack of good documentation. Here are the steps as follows:
1. Download and install your kernel source.
2. Download and install the iptables source.
3. Download the newest patch-o-matic.
4. Uncompress patch-o-matic. Run './runme pptp-conntrack-nat' making sure the kernel and iptables source directories are correct.
5. Configure and recompile your kernel, making sure to enable GRE under 'Device Drivers-->Networking Support-->Networking Options-->Network packet filtering (replaces ipchains)-->IP-->GRE Protocol'
6. After booting the new kernel run 'make' on the iptables source. You should recieve a error similar to the error below. If you don not recieve the error below you are compiling against the wrong kernel headers and need to resolve this by running make with 'KERNEL_DIR=/usr/src/linux'.
Extensions found: IPv4:recent IPv6:ah IPv6:esp IPv6:frag IPv6:ipv6header
IPv6:hbh IPv6:dst IPv6:rt
cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/
-DIPTABLES_VERSION=\"1.3.1\" -fPIC -o extensions/libipt_ah_sh.o -c
extensions/libipt_ah.c
In file included from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:26,
from include/libiptc/libiptc.h:6,
from include/iptables.h:5,
from extensions/libipt_ah.c:8:
/usr/src/linux/include/linux/config.h:6:2: #error including kernel
header in userspace; use the glibc headers instead!
make: *** [extensions/libipt_ah_sh.o] Error 1
Look for the line containing something similar to
'/usr/src/linux/include/linux/config.h:6:2: #error including kernel'
Edit the file it is pointing to a remove or comment out the following lines:
#include
#if !defined (__KERNEL__) && !defined(__KERNGLUE__)
#error including kernel header in userspace; use the glibc headers instead!
#endif
#endif
Run 'make' again followed by 'make install'. Modprobe 'ip_nat_proto_gre' and 'ip_nat_pptp'. Make sure you have the appropriate rules for iptables setup as per #2. Rerun your firewall script or restart the iptables service.
Additional Resource:
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#read_eproto
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-conntrack-nat
| |
 |