Tunnel IPSEC GRE problem

adelbano (Level 1)

Hello cracks!

I've configured an IPsec tunnel between 2 sites with GRE and OSPF.

The tunnel is up successfully, the OSPF routes are correct and I can ping all sites, but HTTP applications don't work fine.

The first thing I thought was that it was an MTU problem.

I began to do pings to a remote host with the DF bit set, increasing the packet size until I received the typical "fragmentation needed" message,

but when I did a ping -f with 1400 I got a request timeout.

What could be the problem? This is the tunnel configuration.

The tunnel is established between 2 internet lines (10Mb and 30Mb)....

Thanks a lot a lot...

interface Tunnel0
 description $FW_INSIDE$
 ip address 10.29.0.9 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf cost 150
 tunnel source GigabitEthernet0/1
 tunnel destination publicip
!
interface Tunnel1
 ip address 10.29.0.5 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip ospf cost 150
 tunnel source GigabitEthernet0/1
 tunnel destination publicip

Accepted Solution

Albert,

Saying "it" doesn't work is of no help :-)

As I said, it's time to take a sniffer trace ideally on both sides to compare what's going on, don't guess what you're fixing - diagnose it.

M.


Marcin Latosiewicz (Cisco Employee)

Try lowering the MSS on the tunnel interfaces to physical MTU - 40.  "ip tcp adjust-mss 1358" for example ;-)

It doesn't work.

Physical interface MTUs are 1500.

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.29.0.10/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255

I don't understand why the tunnel MTU is 17916 and not 1358....

Albert.

It's time to run sniffer trace.

You're looking at L2 MTU not IP MTU.

And you should check the path MTU not really the setting.

You can try enabling path MTU discovery (and tunnel path MTU discovery), if you're running a recent version you might actually see decent results.

M.

Where must path MTU discovery be placed? Only on the tunnel interface? I've configured it and it doesn't work...

Albert,

Indeed we need to run a packet-sniffer to look for any abnormal behaviour when people try to access the HTTP sites.

You need to find out if there are any fragmentation issues, TCP packet losses, among others... That's why Marcin suggested collecting that information and, based on your findings, proceeding accordingly.

Thanks.

Hello Marcin, Javier.

First of all, sorry for the poor information I gave you to help me.

I think that the problem is solved, but I will need your help to close the issue...

The problem was that Cisco Configuration Professional configured no ip unreachables on all interfaces, including the tunnel interface.

When I tried to do a ping of, for example, 1410 bytes (without the -f option), the ping didn't arrive at the destination. It was like a filter...

Now, with ip unreachables enabled, all works fine, but I need to know why with no ip unreachables the ping doesn't arrive at the destination... if I had forced the MTU on the tunnel interface...

And now the maximum ping data I can send through the interface is 1392.

1392 + ICMP(28) = 1420 (IP MTU)

If the packets also need the IPsec header, the packet will always be fragmented...

I have not configured ip tcp adjust-mss 1380.

Do you think it's necessary to configure it?

Thanks a lot for your help!!!

Dear Albert,

I am glad to hear that.

When it comes to GRE/IPsec we usually recommend 1380, please check the link below for a better understanding:

Avoiding IP Fragmentation: What TCP MSS Does and How It Works

http://tools.cisco.com/squish/94FF2

Thanks

Please rate any post you find helpful.
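To make the two calculations in this thread concrete (1392 + 28 = 1420 for the ping payload, and 1420 - 40 = 1380 for the recommended MSS) and to show why the "no ip unreachables" setting looked like a filter, here is an added example that is not code from the thread or from Cisco. It is a small Python model of a tunnel hop with "ip mtu 1420": the router, the header sizes and the PMTUD probe loop are assumptions of the model, not IOS behaviour verbatim.

```python
# Added example (not from the thread). Models a tunnel hop with "ip mtu 1420"
# and shows how "no ip unreachables" turns path-MTU discovery into a black hole.
from dataclasses import dataclass

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20   # header sizes used in the thread's math


@dataclass
class TunnelRouter:
    ip_mtu: int           # the "ip mtu" configured on the tunnel interface
    unreachables: bool    # False models "no ip unreachables"

    def forward(self, packet_len: int, df: bool):
        """Return (status, mtu) for one IP packet arriving at the tunnel hop."""
        if packet_len <= self.ip_mtu:
            return ("forwarded", packet_len)
        if not df:
            return ("fragmented", self.ip_mtu)       # router fragments; slow but works
        # DF set and too big: the router should answer ICMP type 3 code 4
        # ("fragmentation needed") carrying the next-hop MTU, but that ICMP
        # is exactly what "no ip unreachables" suppresses.
        if self.unreachables:
            return ("frag-needed", self.ip_mtu)
        return ("dropped", None)                     # silent drop: host sees timeouts


def ping_df(router: TunnelRouter, data_len: int):
    """ping -f with data_len bytes of payload (IP + ICMP headers added)."""
    return router.forward(IP_HDR + ICMP_HDR + data_len, df=True)


def max_ping_data(router: TunnelRouter) -> int:
    """Largest unfragmented ping payload: 1392 for ip mtu 1420."""
    return router.ip_mtu - IP_HDR - ICMP_HDR


def adjust_mss(ip_mtu: int) -> int:
    """MSS that fits the tunnel IP MTU: 1380 for ip mtu 1420."""
    return ip_mtu - IP_HDR - TCP_HDR


def pmtud_probe(router: TunnelRouter, start_len: int = 1500):
    """Host-side PMTUD: send DF packets, shrink on frag-needed, give up on silence."""
    size = start_len
    for _ in range(8):
        status, mtu = router.forward(size, df=True)
        if status == "forwarded":
            return size                              # learned path MTU
        if status == "frag-needed":
            size = mtu
        else:
            return None                              # black hole, only timeouts
    return None
```

With unreachables disabled, `ping_df(TunnelRouter(1420, False), 1400)` is silently dropped, which is the "request time out" seen in the first post; with them enabled the same ping yields "frag-needed" and `pmtud_probe` converges on 1420.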

Hello.

I've configured on the tunnel interface:

ip mtu 1420
ip tcp adjust-mss 1380
tunnel path-mtu-discovery

Are all these commands necessary? If I configure the MTU manually, is MTU discovery necessary?

Does tcp adjust-mss always go with ip mtu?

These are my last questions about this issue...

Thanks a lot!

Albert.

Dear Albert,

Since you already know what the allowed MTU size is then you can do the math and define it manually on the Router.

Indeed the TCP MSS must be proportional to the MTU size in order to avoid fragmentation.

Thanks.
