MTU Problem on GRE Tunnel

Unanswered Question
Apr 27th, 2007

Hi,

I have an Internet connection with ISDN backup.

On the primary link I have a GRE tunnel to a Cisco 3662, which also terminates the ISDN backup in case of primary link failure.

The customer has an IPSec tunnel to 2 remote offices. The VPN to the Linux FW works fine.

On the VPN to an MS-ISA Server, some protocols do not pass (RDP, SQL).

This must be an MTU issue, because if the backup is active, the protocols will pass.


I can manage only the CPE 1721 and the 3662.


On all Interfaces of the CPE (1721) I have configured the following:


ip tcp adjust-mss 1300



So my question: what can be done at the ISA Server to solve this problem?

Is there any possibility to resolve this problem without configuring the remote routers/firewalls?


Regards and Thanks

Thomas



Overall Rating: 5 (1 ratings)
thomas.feichter Tue, 05/01/2007 - 10:59

Hi,


I have set the MTU on the tunnel interfaces to 1500.

Now it works.


Thanks and regards

Thomas

bbaillie Fri, 04/27/2007 - 04:11

The configuration and reasons why from a Cisco perspective are here.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml


If you want to correct the problem at the ISA server (you are correct, this is an MTU issue), there are two ways. The first way is to enable Path MTU discovery and Black Hole detection at the same time. Without Black Hole detection, PMTUD will fail due to "no ip unreachables" being enabled on router interfaces, and the server never knows its packets are too big, thus creating black holing.

http://support.microsoft.com/kb/314053


Or you can drop the MTU of the LAN card that faces your internal network on the ISA server to 1300 decimal, not hex. This is done at the LAN interface in the registry (your LAN card driver GUI configuration may also provide this ability).

Either solution will work so do the one you prefer.


Cheers,


Brian


Hi,


It is definitely an MTU problem and it cannot be solved with tcp adjust-mss, since IPSEC uses UDP as the transport protocol, and PMTU discovery and altering the TCP MSS won't help.

Here is a link to help understand the GRE MTU.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml


I think you have to alter the MTU on the tunnel interface. The reason why it is working fine with ISDN is that there is no other protocol overhead, as opposed to GRE. It is also important whether the primary Internet connection is through DSL or a leased line, because in the case of ADSL you have to account for the PPPoE overhead too. Another way is to try to lower the MTU on the ISA and the firewall. I also had a similar problem, but through PPPoE instead of GRE, and after thinking it over (and reading a lot :)) I was able to find the correct MTU where it is working.
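
The overhead arithmetic these replies refer to, as an added example (not code from the thread, Cisco or Microsoft): it computes the largest inner packet and TCP MSS that pass through IPsec ESP tunnel mode inside the GRE tunnel without fragmentation. The header sizes (IPv4 without options), the two transform sets and the 1500-byte link MTU are assumptions; substitute the values the VPN peers actually negotiate.

```python
# Added example: overhead budget for TCP inside IPsec ESP inside GRE.
# All sizes are assumptions for IPv4 without options.
IP_HDR, TCP_HDR, GRE_HDR, PPPOE_HDR = 20, 20, 4, 8
UDP_NATT, ESP_HDR, ESP_TRAILER = 8, 8, 2  # ESP: SPI+seq; pad-length+next-header

def gre_payload_mtu(link_mtu, pppoe=False):
    """Largest IP packet that fits in the GRE tunnel without fragmentation."""
    if pppoe:
        link_mtu -= PPPOE_HDR
    return link_mtu - IP_HDR - GRE_HDR

def esp_packet_size(inner_len, block, iv, icv, nat_t=False):
    """Size of the ESP tunnel-mode packet produced for one inner packet."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to block
    return IP_HDR + (UDP_NATT if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_inner_packet(path_mtu, block, iv, icv, nat_t=False):
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    fixed = IP_HDR + (UDP_NATT if nat_t else 0) + ESP_HDR + iv + icv
    room = path_mtu - fixed               # bytes left for the encrypted part
    return room - room % block - ESP_TRAILER

def max_tcp_mss(path_mtu, **esp):
    """TCP MSS that keeps a full segment within the inner packet limit."""
    return max_inner_packet(path_mtu, **esp) - IP_HDR - TCP_HDR

# Assumed transform sets, constructed for illustration.
AES_CBC_SHA1 = dict(block=16, iv=16, icv=12)
TDES_CBC_SHA1 = dict(block=8, iv=8, icv=12)

if __name__ == "__main__":
    paths = [("primary link, GRE", gre_payload_mtu(1500)),
             ("primary link, GRE over PPPoE", gre_payload_mtu(1500, pppoe=True)),
             ("backup link, no GRE (assumed 1500)", 1500)]
    for name, mtu in paths:
        for label, esp in [("AES-CBC/SHA1", AES_CBC_SHA1),
                           ("3DES-CBC/SHA1", TDES_CBC_SHA1)]:
            print(f"{name:36} {label:14} path MTU {mtu}  "
                  f"inner MTU {max_inner_packet(mtu, **esp)}  "
                  f"MSS {max_tcp_mss(mtu, **esp)}")
```

Because ESP pads the encrypted part up to the cipher block size, the usable inner size moves in block-sized steps, so a one-byte-larger packet can cost a whole extra block on the wire.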

mohammedmahmoud Wed, 05/02/2007 - 23:01

Hi,


I will add my voice to Brian's: you can change the MTU on the ISA server:


MTU

Key: Tcpip\Parameters\Interfaces\ID for Adapter

Value Type: REG_DWORD Number

Valid Range: 68 - the MTU of the underlying network

Default: 0xFFFFFFFF

Description: This parameter overrides the default Maximum Transmission Unit (MTU) for a network interface. The MTU is the maximum packet size in bytes that the transport transmits over the underlying network. The size includes the transport header. An IP datagram can span multiple packets. Values larger than the default value for the underlying network cause the transport to use the network default MTU. Values smaller than 68 cause the transport to use an MTU of 68.


http://support.microsoft.com/kb/314053



HTH, please rate if it does help,

Mohammed Mahmoud.
