
MTU Size Problem Loading Certain Webpages

shane5h
Level 1

Hello Colleagues,

I'm having a strange problem dealing with MTU sizes and loading certain webpages. I am aware of the default Microsoft MTU of 1500, and that an MTU of 1400 is recommended when using GRE IPsec tunnels. I have since manually set some users' PCs to an MTU of 1400, and most of those users are experiencing no issues. However, there are a few users who still experience website loading issues even though I have manually changed their MTU size to 1400.

These are domain accounts with the same image loaded on their machines, so all have the same permissions, rights, firewall settings, etc. They all use the same LAN, switches, and routers.

Here are the router configs, router 1 and router 2:

Router 1

Current configuration : 9006 bytes

!

version 15.3

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname R-US-RS-WVPN1

!

boot-start-marker

boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin

boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin

boot-end-marker

!

!

logging buffered 64000

enable secret 5 *removed*

!

no aaa new-model

clock timezone CET 1 0

clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00

errdisable recovery cause udld

errdisable recovery cause bpduguard

errdisable recovery cause rootguard

errdisable recovery cause pagp-flap

errdisable recovery cause dtp-flap

errdisable recovery cause link-flap

errdisable recovery interval 303

!

ip cef

!

!

!

!

!

!

ip domain name corp.com

ip name-server 10.###.8.21

ip name-server 10.###.8.96

ip inspect dns-timeout 90

ip inspect tcp idle-time 60

ip inspect name fw smtp timeout 120

ip inspect name fw ftp timeout 120

ip inspect name fw realaudio

ip inspect name fw tftp timeout 30

ip inspect name fw udp timeout 30

ip inspect name fw tcp timeout 60

no ipv6 cef

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint TP-self-signed-316595902

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-316595902

revocation-check none

rsakeypair TP-self-signed-316595902

!

!

crypto pki certificate chain TP-self-signed-316595902

certificate self-signed 01

  *removed*

        quit

license udi pid CISCO1921/K9 sn FTX153182M8

!

!

!

spanning-tree vlan 229 priority 8192

!

redundancy

!

!

!

!

!

ip ssh version 2

!

!

crypto isakmp policy 10

hash md5

authentication pre-share

lifetime 3600

crypto isakmp key *removed* address 70.###.172.142

crypto isakmp key *removed* address 184.###.###.254

crypto isakmp keepalive 35 11

!

!

crypto ipsec transform-set FY-WVPN-Tunnel esp-aes esp-md5-hmac

mode tunnel

!

!

!

crypto map vpn 10 ipsec-isakmp

set peer 70.###.172.142

set peer 184.###.###.254

set transform-set FY-WVPN-Tunnel

match address gre-tunnel-list

!

!

!

!

!

interface Loopback0

ip address 10.###.0.10 255.255.255.255

!

interface Tunnel2291

description Primary-TimewarnerTelecom-Ral-FayWVPN1

ip address 10.###.99.26 255.255.255.252

no ip redirects

cdp enable

tunnel source 66.###.161.126

tunnel destination 184.###.###.254

crypto map vpn

!

interface Tunnel2293

description Primary-TimewarnerTelecom-Ral-FayWVPN2

ip address 10.###.99.154 255.255.255.252

no ip redirects

cdp enable

tunnel source 66.###.161.126

tunnel destination 70.###.172.142

crypto map vpn

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description TW Telecom/DMVPN1

ip address 66.###.161.126 255.255.255.252

ip access-group Block-Internet in

ip access-group Block-Internet out

duplex auto

speed auto

no cdp enable

crypto map vpn

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0/0

switchport access vlan 229

no ip address

!

interface GigabitEthernet0/0/1

switchport access vlan 229

no ip address

!

interface GigabitEthernet0/0/2

switchport access vlan 229

no ip address

!

interface GigabitEthernet0/0/3

description PBX Eth1

switchport access vlan 229

no ip address

!

interface Vlan1

no ip address

shutdown

!

interface Vlan229

ip address 10.###.229.253 255.255.255.0

ip helper-address 10.###.231.201

standby 229 ip 10.###.229.254

standby 229 priority 105

standby 229 preempt

!

