ASA-IPSEC L2L with GRE Tunnel doesn't work

Aug 14th, 2008
Hi,

We have an ASA-ASA connection between 2 buildings with IPsec and a GRE tunnel between them because we use EIGRP for this network. The tunnel is OK and works perfectly, but I get syslog messages like:

Aug 13 17:04:54 FWH50031 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:134.81.191.233 dst inside:134.81.227.78 (type 3, code 4) on outside interface. Original IP payload: <unknown>.

Aug 13 17:05:04 FWH50031 %ASA-6-602101: PMTU-D packet 1462 bytes greater than effective mtu 1434, dest_addr=134.81.191.178, src_addr=134.81.227.78, prot=GRE

and we can't find anything from Cisco on how to adjust the PMTU-D size on the GRE tunnel.

(net)-(tunnel-gre)--(asa)--airconnection--(asa)--(tunnel-gre)-(net)

Farrukh Haroon Thu, 08/14/2008 - 02:07

Try this on both routers:

interface tun X
 ip mtu 1400
 ip tcp adjust-mss 1360

You have to set this on both ends.


Regards


Farrukh

ksimsimon Thu, 08/14/2008 - 02:19

Hello Farrukh,

Thanks for the fast response.

The command ip tcp adjust-mss 1360 doesn't work on both routers. It's a 6500; sh ver:

Cisco Internetwork Operating System Software

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)

srs282k3(config)#int tunnel 0

srs282k3(config-if)#ip tcp ?

compression-connections Maximum number of compressed connections

header-compression Enable TCP header compression


srs282k3(config-if)#ip tcp


I have now configured on both sides:

srs282k3(config-if)#ip mtu 1416

srs282k3(config-if)#tunnel path-mtu-discovery

srs282k3(config-if)#

and will start the next try to test this.

Regards

Klaus


Farrukh Haroon Thu, 08/14/2008 - 03:27

This command was introduced in 12.2(33)SXH I think.


Make sure you have PMTUD enabled through the firewall (particularly the packet-too-big ICMP type).


Regards


Farrukh

ksimsimon Thu, 08/14/2008 - 03:32

Hello Farrukh,


I have a standard config for the ASAs. What does this packet-too-big ICMP type mean?

Do you have an example of this?


thx

Klaus

Farrukh Haroon Thu, 08/14/2008 - 04:08

It is just an ICMP type, like 'echo' or 'echo-reply'.


Regards


Farrukh
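
An added example, not part of any post in this thread: a small Python parser for the two ASA syslog messages quoted in the first post. It pulls the effective MTU out of the %ASA-6-602101 line, derives the largest tunnel `ip mtu` and TCP MSS that would fit under it, and flags %ASA-4-313005 lines that report an unmatched ICMP type 3, code 4 (fragmentation needed) error. Assumptions: the effective MTU is the limit for the whole GRE packet including its outer IPv4 header, the GRE header is the basic 4 bytes with no key or sequence options, and the IPv4 and TCP headers carry no options; the function and field names are illustrative.

```python
import re

# The two ASA syslog lines from the first post, embedded as sample input.
SAMPLE_LOG = """\
Aug 13 17:04:54 FWH50031 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:134.81.191.233 dst inside:134.81.227.78 (type 3, code 4) on outside interface. Original IP payload: <unknown>.
Aug 13 17:05:04 FWH50031 %ASA-6-602101: PMTU-D packet 1462 bytes greater than effective mtu 1434, dest_addr=134.81.191.178, src_addr=134.81.227.78, prot=GRE
"""

# Assumed header sizes: IPv4 without options, GRE without key/sequence/checksum.
OUTER_IPV4, GRE_BASIC, INNER_IP_TCP = 20, 4, 40

PMTUD_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than "
    r"effective mtu (?P<mtu>\d+), dest_addr=(?P<dst>[\d.]+), "
    r"src_addr=(?P<src>[\d.]+), prot=(?P<prot>\w+)"
)
ICMP_ERR_RE = re.compile(
    r"%ASA-4-313005: .*?icmp src \w+:(?P<src>[\d.]+) "
    r"dst \w+:(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

def tunnel_values(effective_mtu):
    """Largest tunnel 'ip mtu' and TCP MSS keeping GRE packets within effective_mtu."""
    ip_mtu = effective_mtu - OUTER_IPV4 - GRE_BASIC
    return ip_mtu, ip_mtu - INNER_IP_TCP

def analyse(log_text):
    """Return (oversize GRE events, unmatched ICMP type 3 code 4 errors)."""
    oversize, unmatched = [], []
    for line in log_text.splitlines():
        m = PMTUD_RE.search(line)
        if m and m["prot"] == "GRE":
            eff = int(m["mtu"])
            ip_mtu, mss = tunnel_values(eff)
            oversize.append({"src": m["src"], "dst": m["dst"],
                             "over_by": int(m["size"]) - eff,
                             "ip_mtu": ip_mtu, "mss": mss})
            continue
        m = ICMP_ERR_RE.search(line)
        # Type 3 code 4 is "fragmentation needed and DF set", the PMTUD signal.
        if m and (m["type"], m["code"]) == ("3", "4"):
            unmatched.append((m["src"], m["dst"]))
    return oversize, unmatched

if __name__ == "__main__":
    events, unmatched = analyse(SAMPLE_LOG)
    for e in events:
        print(f"GRE {e['src']} -> {e['dst']}: {e['over_by']} bytes over; "
              f"ip mtu <= {e['ip_mtu']}, MSS <= {e['mss']}")
    for src, dst in unmatched:
        print(f"unmatched fragmentation-needed ICMP from {src} to {dst}")
```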
