GRE/IPSec tunnel with SQL

Feb 12th, 2008

Hi people,

It has been really long since I posted any problem here, but this is really weird.


We have remote branches and remote POS connected over MPLS using a GRE/IPSec tunnel. Recently we upgraded one of our application servers, which authenticates/connects the branch office SQL server to the head office SQL server and does some sort of publication and subscription.


Problem:

After troubleshooting I discovered that if the GRE/IPSec tunnel is (temporarily) removed from one branch, the above-mentioned scenario works perfectly. Otherwise, the branch office SQL server cannot register the SQL server in head office using Enterprise Manager, neither can it establish ODBC, but it can surely see the databases and their tables and run queries.


Question:

Can a GRE/IPSec tunnel cause such a problem with SQL authentication? Our GRE/IPSec tunnel config is as follows:


crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile securityvpn-profile
 set security-association lifetime seconds 120
 set transform-set strong


Any guideline or help would be appreciated. Thanks in advance.

scottmac Mon, 02/18/2008 - 16:34

Try dropping your MTU size.

mpls mtu ##

or ip mtu ##

or there's an "MTU (or is it MSS?) adjust" command at the tunnel interface level (brain fart, don't remember the syntax, sorry)


Between the MPLS labels, GRE header, and IPSEC stuff, you may be generating over-sized traffic ... and many of the secure / encrypted protocols do not permit fragmentation (routing protocols also do not frag).


Regardless, I'd bet a nickel it's an MTU-related issue.


Good Luck


Scott


eyad_alnaqi Mon, 02/18/2008 - 23:54

I'm facing a very similar problem using the following topology using GRE over IPsec.


LAN - Router - p2p leased line - Router - LAN - Firewall - External network


The end users on the left can ping but cannot authenticate with the server on the right-hand-side LAN, although the firewall is beyond their destination!


I guess I need to modify the MTU and try again. I will keep you posted when I'm done.


Regards,

shivlu jain Tue, 02/19/2008 - 00:27

Definitely it's a problem of MTU size or a fragmentation issue. You can try one thing: try to set the DF bit. Maybe it can solve your issue.


route-map DF permit 10
 match ip address 101
 set DF 1

access-list 101 permit ip any any


After that, bind the route-map to the LAN interface. By doing this, every packet coming from the LAN will now be fragmented. Also check whether you are getting packets larger than 1500 bytes; the same can be done with a route-map:


route-map PACKETSIZE
 match packet length (or "match length")


and bind it to the interface.


regards

shivlu

mohammedmahmoud Tue, 02/19/2008 - 13:16

Hi,


I agree with all the previous posters that this is an MTU issue, but Shivlu, I believe you meant "set ip df 0" in order to permit fragmentation. You can also use the DF Bit Override Functionality with IPSec Tunnels:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html

Please check the following links:


TCP MSS Adjustment

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html


Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems

http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml


Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml


Why Can't I Browse the Internet when Using a GRE Tunnel?

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml


BR,

Mohammed Mahmoud.
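To make the MTU arithmetic in the replies concrete, here is an added Python example (not code from any poster in this thread) that computes the on-the-wire size of a packet sent through the GRE/IPsec transport-mode tunnel configured in the question (esp-3des esp-md5-hmac), the largest inner packet that fits a 1500-byte link, and the MSS to clamp. Header sizes come from the RFCs; the MPLS label count and option-free IPv4/TCP headers are assumptions.

```python
"""Overhead budget for GRE over IPsec ESP in transport mode with
esp-3des esp-md5-hmac, the combination configured in the question.
Illustrative example added to this thread; not code from any poster.
Header sizes: RFC 2784 (GRE), RFC 4303 (ESP), RFC 2451 (3DES-CBC),
RFC 2403 (HMAC-MD5-96). IPv4/TCP headers assumed to carry no options."""

IP_HDR = 20        # outer IPv4 delivery header added by the GRE tunnel
GRE_HDR = 4        # basic GRE header (no checksum, key or sequence fields)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_IV = 8         # 3DES-CBC IV, one cipher block
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-MD5-96 truncated authenticator
BLOCK = 8          # 3DES block size: payload + trailer is padded to a multiple
MPLS_LABEL = 4     # one MPLS label stack entry on the provider side (assumed)


def _round_up(n: int, multiple: int) -> int:
    return -(-n // multiple) * multiple


def encapsulated_size(inner_len: int, labels: int = 0) -> int:
    """Bytes on the wire for one inner IP packet after GRE + ESP transport
    mode + `labels` MPLS labels. Transport mode means ESP wraps GRE+inner
    and reuses the tunnel's outer IP header instead of adding a second one."""
    padded = _round_up(GRE_HDR + inner_len + ESP_TRAILER, BLOCK)
    return labels * MPLS_LABEL + IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_inner_packet(link_mtu: int, labels: int = 0) -> int:
    """Largest inner IP packet that still fits link_mtu unfragmented; this is
    the value to give `ip mtu` on the tunnel interface."""
    fixed = labels * MPLS_LABEL + IP_HDR + ESP_HDR + ESP_IV + ESP_ICV
    padded_max = (link_mtu - fixed) // BLOCK * BLOCK
    return padded_max - ESP_TRAILER - GRE_HDR


def tcp_mss_for(link_mtu: int, labels: int = 0) -> int:
    """TCP MSS to clamp with `ip tcp adjust-mss`: inner packet minus the inner
    IPv4 (20) and TCP (20) headers."""
    return max_inner_packet(link_mtu, labels) - 40


if __name__ == "__main__":
    # A full-size 1500-byte segment from the LAN no longer fits a 1500-byte
    # link once encapsulated; with DF set it is dropped instead of fragmented.
    print("1500-byte packet on the wire:", encapsulated_size(1500))      # 1560
    print("largest inner packet for MTU 1500:", max_inner_packet(1500))  # 1442
    print("MSS to clamp for MTU 1500:", tcp_mss_for(1500))               # 1402
```

Small packets (pings, query results that fit in one segment) survive because they never approach the limit, which matches the symptom of being able to query but not to complete the larger authentication exchange.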
