GRE tunnel TTL number

networking gre

TTL stands for Time to Live. It is a field present in the IP packet header. The value is initially set by the sender, often to 64, and decremented by one by every router. When it reaches 0 without before reaching the final destination, the router drops the packet and sends an ICMP Time Exceeded message back to the original source. This TTL processing is important to prevent unroutable IP packets from being forwarded forever on an IP network, consuming resources.

Traceroute uses this TTL behavior to figure out what hops and how many hops (routers) there are on a path to a destination. It sends out probe IP packets with small TTLs in sequence: TTL=1, TTL=2, TTL=3. TTL=1 will be dropped by the first router, TTL=2 will be forwarded by the first and dropped by the second, and so on. If traceroute receives an ICMP Time Exceeded message from a router, it will display its IP address. If the probe times out, an asterisk is displayed.

To return to the effect you are seeing, it is because of how the GRE tunneling works with regards to TTL. For IPv4 GRE tunnels, the default is to copy the TTL from the tunneled packet to the IPv4 GRE packet. This can be overridden by the ttl option as you did. Relevant excerpt from the manual:

ttl N
hoplimit N

    set a fixed TTL (IPv4) or hoplimit (IPv6) N on tunneled
    packets. N is a number in the range 1--255. 0 is a special
    value meaning that packets inherit the TTL value. The default
    value for IPv4 tunnels is: inherit. The default value for IPv6
    tunnels is: 64.

So, when you do use ttl 255, a probe sent by traceroute with TTL=1 will be encapsulated into a GRE IPv4 packet with TTL=255. This will be forwarded by all the intermediate routers and reach the tunnel endpoint and be received and handled by the final destination. When you do not use ttl 255, the default is ttl inherit. This means that a traceroute probe with TTL=1 will be encapsulated in a GRE IPv4 packet with TTL=1. It will be dropped by the first router. However, it is the GRE packet that is dropped and if the router sends an ICMP time exceeded, then it will refer to the encapsulating packet (GRE) and not to the encapsulated traceroute probe. Therefore the traceroute process will not receive any ICMP error, the probe times out, and an asterisk (*) is displayed. When the TTL is large enough for the GRE encapsulated packet to reach the tunnel endpoint, then finally the probe also reaches the final destination and its IP address is displayed.

So, to conclude, you really do not have an issue, but things work exactly as they should!

Related

IPv6 on Amazon VPC: missing default route in Ubuntu
squid and caching of dnf/yum downloads
Install Go 1.8 with yum
Amanda versus Bacula and (modern as of 2017) large backup jobs
Is it possible to add Active Directory to a windows container?
How can I remove dedup from my pool without running out of RAM?
Reconfiguring PHP 5.6 to run on MacOS 10.13 High Sierra
Using robocopy to copy missing files/folders to a destination path
Caching nginx auth_request
Disable SMB sharing for specific NIC on server 2012
experience with using SS on Windows 2016 MSCS VMware Virtual machines
Amazon EKS: how to configure S3 access for worker nodes?