Tunnel IPSEC GRE problem

Answered Question
Jul 12th, 2012

Hello cracks!

I've configured an IPsec tunnel between 2 sites with GRE and OSPF.

The tunnel is up successfully, the OSPF routes are correct and I have ping to all sites, but HTTP applications don't work properly.

The first thing I thought was that it was an MTU problem.

I began to ping a remote host with the DF bit set, increasing the packet size until I received the typical "fragmentation needed" message,

but when I did a ping -f with 1400 I got a request timeout.

What could be the problem? This is the tunnel configuration.

The tunnel is established between 2 internet lines (10Mb and 30Mb)....

Thanks a lot a lot...

interface Tunnel0
 description $FW_INSIDE$
 ip address 10.29.0.9 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf cost 150
 tunnel source GigabitEthernet0/1
 tunnel destination publicip
!
interface Tunnel1
 ip address 10.29.0.5 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip ospf cost 150
 tunnel source GigabitEthernet0/1
 tunnel destination publicip

Marcin Latosiewicz Thu, 07/12/2012 - 05:21

Try lowering the MSS on the tunnel interfaces to physical MTU - 40.  "ip tcp adjust-mss 1358" for example ;-)

adelbano@genera... Thu, 07/12/2012 - 06:46

It doesn't work.

The physical interface MTU is 1500.

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.29.0.10/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255

I don't understand why the tunnel MTU is 17916 and not 1358....

Albert.

Marcin Latosiewicz Thu, 07/12/2012 - 07:49

It's time to run sniffer trace.

You're looking at the L2 MTU, not the IP MTU.

And you should check the path MTU not really the setting.

You can try enabling path MTU discovery (and tunnel path MTU discovery), if you're running a recent version you might actually see decent results.

M.

adelbano@genera... Thu, 07/12/2012 - 08:26

Where must path MTU discovery be placed? Only on the tunnel interface? I've configured it and it doesn't work...

Correct Answer
Marcin Latosiewicz Thu, 07/12/2012 - 11:10

Albert,

Saying "it" doesn't work is of no help :-)

As I said, it's time to take a sniffer trace ideally on both sides to compare what's going on, don't guess what you're fixing - diagnose it.

M.

jportugu Sun, 07/15/2012 - 15:26

Albert,

Indeed, we need to run a packet sniffer to look for any abnormal behaviour when people try to access the HTTP sites.

You need to find out if there are any fragmentation issues, TCP packet loss, among others... That's why Marcin suggested collecting that information and, based on your findings, proceeding accordingly.

Thanks.

adelbano@genera... Mon, 07/16/2012 - 02:33

Hello Marcin, Javier.

First of all, sorry for the poor information I gave you to help me.

I think the problem is solved, but I will need your help to close the issue...

The problem was that Cisco Configuration Professional had configured no ip unreachables on all interfaces, including the tunnel interface.

When I tried to ping with, for example, 1410 bytes (without the -f option), the ping didn't arrive at the destination. It was like a filter...

Now, with ip unreachables enabled, everything works fine, but I need to know why, with no ip unreachables, the ping doesn't arrive at the destination... if I had forced the MTU on the tunnel interface...

And now the maximum ping data size I can send through the interface is 1392.

1392 + ICMP (28) = 1420 (IP MTU)

If the packets also need the IPsec header, the packet will always be fragmented...

I have not configured ip tcp adjust-mss 1380.

Do you think it's necessary to configure it?

Thanks a lot for your help!!!

jportugu Mon, 07/16/2012 - 05:33

Dear Albert,

I am glad to hear that.

When it comes to GRE/IPsec we usually recommend 1380, please check the link below for a better understanding:

Avoiding IP Fragmentation: What TCP MSS Does and How It Works

http://tools.cisco.com/squish/94FF2

Thanks

Please rate any post you find helpful.

adelbano@genera... Tue, 07/17/2012 - 03:27

Hello.

I've configured on the tunnel interface:

ip mtu 1420
ip tcp adjust-mss 1380
tunnel path-mtu-discovery

Are all these commands necessary? If I configure the MTU manually, is MTU discovery necessary?

Does tcp adjust-mss always go together with ip mtu?

These are my last questions about this issue...

Thanks a lot!

Albert.

jportugu Tue, 07/17/2012 - 05:42

Dear Albert,

Since you already know what the allowed MTU size is then you can do the math and define it manually on the Router.

Indeed the TCP MSS must be proportional to the MTU size in order to avoid fragmentation.

Thanks.
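The PMTUD black hole diagnosed in this thread, as an added simulation that is not part of the original discussion: a hop that suppresses ICMP unreachables (Cisco "no ip unreachables") silently drops DF packets larger than its MTU instead of reporting "fragmentation needed", so the sender never learns the path MTU, while clamping the TCP MSS to 1380 keeps every segment within the 1420-byte tunnel IP MTU. The hop names follow the thread's config; the hop MTUs and the sending logic are constructed for the example.

```python
# Added example (not from the thread). Models a DF packet crossing a path
# whose tunnel hop may or may not send ICMP type 3 code 4 (frag needed).
from dataclasses import dataclass

IP_HDR = 20
ICMP_HDR = 8     # thread: 1392 data + 28 (IP + ICMP) = 1420 IP MTU
TCP_HDR = 20


@dataclass
class Hop:
    name: str
    mtu: int
    ip_unreachables: bool   # False models Cisco "no ip unreachables"


def send_df(path, size):
    """Forward a DF packet of `size` bytes. Returns ('delivered', size),
    ('frag-needed', hop_mtu) when the hop reports ICMP unreachable, or
    ('blackhole', hop_name) when the hop drops silently."""
    for hop in path:
        if size > hop.mtu:
            if hop.ip_unreachables:
                return ("frag-needed", hop.mtu)
            return ("blackhole", hop.name)
    return ("delivered", size)


def pmtud(path, initial, max_probes=10):
    """Sender-side path MTU discovery: shrink the probe on each
    'frag-needed' reply; returns None if the path black-holes."""
    size = initial
    for _ in range(max_probes):
        result, info = send_df(path, size)
        if result == "delivered":
            return size
        if result == "blackhole":
            return None
        size = info
    return None


def max_ping_payload(ip_mtu):
    return ip_mtu - IP_HDR - ICMP_HDR   # 1420 -> 1392, as in the thread


def tcp_segment_fits(mss, ip_mtu):
    return mss + TCP_HDR + IP_HDR <= ip_mtu


# Constructed paths: physical interface 1500, tunnel ip mtu 1420.
TUNNEL_BROKEN = [Hop("GigabitEthernet0/1", 1500, True), Hop("Tunnel0", 1420, False)]
TUNNEL_FIXED = [Hop("GigabitEthernet0/1", 1500, True), Hop("Tunnel0", 1420, True)]
```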
