02-12-2008 10:34 PM - edited 03-03-2019 08:40 PM
Hi people,
It has been a really long time since I posted any problem here, but this one is really weird.
We have remote branches and remote POS connected over MPLS using a GRE/IPsec tunnel. Recently we upgraded one of our application servers, which authenticates / connects the branch office SQL server to the head office SQL server and does some sort of publication and subscription.
Problem:
After troubleshooting I discovered that if the GRE/IPsec tunnel is removed from one branch (temporarily), the scenario above works perfectly; otherwise the branch office SQL server can neither register the head office SQL server using Enterprise Manager nor establish an ODBC connection, but it can surely see the databases and their tables and run queries.
Question:
Can a GRE/IPsec tunnel cause such a problem with SQL authentication? Our GRE/IPsec tunnel config is as follows:
crypto isakmp policy 1
 authentication pre-share
! wildcard pre-shared key: accepted from any peer address
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile securityvpn-profile
 ! 120-second SA lifetime (IOS default is 3600 seconds)
 set security-association lifetime seconds 120
 set transform-set strong
Any guideline or help would be appreciated. Thanks in advance.
02-18-2008 02:12 PM
Please tell us what platform is being used for the IPsec+GRE setup. The following URL is a basic configuration option for a GRE+IPsec setting:
02-18-2008 04:34 PM
Try dropping your MTU size.
Or there's an "MTU (or is it MSS?) adjust" command at the tunnel interface level (brain fart, don't remember the syntax, sorry).
Between the MPLS labels, GRE header, and IPsec stuff, you may be generating over-sized traffic ... and many of the secure / encrypted protocols do not permit fragmentation (routing protocols also do not fragment).
Regardless, I'd bet a nickel it's an MTU-related issue.
Good Luck
Scott
02-18-2008 11:54 PM
I'm facing a very similar problem with the following topology using GRE over IPsec.
LAN - Router - p2p leased line - Router - LAN - Firewall - External network
The end users on the left can ping but cannot authenticate with the server on the right-hand-side LAN, although the firewall is beyond their destination!
I guess I need to modify the MTU and try again. I will keep you posted whenever I'm done.
Regards,
02-19-2008 12:27 AM
Definitely it's a problem of the MTU size or a fragmentation issue. You can try one thing: try to set the DF bit. Maybe it can solve your issue.
route-map DF permit 10
 match ip address 101
 set ip df 1
!
access-list 101 permit ip any any
After that bind the route-map to the LAN interface. By doing this every packet which is coming from the LAN will now be fragmented. Also check whether you are getting packets of more than 1500 bytes; the same can be done with a route-map.
route-map PACKETSIZE permit 10
 ! matches packets longer than 1500 bytes
 match length 1501 65535
and bind it to the interface.
regards
shivlu
02-19-2008 01:16 PM
Hi,
I agree with all the previous posters that this is an MTU issue, but Shivlu, I believe that you meant "set ip df 0" in order to permit fragmentation. You can also use the DF Bit Override Functionality with IPsec Tunnels:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html
Please check the following links:
TCP MSS Adjustment
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html
Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems
http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml
Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Why Can't I Browse the Internet when Using a GRE Tunnel?
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
BR,
Mohammed Mahmoud.
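To put numbers on what Scott and Mohammed describe above (GRE plus ESP pushing a 1500-byte packet past the link MTU, and the "ip mtu" / "ip tcp adjust-mss" values that avoid it), here is an added example calculator. It is not code from the thread or from Cisco; the defaults model the original post's transform set (esp-3des esp-md5-hmac, transport mode), the 1500-byte link MTU and the sample packet sizes are assumptions, and header sizes follow RFC 791, RFC 2784 and RFC 4303.

```python
"""Added example (not from the thread): how much a GRE-over-IPsec tunnel
inflates a packet, and which 'ip mtu' / 'ip tcp adjust-mss' values keep
the encrypted packet under the physical MTU.

Defaults model the transform set in the original post, 'esp-3des
esp-md5-hmac' in transport mode: 3DES-CBC has an 8-byte block and an
8-byte IV, HMAC-MD5-96 adds a 12-byte ICV. The 1500-byte link MTU and
the packet sizes in the demo are assumptions for illustration.
"""

IP_HDR = 20          # IPv4 header, no options
GRE_HDR = 4          # basic GRE header: no key, sequence or checksum
TCP_HDR = 20         # TCP header, no options
ESP_SPI_SEQ = 8      # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_overhead(plaintext_len, cipher_block=8, iv_len=8, icv_len=12):
    """Bytes ESP adds around plaintext_len bytes: header, IV, padding, trailer, ICV."""
    # ESP pads plaintext + trailer up to a multiple of the cipher block size
    padded = -(-(plaintext_len + ESP_TRAILER) // cipher_block) * cipher_block
    return ESP_SPI_SEQ + iv_len + (padded - plaintext_len) + icv_len


def wire_size(inner_len, tunnel_mode=False, **esp):
    """Bytes on the link for an inner IP packet of inner_len bytes sent through
    GRE protected by ESP. Transport mode encrypts GRE+inner behind the existing
    GRE delivery header; tunnel mode wraps that delivery header as well."""
    protected = GRE_HDR + inner_len
    if tunnel_mode:
        protected += IP_HDR
    return IP_HDR + esp_overhead(protected, **esp) + protected


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet that still fits the link after encapsulation:
    the value to configure with 'ip mtu' on the tunnel interface."""
    inner = link_mtu
    while wire_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """TCP MSS to clamp with 'ip tcp adjust-mss' so a full-size segment never
    exceeds inner_mtu and therefore never needs fragmentation."""
    return inner_mtu - IP_HDR - TCP_HDR


def is_blackholed(inner_len, df_set, link_mtu=1500, **kw):
    """Simplified model of the failure in the thread: a DF-marked packet that
    grows past link_mtu cannot be fragmented, so the router drops it and
    answers with ICMP 'fragmentation needed'. If that ICMP is filtered on
    the path, the sender never learns why (a PMTUD black hole)."""
    return df_set and wire_size(inner_len, **kw) > link_mtu


if __name__ == "__main__":
    for n in (1400, 1442, 1443, 1500):       # assumed sample packet sizes
        print(f"inner {n:4d} -> wire {wire_size(n):4d}"
              f"  dropped_with_DF={is_blackholed(n, True)}")
    mtu = max_inner_mtu()
    print(f"transport mode: ip mtu {mtu} / ip tcp adjust-mss {tcp_mss_for(mtu)}")
    mtu_t = max_inner_mtu(tunnel_mode=True)
    print(f"tunnel mode:    ip mtu {mtu_t} / ip tcp adjust-mss {tcp_mss_for(mtu_t)}")
```

With the post's 3DES/MD5 transport-mode transform, a 1500-byte inner packet leaves the router as 1560 bytes, while the largest inner packet that still fits a 1500-byte link is 1442 bytes (MSS 1402). Cisco's commonly quoted conservative settings of "ip mtu 1400" and "ip tcp adjust-mss 1360" sit comfortably inside that limit and leave room for extra headers such as the MPLS labels Scott mentions. Pass cipher_block=16, iv_len=16 to esp_overhead-style keyword arguments to model AES instead of 3DES.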