12-04-2013 08:38 AM - edited 03-07-2019 04:55 PM
Hello Colleagues,
I'm having a strange problem dealing with MTU sizes and loading certain webpages. I am aware of the default Microsoft MTU of 1500, and also that an MTU of 1400 is recommended when using GRE IPsec tunnels. I have since manually set some users' PCs to an MTU of 1400 and most of those users are experiencing no issues. However, there are a few users who still experience website loading issues even though I have manually changed their MTU size to 1400.
These are domain accounts with the same image loaded on their machines, so all have the same permissions, rights, firewall settings, etc. They all use the same LAN, switches, and routers.
Here are the router configs, router 1 and router 2
Router 1
Current configuration : 9006 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname R-US-RS-WVPN1
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
boot-end-marker
!
!
logging buffered 64000
enable secret 5 *removed*
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery interval 303
!
ip cef
!
!
!
!
!
!
ip domain name corp.com
ip name-server 10.###.8.21
ip name-server 10.###.8.96
ip inspect dns-timeout 90
ip inspect tcp idle-time 60
ip inspect name fw smtp timeout 120
ip inspect name fw ftp timeout 120
ip inspect name fw realaudio
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 30
ip inspect name fw tcp timeout 60
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-316595902
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-316595902
revocation-check none
rsakeypair TP-self-signed-316595902
!
!
crypto pki certificate chain TP-self-signed-316595902
certificate self-signed 01
*removed*
quit
license udi pid CISCO1921/K9 sn FTX153182M8
!
!
!
spanning-tree vlan 229 priority 8192
!
redundancy
!
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key *removed* address 70.###.172.142
crypto isakmp key *removed* address 184.###.###.254
crypto isakmp keepalive 35 11
!
!
crypto ipsec transform-set FY-WVPN-Tunnel esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map vpn 10 ipsec-isakmp
set peer 70.###.172.142
set peer 184.###.###.254
set transform-set FY-WVPN-Tunnel
match address gre-tunnel-list
!
!
!
!
!
interface Loopback0
ip address 10.###.0.10 255.255.255.255
!
interface Tunnel2291
description Primary-TimewarnerTelecom-Ral-FayWVPN1
ip address 10.###.99.26 255.255.255.252
no ip redirects
cdp enable
tunnel source 66.###.161.126
tunnel destination 184.###.###.254
crypto map vpn
!
interface Tunnel2293
description Primary-TimewarnerTelecom-Ral-FayWVPN2
ip address 10.###.99.154 255.255.255.252
no ip redirects
cdp enable
tunnel source 66.###.161.126
tunnel destination 70.###.172.142
crypto map vpn
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description TW Telecom/DMVPN1
ip address 66.###.161.126 255.255.255.252
ip access-group Block-Internet in
ip access-group Block-Internet out
duplex auto
speed auto
no cdp enable
crypto map vpn
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport access vlan 229
no ip address
!
interface GigabitEthernet0/0/1
switchport access vlan 229
no ip address
!
interface GigabitEthernet0/0/2
switchport access vlan 229
no ip address
!
interface GigabitEthernet0/0/3
description PBX Eth1
switchport access vlan 229
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan229
ip address 10.###.229.253 255.255.255.0
ip helper-address 10.###.231.201
standby 229 ip 10.###.229.254
standby 229 priority 105
standby 229 preempt
!
!
router eigrp 100
network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip route 70.###.172.142 255.255.255.255 66.###.161.125
ip route 184.###.###.254 255.255.255.255 66.###.161.125
ip route 205.###.96.180 255.255.255.252 66.###.161.125
!
ip access-list extended Block-Internet
permit esp host 66.###.161.126 host 184.###.###.254
permit esp host 184.###.###.254 host 66.###.161.126
permit udp host 66.###.161.126 host 184.###.###.254 eq isakmp
permit udp host 184.###.###.254 host 66.###.161.126 eq isakmp
permit esp host 66.###.161.126 host 70.###.172.142
permit esp host 70.###.172.142 host 66.###.161.126
permit udp host 66.###.161.126 host 70.###.172.142 eq isakmp
permit udp host 70.###.172.142 host 66.###.161.126 eq isakmp
permit icmp host 66.###.161.126 host 184.###.###.254
permit icmp host 184.###.###.254 host 66.###.161.126
permit icmp host 66.###.161.126 host 70.###.172.142
permit icmp host 70.###.172.142 host 66.###.161.126
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
deny ip any any
deny icmp any any
ip access-list extended gre-tunnel-list
permit gre host 66.###.161.126 host 184.###.###.254
permit gre host 66.###.161.126 host 70.###.172.142
!
logging host 10.100.###.254
logging host 10.100.###.246
!
!
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community P_RW RW
snmp-server community P_RO RO
snmp-server enable traps entity-sensor threshold
snmp-server host 10.100.###.246 public
snmp-server host 10.100.###.254 public
access-list 20 permit 10.###.9.3
access-list 20 permit 10.###.8.16
access-list 20 permit 10.100.###.249
access-list 20 permit 10.100.###.254
access-list 20 permit 10.100.###.246
!
control-plane
!
!
banner motd ^CCCCCCC
****************** Warning! Warning! Warning! ********************
This system is restricted to authorized users for business
purposes. Unauthorized access is a violation of the law. This
service may be monitored for administrative and security reasons.
By proceeding, you consent to this monitoring
****************** Warning! Warning! Warning! ********************
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
line vty 5 15
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.###.8.8 prefer
ntp server 10.###.231.200 prefer
ntp server 10.###.8.69
ntp server 10.###.1.6 prefer
!
end
Router 2
Current configuration : 9013 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname R-US-RS-WVPN2
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
boot-end-marker
!
!
logging buffered 64000
logging console critical
enable secret 5 *removed*
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery interval 303
!
ip cef
!
!
!
!
!
!
ip domain name corp.mann-hummel.com
ip name-server 10.###.8.21
ip name-server 10.###.8.96
ip inspect dns-timeout 90
ip inspect tcp idle-time 60
ip inspect name fw smtp timeout 120
ip inspect name fw ftp timeout 120
ip inspect name fw realaudio
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 30
ip inspect name fw tcp timeout 60
ipv6 multicast rpf use-bgp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3179596086
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3179596086
revocation-check none
rsakeypair TP-self-signed-3179596086
!
!
crypto pki certificate chain TP-self-signed-3179596086
certificate self-signed 01
*removed*
quit
license udi pid CISCO1921/K9 sn FTX153182M2
!
!
!
spanning-tree vlan 229 priority 1###84
!
redundancy
!
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key *removed* address 70.###.172.142
crypto isakmp key *removed* address 184.###.###.254
crypto isakmp keepalive 35 11
!
!
crypto ipsec transform-set Fay-Ral-WVPN-Tunnel esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map vpn 10 ipsec-isakmp
set peer 184.###.###.254
set peer 70.###.172.142
set transform-set Fay-Ral-WVPN-Tunnel
match address gre-tunnel-list
!
!
!
!
!
interface Loopback0
ip address 10.###.0.12 255.255.255.255
!
interface Tunnel2292
description Failover-TimewarnerCable-Ral-Fay-WVPN2
ip address 10.###.99.30 255.255.255.252
no ip redirects
cdp enable
tunnel source 96.###.25.226
tunnel destination 184.###.###.254
crypto map vpn
!
interface Tunnel2294
description Failover-TimewarnerCable-Ral-Fay-WVPN2
ip address 10.###.99.158 255.255.255.252
no ip redirects
cdp enable
tunnel source 96.###.25.226
tunnel destination 70.###.172.142
crypto map vpn
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Fay-Ral WVPN
ip address 96.###.25.226 255.255.255.252
ip access-group Block-Internet in
ip access-group Block-Internet out
duplex auto
speed auto
no cdp enable
crypto map vpn
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport access vlan 229
no ip address
!
interface GigabitEthernet0/0/1
switchport access vlan 229
no ip address
!
interface GigabitEthernet0/0/2
switchport access vlan 229
no ip address
!
interface GigabitEthernet0/0/3
description PBX Eth2
switchport access vlan 229
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan229
ip address 10.###.229.252 255.255.255.0
ip helper-address 10.###.231.201
standby 229 ip 10.###.229.254
standby 229 preempt
!
!
router eigrp 100
network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip route 70.###.172.142 255.255.255.255 96.###.25.225
ip route 184.###.###.254 255.255.255.255 96.###.25.225
ip route 205.###.96.180 255.255.255.252 66.###.161.125
!
ip access-list extended Block-Internet
permit esp host 96.###.25.226 host 184.###.###.254
permit esp host 184.###.###.254 host 96.###.25.226
permit udp host 96.###.25.226 host 184.###.###.254 eq isakmp
permit udp host 184.###.###.254 host 96.###.25.226 eq isakmp
permit esp host 96.###.25.226 host 70.###.172.142
permit esp host 70.###.172.142 host 96.###.25.226
permit udp host 96.###.25.226 host 70.###.172.142 eq isakmp
permit udp host 70.###.172.142 host 96.###.25.226 eq isakmp
permit icmp host 96.###.25.226 host 184.###.###.254
permit icmp host 184.###.###.254 host 96.###.25.226
permit icmp host 96.###.25.226 host 70.###.172.142
permit icmp host 70.###.172.142 host 96.###.25.226
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
deny ip any any
deny icmp any any
ip access-list extended gre-tunnel-list
permit gre host 96.###.25.226 host 184.###.###.254
permit gre host 96.###.25.226 host 70.###.172.142
!
logging host 10.100.###.254
logging host 10.100.###.246
!
!
snmp-server community P_RW RW
snmp-server community P_RO RO
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server enable traps entity-sensor threshold
snmp-server host 10.100.###.246 public
snmp-server host 10.100.###.254 public
access-list 20 permit 10.###.9.3
access-list 20 permit 10.###.8.16
access-list 20 permit 10.100.###.249
access-list 20 permit 10.100.###.254
access-list 20 permit 10.100.###.246
!
control-plane
!
!
banner motd ^CCCCCC
****************** Warning! Warning! Warning! ********************
This system is restricted to authorized users for business
purposes. Unauthorized access is a violation of the law. This
service may be monitored for administrative and security reasons.
By proceeding, you consent to this monitoring
****************** Warning! Warning! Warning! ********************
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
line vty 5 15
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.###.8.8 prefer
ntp server 10.###.231.200 prefer
ntp server 10.###.8.69
ntp server 10.###.1.6 prefer
!
end
12-06-2013 09:25 AM
UPDATE
I have since applied the following config to the tunnel interfaces:
ip mtu 1400
ip tcp adjust-mss 1400
tunnel path-mtu-discovery
This worked and I was able to reset each user's PC to the default MTU size of 1500, but only until just now. I got a call from a user who explained that he wasn't able to reach some websites, again.
Sure enough, I've just confirmed that all of the users are unable to access the websites any longer.
This is crazy, does anyone have any ideas?
12-06-2013 09:49 AM
Hi,
ip mtu 1400
ip tcp adjust-mss 1400
typically, the MSS is MTU minus 40.
If you have verified that 1400 is the adequate value for the MTU, you should adjust the MSS to 1360.
(A handy tool for Windows to determine the path's MTU is mturoute)
HTH
Rolf
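The MTU/MSS arithmetic behind Rolf's reply, as an added example that is not code from this thread. It computes the GRE-plus-ESP overhead for the transform set in the configs above (esp-aes esp-md5-hmac, tunnel mode), derives the ip mtu / adjust-mss pair, flags the "MSS equal to MTU" mistake from the first update, and does an mturoute-style binary search for the path MTU with DF-bit pings. The header sizes are the usual back-of-envelope figures and are assumptions, not values read off the routers; `simulated_path` is a constructed stand-in for the real ping so the search can be exercised offline, including the ICMP-blind case the original poster ran into.

```python
"""GRE-over-IPsec MTU/MSS arithmetic plus an mturoute-style path-MTU probe.
Added example for this thread, not code from the original posts. The header
sizes are the usual back-of-envelope figures for the transform set in the
configs above (esp-aes esp-md5-hmac, tunnel mode); they are assumptions, not
values read off the routers."""
import platform
import subprocess
from typing import Callable, Optional

IP_HDR = 20            # IPv4 header without options
TCP_HDR = 20           # TCP header without options
ICMP_HDR = 8           # ICMP echo header
GRE_HDR = 4            # plain GRE (no key/sequence, as on the Tunnel interfaces)
ESP_HDR = 8            # SPI + sequence number
AES_IV = 16            # AES-CBC IV
MD5_ICV = 12           # truncated HMAC-MD5
ESP_PAD_MAX = 15 + 2   # worst-case AES block padding + pad-length + next-header

def gre_ipsec_overhead() -> int:
    """Bytes added to an inner IP packet by GRE plus ESP tunnel mode (worst case)."""
    return IP_HDR + GRE_HDR + IP_HDR + ESP_HDR + AES_IV + ESP_PAD_MAX + MD5_ICV  # 97

def recommended_ip_mtu(link_mtu: int = 1500) -> int:
    """Largest inner packet that never fragments on a link_mtu path, rounded down to 4."""
    return (link_mtu - gre_ipsec_overhead()) // 4 * 4        # 1500 -> 1400

def mss_for_ip_mtu(ip_mtu: int) -> int:
    """MSS that keeps a full segment inside ip_mtu: subtract IP and TCP headers."""
    return ip_mtu - IP_HDR - TCP_HDR                           # 1400 -> 1360

def check_adjust_mss(ip_mtu: int, mss: int) -> str:
    """Flag the mistake from the first update: ip tcp adjust-mss equal to ip mtu."""
    want = mss_for_ip_mtu(ip_mtu)
    if mss > want:
        return ("mss %d with ip mtu %d: a full segment is a %d-byte packet, "
                "exceeding the tunnel MTU; use %d"
                % (mss, ip_mtu, mss + IP_HDR + TCP_HDR, want))
    return "ok"

def ios_tunnel_lines(ip_mtu: int) -> list:
    """Interface lines for a GRE/IPsec tunnel with a consistent MTU and MSS."""
    return ["ip mtu %d" % ip_mtu,
            "ip tcp adjust-mss %d" % mss_for_ip_mtu(ip_mtu),
            "tunnel path-mtu-discovery"]

Probe = Callable[[str, int], bool]

def os_ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One echo request of `payload` bytes with DF set; True if a reply arrives."""
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), "-w", str(timeout_s * 1000), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), "-W", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def probe_path_mtu(host: str, probe: Probe = os_ping_df,
                   lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Binary-search the largest IP packet size that reaches host unfragmented.
    Returns None when even `lo` gets no reply, which is what a site that drops
    ICMP looks like; that is a blind spot of the method, not an MTU of 576."""
    if not probe(host, lo - IP_HDR - ICMP_HDR):
        return None
    if probe(host, hi - IP_HDR - ICMP_HDR):
        return hi
    while hi - lo > 1:             # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(host, mid - IP_HDR - ICMP_HDR):
            lo = mid
        else:
            hi = mid
    return lo

def simulated_path(path_mtu: int, blocks_icmp: bool = False) -> Probe:
    """Constructed offline stand-in for os_ping_df: a path with a fixed MTU, optionally ICMP-blind."""
    def probe(host: str, payload: int) -> bool:
        return not blocks_icmp and payload + IP_HDR + ICMP_HDR <= path_mtu
    return probe

if __name__ == "__main__":
    mtu = recommended_ip_mtu()
    print("\n".join(ios_tunnel_lines(mtu)))
    print(check_adjust_mss(1400, 1400))
    print("simulated 1400-byte path:", probe_path_mtu("example", simulated_path(1400)))
    print("simulated ICMP-blind site:", probe_path_mtu("example", simulated_path(1400, True)))
```

Against a real host, `probe_path_mtu("203.0.113.10")` uses the operating system's ping with DF set, which is what mturoute does under the hood; a `None` result means the target never answered even the smallest probe, so the path MTU is simply unknown, which is exactly the situation with a site that drops ICMP.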
12-06-2013 11:12 AM
Thank you for the reply Rolf,
Yes, and you've jogged my memory of what I read the other day. So, I've updated the config to:
ip tcp adjust-mss 1360
...and still not working for *some* users. Interestingly, some users can access the problem sites just fine.
I used the tool mturoute and performed a trace to the gateway and one of the trouble sites. A trace to the gateway with an MTU size of 1500 works fine. A trace to a problem site with the same MTU fails because the site is blocking ICMP pings :/
12-06-2013 11:34 AM
...and still not working for *some* users. Interestingly, some users can access the problem sites just fine.
Hmm, would it make sense to compare the paths with a traceroute from both (good vs. "problem" client) in order to see if there is load-sharing based on the source-address somewhere?
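One way to do the comparison Rolf suggests, as an added example that is not code from this thread: parse the tracert output from the good client and from the problem client and report the first hop where the paths differ, which is where source-address-based load sharing would show up. The two traces are constructed sample data with private and documentation addresses, not captures from the poster's network.

```python
"""Compare two traceroute/tracert outputs hop by hop and report where they
diverge. Added example for the suggestion above, not code from the thread.
The two traces below are constructed sample data."""
import re

HOP_LINE = re.compile(r"^\s*(\d+)\s")                  # hop number at start of line
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")    # first address on the line

def parse_trace(text: str) -> dict:
    """Map hop number -> responding address ('*' for a timed-out hop).
    Handles Windows tracert and Linux traceroute layouts; header lines are skipped."""
    hops = {}
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        addr = IPV4.search(line, m.end())
        hops[int(m.group(1))] = addr.group(1) if addr else "*"
    return hops

def first_divergence(a: dict, b: dict):
    """(hop, addr_a, addr_b) at the first hop where the paths differ, else None."""
    for n in sorted(set(a) | set(b)):
        x, y = a.get(n, "*"), b.get(n, "*")
        if x != y:
            return n, x, y
    return None

def compare_traces(good: str, bad: str):
    """Convenience wrapper: parse both outputs and locate the first divergent hop."""
    return first_divergence(parse_trace(good), parse_trace(bad))

# Constructed sample output (Windows tracert layout), not a real capture.
GOOD_CLIENT = """Tracing route to example.test [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.1.229.254
  2     2 ms     2 ms     1 ms  10.1.99.25
  3    14 ms    15 ms    14 ms  198.51.100.1
  4     *        *        *     Request timed out.
  5    31 ms    30 ms    31 ms  203.0.113.10
"""
PROBLEM_CLIENT = """Tracing route to example.test [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.1.229.254
  2     5 ms     4 ms     5 ms  10.1.99.29
  3    22 ms    21 ms    22 ms  198.51.100.9
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
"""

if __name__ == "__main__":
    print(compare_traces(GOOD_CLIENT, PROBLEM_CLIENT))   # paths split at hop 2
```

In the constructed sample the two clients leave through different tunnel next hops at hop 2, which is the kind of per-source load sharing the reply is asking about; with real output, paste each client's `tracert` into the two strings or read them from files.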
12-06-2013 02:17 PM
The best article on the topic: