Symptom
Traffic outage due to incorrect packet forwarding of GRE tunnel packets
"Bad" GRE tunnel connections observed with identical ingress and egress interfaces:
UDP gre_outside 10.1.2.1:5001 gre_outside 11.1.2.1:44845, idle 0:00:01, bytes 1, flags -pN1 ====> Corrupt
UDP gre_outside 10.1.2.1:5001 gre_inside 11.1.2.1:37283, idle 0:01:54, bytes 1, flags -pN1
GRE gre_outside 10.1.1.2:0 gre_outside 11.1.1.2:0, idle 0:00:01, bytes 0, flags LN ==============> Corrupt
GRE gre_outside 10.1.1.2:0 gre_inside 11.1.1.2:0, idle 0:01:54, bytes 0, flags LN
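As an added check (not part of the original bug note): a Python snippet that parses "show conn" output in the single-line format quoted above and reports connections whose ingress and egress interfaces are the same, which is the signature of the mis-forwarded GRE connections. The field layout assumed is the one visible above; the sample input reuses the four connection lines from the Symptom section without the hand-written "Corrupt" markers.

```python
import re
from typing import Dict, List

# Matches one FTD/ASA "show conn" line of the form (assumed from the output quoted above):
#   PROTO in_if src:sport out_if dst:dport, idle H:MM:SS, bytes N, flags F
# Anything after the flags field (such as a hand-written "====> Corrupt" marker) is ignored.
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+"
    r"(?P<in_if>\S+)\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+"
    r"(?P<out_if>\S+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+),\s+"
    r"idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


def parse_conn_table(output: str) -> List[Dict[str, str]]:
    """Parse show conn output into a list of field dicts; lines that do not match are skipped."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def find_hairpinned(output: str) -> List[Dict[str, str]]:
    """Return connections whose ingress and egress interface are identical.

    For a GRE tunnel that is supposed to cross the firewall, a connection that
    enters and leaves on the same interface is the mis-forwarded case described above.
    """
    return [c for c in parse_conn_table(output) if c["in_if"] == c["out_if"]]


# Sample input: the four connection lines quoted in the Symptom section, annotations removed.
SAMPLE_SHOW_CONN = """\
UDP gre_outside 10.1.2.1:5001 gre_outside 11.1.2.1:44845, idle 0:00:01, bytes 1, flags -pN1
UDP gre_outside 10.1.2.1:5001 gre_inside 11.1.2.1:37283, idle 0:01:54, bytes 1, flags -pN1
GRE gre_outside 10.1.1.2:0 gre_outside 11.1.1.2:0, idle 0:00:01, bytes 0, flags LN
GRE gre_outside 10.1.1.2:0 gre_inside 11.1.1.2:0, idle 0:01:54, bytes 0, flags LN
"""

if __name__ == "__main__":
    for c in find_hairpinned(SAMPLE_SHOW_CONN):
        print(f"{c['proto']} {c['src']}:{c['sport']} -> {c['dst']}:{c['dport']} "
              f"enters and leaves on {c['in_if']} (flags {c['flags']})")
```

Running it against the sample reports the two "gre_outside -> gre_outside" entries and leaves the two correctly forwarded "gre_outside -> gre_inside" entries alone.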
Conditions
FTD 6.4.0.9, with GRE inner flow processing enabled and GRE tunnels traversing FTD data interfaces
Workaround
Enable unicast reverse path forwarding (RPF) for relevant data interfaces.
On FTD this feature is called "anti-spoofing" and is configured per interface under the interface's advanced settings.
Config guide reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/regular_firewall_interfaces_for_firepower_threat_defense.html#task_34BB9AC8E91946AB847C65FB79D67A5F