!

router eigrp 100

network 10.0.0.0

!

ip forward-protocol nd

!

no ip http server

ip http secure-server

!

ip route 70.###.172.142 255.255.255.255 66.###.161.125

ip route 184.###.###.254 255.255.255.255 66.###.161.125

ip route 205.###.96.180 255.255.255.252 66.###.161.125

!

ip access-list extended Block-Internet

permit esp host 66.###.161.126 host 184.###.###.254

permit esp host 184.###.###.254 host 66.###.161.126

permit udp host 66.###.161.126 host 184.###.###.254 eq isakmp

permit udp host 184.###.###.254 host 66.###.161.126 eq isakmp

permit esp host 66.###.161.126 host 70.###.172.142

permit esp host 70.###.172.142 host 66.###.161.126

permit udp host 66.###.161.126 host 70.###.172.142 eq isakmp

permit udp host 70.###.172.142 host 66.###.161.126 eq isakmp

permit icmp host 66.###.161.126 host 184.###.###.254

permit icmp host 184.###.###.254 host 66.###.161.126

permit icmp host 66.###.161.126 host 70.###.172.142

permit icmp host 70.###.172.142 host 66.###.161.126

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any packet-too-big

permit icmp any any traceroute

permit icmp any any unreachable

deny   ip any any

deny   icmp any any

ip access-list extended gre-tunnel-list

permit gre host 66.###.161.126 host 184.###.###.254

permit gre host 66.###.161.126 host 70.###.172.142

!

logging host 10.100.###.254

logging host 10.100.###.246

!

!

snmp-server community a RW 20

snmp-server community r RO 20

snmp-server community a RW 20

snmp-server community r RO 20

snmp-server community P_RW RW

snmp-server community P_RO RO

snmp-server enable traps entity-sensor threshold

snmp-server host 10.100.###.246 public

snmp-server host 10.100.###.254 public

access-list 20 permit 10.###.9.3

access-list 20 permit 10.###.8.16

access-list 20 permit 10.100.###.249

access-list 20 permit 10.100.###.254

access-list 20 permit 10.100.###.246

!

control-plane

!

!

banner motd ^CCCCCCC

****************** Warning! Warning! Warning! ********************

This system is restricted to authorized users for business

purposes.  Unauthorized access is a violation of the law.  This

service may be monitored for administrative and security reasons.

By proceeding, you consent to this monitoring

****************** Warning! Warning! Warning! ********************

^C

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

exec-timeout 60 0

password 7 *removed*

login local

transport input ssh

line vty 5 15

exec-timeout 60 0

password 7 *removed*

login local

transport input ssh

!

scheduler allocate 20000 1000

ntp server 10.###.8.8 prefer

ntp server 10.###.231.200 prefer

ntp server 10.###.8.69

ntp server 10.###.1.6 prefer

!

end

Router 2

Current configuration : 9013 bytes

!

version 15.3

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname R-US-RS-WVPN2

!

boot-start-marker

boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin

boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin

boot-end-marker

!

!

logging buffered 64000

logging console critical

enable secret 5 *removed*

!

no aaa new-model

clock timezone CET 1 0

clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00

errdisable recovery cause udld

errdisable recovery cause bpduguard

errdisable recovery cause rootguard

errdisable recovery cause pagp-flap

errdisable recovery cause dtp-flap

errdisable recovery cause link-flap

errdisable recovery interval 303

!

ip cef

!

!

!

!

!

!

ip domain name corp.mann-hummel.com

ip name-server 10.###.8.21

ip name-server 10.###.8.96

ip inspect dns-timeout 90

ip inspect tcp idle-time 60

ip inspect name fw smtp timeout 120

ip inspect name fw ftp timeout 120

ip inspect name fw realaudio

ip inspect name fw tftp timeout 30

ip inspect name fw udp timeout 30

ip inspect name fw tcp timeout 60

ipv6 multicast rpf use-bgp

no ipv6 cef

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint TP-self-signed-3179596086

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3179596086

revocation-check none

rsakeypair TP-self-signed-3179596086

!

!

crypto pki certificate chain TP-self-signed-3179596086

certificate self-signed 01

  *removed*

        quit

license udi pid CISCO1921/K9 sn FTX153182M2

!

!

!

spanning-tree vlan 229 priority 1###84

!

redundancy

!

!

!

!

!

ip ssh version 2

!

!

crypto isakmp policy 10

hash md5

authentication pre-share

lifetime 3600

crypto isakmp key *removed* address 70.###.172.142

crypto isakmp key *removed* address 184.###.###.254

crypto isakmp keepalive 35 11

!

!

crypto ipsec transform-set Fay-Ral-WVPN-Tunnel esp-aes esp-md5-hmac

mode tunnel

!

!

!

crypto map vpn 10 ipsec-isakmp

set peer 184.###.###.254

set peer 70.###.172.142

set transform-set Fay-Ral-WVPN-Tunnel

match address gre-tunnel-list

!

!

!

!

