I'm currently debugging an issue where GRE traffic is dropped at the firewall even with explicit rules to allow forwarding from WAN to LAN as well as input to the device. I've also created rules to allow all IP traffic from the source IP to make sure that nothing blocked it. Packet captures of the WAN interface show GRE protocol traffic is received but then responded to with ICMP destination unreachable. I do not see the traffic reach the LAN interface. This causes my client VPN to fail its connection.
To troubleshoot, I verified that all nathelper and GRE kernel modules are installed and verified that the conntrack helpers are showing in the iptables RAW table. I can post pcaps if need be.
Has anyone seen this issue occur? The build is from a trunk snapshot from a few days prior. Any help you can give will be much appreciated.