1281 Views, 0 Helpful, 5 Replies

GRE/IPSec tunnel with SQL

zulqurnain
Level 3

Hi people,

It has been really long since I posted any problem here, but this one is really weird.

We have remote branches and remote POS connected over MPLS using a GRE/IPsec tunnel. Recently we upgraded one of our application servers, which authenticates/connects the branch office SQL server to the head office SQL server and does some sort of publication and subscription.

problem:

After troubleshooting I discovered that if the GRE/IPsec tunnel is removed from one branch (temporarily), the above-mentioned scenario works perfectly. Otherwise, the branch office SQL server cannot register the SQL server in the head office using Enterprise Manager, nor can it establish ODBC, but it can surely see the databases and their tables and make queries.

Question:

Can a GRE/IPsec tunnel cause such a problem with SQL authentication? Our GRE/IPsec tunnel config is as follows:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile securityvpn-profile
 set security-association lifetime seconds 120
 set transform-set strong

Any guideline or help would be appreciated. Thanks in advance.

5 Replies

thomas.chen
Level 6

Please tell us what platform is being used for the IPsec+GRE setup. The following URL is a basic configuration option for a GRE+IPsec setting:

http://www.cisco.com/warp/public/707/ipsecgrenat.html

scottmac
Level 10

Try dropping your MTU size.

mpls mtu ##

or ip mtu ##

or there's an "MTU (or is it MSS?) adjust" command at the tunnel interface level (brain fart, don't remember the syntax, sorry)

Between the MPLS labels, GRE header, and IPSEC stuff, you may be generating over-sized traffic ... and many of the secure / encrypted protocols do not permit fragmentation (routing protocols also do not frag).

Regardless, I'd bet a nickel it's an MTU-related issue.

Good Luck

Scott
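To put numbers on the overhead Scott describes, here is an added calculator (not code from anyone in this thread) worked through for the transform set in the original post, esp-3des esp-md5-hmac in transport mode, carried over GRE and MPLS. The header sizes are the standard IPv4/GRE/ESP/MPLS values; the path MTU and the number of MPLS labels are assumptions you replace with your own core's figures, and the `tunnel mode` variant is included to show how much more a second IP header costs.

```python
# Added example: byte-overhead calculator for GRE over IPsec (ESP) across MPLS.
# Header sizes are the standard IPv4/GRE/ESP/MPLS values; the transform set
# mirrors the one in the original post (esp-3des esp-md5-hmac, transport mode).
# Path MTU and MPLS label count are inputs you supply for your own core.
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # GRE without key or sequence fields (IOS default)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
MPLS_LABEL = 4     # one label stack entry


@dataclass(frozen=True)
class Esp:
    block: int    # cipher block size; the IV is one block (3DES and AES-CBC)
    icv: int      # authenticator length; MD5-96 and SHA1-96 are 12 bytes
    tunnel: bool  # tunnel mode wraps the GRE/IP packet in a second IP header


ESP_3DES_MD5_TRANSPORT = Esp(block=8, icv=12, tunnel=False)  # the thread's transform set
ESP_3DES_MD5_TUNNEL = Esp(block=8, icv=12, tunnel=True)      # for comparison


def encapsulated_size(inner_len: int, esp: Esp, labels: int = 0) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes after
    GRE encapsulation, ESP protection and MPLS labelling (labels > 0)."""
    plaintext = GRE_HDR + inner_len + ESP_TRAILER
    if esp.tunnel:
        plaintext += IP_HDR                          # GRE delivery header is encrypted too
    padded = -(-plaintext // esp.block) * esp.block  # ESP pads up to the cipher block
    return labels * MPLS_LABEL + IP_HDR + ESP_HDR + esp.block + padded + esp.icv


def max_inner_mtu(path_mtu: int, esp: Esp, labels: int = 0) -> int:
    """Largest inner IP packet whose protected form still fits path_mtu,
    i.e. the value to configure as 'ip mtu' on the tunnel interface."""
    fixed = labels * MPLS_LABEL + IP_HDR + ESP_HDR + esp.block + esp.icv
    padded_room = (path_mtu - fixed) // esp.block * esp.block
    return padded_room - GRE_HDR - ESP_TRAILER - (IP_HDR if esp.tunnel else 0)


def tunnel_settings(path_mtu: int, esp: Esp, labels: int = 0, headroom: int = 0) -> dict:
    """'ip mtu' and 'ip tcp adjust-mss' for the tunnel interface; headroom lowers
    both further if you want a safety margin (MSS = MTU minus IP and TCP headers)."""
    mtu = max_inner_mtu(path_mtu, esp, labels) - headroom
    return {"ip mtu": mtu, "ip tcp adjust-mss": mtu - IP_HDR - TCP_HDR}


if __name__ == "__main__":
    esp = ESP_3DES_MD5_TRANSPORT
    for size in (576, 1400, 1500):   # constructed sample packet sizes
        wire = encapsulated_size(size, esp, labels=2)
        note = "(exceeds 1500: fragments or is dropped)" if wire > 1500 else ""
        print(f"{size}-byte packet -> {wire} bytes on the wire {note}")
    print(tunnel_settings(1500, esp, labels=2))
```

A full 1500-byte LAN packet comes out at 1560 bytes before any MPLS labels, which is exactly the oversized traffic Scott is talking about; small SQL queries fit, bulk result sets and registration traffic do not. The calculator is a planning aid only: the MPLS labels count against the 1500 only if the core does not carry baby giants, which is what the `mpls mtu` command is about.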

eyad_alnaqi
Level 1

I'm facing a very similar problem using the following topology using GRE over IPsec.

LAN - Router - p2p leased line - Router - LAN - Firewall - External network

The end users on the left can ping but cannot authenticate with the server on the right-hand-side LAN, although the firewall is beyond their destination!

I guess I need to modify the MTU and try again. I will keep you posted whenever I'm done.

Regards,

shivlu jain
Level 5

Definitely it's a problem of MTU size or a fragmentation issue. You can try one thing: try to set the DF bit. Maybe it can solve your issue.

route-map DF permit 10
 match ip address 101
 set ip df 1
!
access-list 101 permit ip any any

After that, bind the list to the LAN interface. By doing this every packet coming from the LAN will now be fragmented. Also check whether you are getting packets larger than 1500 bytes; the same can be done with a route-map.

route-map PACKETSIZE permit 10
 ! IOS syntax is "match length <min-bytes> <max-bytes>"; 1501 65535 selects packets above 1500 bytes
 match length 1501 65535

and bind it to the interface.

regards

shivlu

Hi,

I agree with all the previous posters that this is an MTU issue, but Shivlu, I believe you meant "set ip df 0" in order to permit fragmentation. You can also use the DF Bit Override Functionality with IPsec Tunnels:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html

Please check the following links:

TCP MSS Adjustment

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html

Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems

http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml

Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Why Can't I Browse the Internet when Using a GRE Tunnel?

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

BR,

Mohammed Mahmoud.
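To show concretely why Mohammed's correction matters, here is an added model (not code from any poster) of what the tunnel router does with a packet arriving from the LAN, depending on its size, its DF bit and the DF policy applied: the default honours the host's DF bit, a route-map with `set ip df 0` clears it so the router can fragment, and `set ip df 1` forces the drop. The tunnel MTU, the sample packet sizes and the assumption that a firewall in the path may eat the ICMP "fragmentation needed" message are constructed inputs. The `crypto ipsec df-bit` override linked above acts on the outer ESP header rather than the LAN packet and is not modelled here.

```python
# Added example: fate of a LAN packet at a GRE tunnel interface with a given
# 'ip mtu', depending on its DF bit and the route-map DF policy. Constants and
# sample traffic are constructed; IPv4 fragmentation rules are the standard ones.
from dataclasses import dataclass, field
from typing import List, Optional

IP_HDR = 20  # IPv4 header without options


@dataclass
class Outcome:
    action: str                                          # "forwarded", "fragmented" or "dropped"
    fragments: List[int] = field(default_factory=list)   # lengths of the packets that leave
    icmp_mtu: Optional[int] = None                       # next-hop MTU in ICMP "fragmentation needed"


def ipv4_fragments(total_len: int, mtu: int) -> List[int]:
    """Split an IPv4 packet so every fragment fits mtu. Each fragment carries its
    own 20-byte header; all but the last hold a multiple of 8 payload bytes."""
    payload = total_len - IP_HDR
    per_fragment = (mtu - IP_HDR) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("mtu too small to carry any payload")
    sizes = []
    while payload > per_fragment:
        sizes.append(IP_HDR + per_fragment)
        payload -= per_fragment
    sizes.append(IP_HDR + payload)
    return sizes


def handle_inner(length: int, df: bool, tunnel_mtu: int, df_policy: str = "copy") -> Outcome:
    """Decide what the router does with one LAN packet at the tunnel interface.
    df_policy: "copy"  honour the host's DF bit (default behaviour)
               "clear" route-map 'set ip df 0' on the LAN interface
               "set"   route-map 'set ip df 1' (forces DF on)"""
    effective_df = {"copy": df, "clear": False, "set": True}[df_policy]
    if length <= tunnel_mtu:
        return Outcome("forwarded", [length])
    if effective_df:
        # Too big and DF set: drop it and tell the sender the next-hop MTU (PMTUD).
        return Outcome("dropped", [], icmp_mtu=tunnel_mtu)
    return Outcome("fragmented", ipv4_fragments(length, tunnel_mtu))


def run_flow(sizes: List[int], df: bool, tunnel_mtu: int, df_policy: str,
             icmp_reaches_host: bool) -> dict:
    """Push a sequence of packets through the tunnel. If the ICMP 'fragmentation
    needed' gets back to the host it lowers its path MTU and later packets fit;
    if a firewall blocks the ICMP the large packets are silently black-holed."""
    pmtu: Optional[int] = None
    stats = {"forwarded": 0, "fragmented": 0, "dropped": 0, "blackholed": False}
    for size in sizes:
        if pmtu is not None and size > pmtu:
            size = pmtu                   # host has learnt the path MTU and resizes
        result = handle_inner(size, df, tunnel_mtu, df_policy)
        stats[result.action] += 1
        if result.action == "dropped":
            if icmp_reaches_host:
                pmtu = result.icmp_mtu
            else:
                stats["blackholed"] = True
    return stats


if __name__ == "__main__":
    # Constructed sample: a short SQL query, then two full-size segments, DF set by the host.
    traffic = [200, 1500, 1500]
    print("ICMP blocked, default DF:", run_flow(traffic, True, 1400, "copy", False))
    print("ICMP allowed, default DF:", run_flow(traffic, True, 1400, "copy", True))
    print("set ip df 0:             ", run_flow(traffic, True, 1400, "clear", False))
```

The first run reproduces the thread's symptom: the small query goes through while the large segments vanish, which is what the original poster sees when browsing works but registration and ODBC setup fail. Clearing DF lets the router fragment and the peer reassemble, at a performance cost; fixing the tunnel `ip mtu` and `ip tcp adjust-mss` so the large packets never exceed the limit avoids both the drop and the fragmentation.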