!

interface Loopback0

ip address 10.###.0.12 255.255.255.255

!

interface Tunnel2292

description Failover-TimewarnerCable-Ral-Fay-WVPN2

ip address 10.###.99.30 255.255.255.252

no ip redirects

cdp enable

tunnel source 96.###.25.226

tunnel destination 184.###.###.254

crypto map vpn

!

interface Tunnel2294

description Failover-TimewarnerCable-Ral-Fay-WVPN2

ip address 10.###.99.158 255.255.255.252

no ip redirects

cdp enable

tunnel source 96.###.25.226

tunnel destination 70.###.172.142

crypto map vpn

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description Fay-Ral WVPN

ip address 96.###.25.226 255.255.255.252

ip access-group Block-Internet in

ip access-group Block-Internet out

duplex auto

speed auto

no cdp enable

crypto map vpn

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/0/0

switchport access vlan 229

no ip address

!

interface GigabitEthernet0/0/1

switchport access vlan 229

no ip address

!

interface GigabitEthernet0/0/2

switchport access vlan 229

no ip address

!

interface GigabitEthernet0/0/3

description PBX Eth2

switchport access vlan 229

no ip address

!

interface Vlan1

no ip address

shutdown

!

interface Vlan229

ip address 10.###.229.252 255.255.255.0

ip helper-address 10.###.231.201

standby 229 ip 10.###.229.254

standby 229 preempt

!

!

router eigrp 100

network 10.0.0.0

!

ip forward-protocol nd

!

no ip http server

ip http secure-server

!

ip route 70.###.172.142 255.255.255.255 96.###.25.225

ip route 184.###.###.254 255.255.255.255 96.###.25.225

ip route 205.###.96.180 255.255.255.252 66.###.161.125

!

ip access-list extended Block-Internet

permit esp host 96.###.25.226 host 184.###.###.254

permit esp host 184.###.###.254 host 96.###.25.226

permit udp host 96.###.25.226 host 184.###.###.254 eq isakmp

permit udp host 184.###.###.254 host 96.###.25.226 eq isakmp

permit esp host 96.###.25.226 host 70.###.172.142

permit esp host 70.###.172.142 host 96.###.25.226

permit udp host 96.###.25.226 host 70.###.172.142 eq isakmp

permit udp host 70.###.172.142 host 96.###.25.226 eq isakmp

permit icmp host 96.###.25.226 host 184.###.###.254

permit icmp host 184.###.###.254 host 96.###.25.226

permit icmp host 96.###.25.226 host 70.###.172.142

permit icmp host 70.###.172.142 host 96.###.25.226

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any packet-too-big

permit icmp any any traceroute

permit icmp any any unreachable

deny   ip any any

deny   icmp any any

ip access-list extended gre-tunnel-list

permit gre host 96.###.25.226 host 184.###.###.254

permit gre host 96.###.25.226 host 70.###.172.142

!

logging host 10.100.###.254

logging host 10.100.###.246

!

!

snmp-server community P_RW RW

snmp-server community P_RO RO

snmp-server community a RW 20

snmp-server community r RO 20

snmp-server community a RW 20

snmp-server community r RO 20

snmp-server enable traps entity-sensor threshold

snmp-server host 10.100.###.246 public

snmp-server host 10.100.###.254 public

access-list 20 permit 10.###.9.3

access-list 20 permit 10.###.8.16

access-list 20 permit 10.100.###.249

access-list 20 permit 10.100.###.254

access-list 20 permit 10.100.###.246

!

control-plane

!

!

banner motd ^CCCCCC

****************** Warning! Warning! Warning! ********************

This system is restricted to authorized users for business

purposes.  Unauthorized access is a violation of the law.  This

service may be monitored for administrative and security reasons.

By proceeding, you consent to this monitoring

****************** Warning! Warning! Warning! ********************

^C

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

exec-timeout 60 0

password 7 *removed*

login local

transport input ssh

line vty 5 15

exec-timeout 60 0

password 7 *removed*

login local

transport input ssh

!

scheduler allocate 20000 1000

ntp server 10.###.8.8 prefer

ntp server 10.###.231.200 prefer

ntp server 10.###.8.69

ntp server 10.###.1.6 prefer

!

end

5 Replies

shane5h
Level 1

UPDATE

I have since applied the following config to the tunnel interfaces:

ip mtu 1400

ip tcp adjust-mss 1400

tunnel path-mtu-discovery

This worked, and I was able to reset each user's PC to the default MTU size of 1500, but only until just now. I got a call from a user who explained that he wasn't able to reach some websites, again.

Sure enough, I've just confirmed that all of the users are unable to access the websites any longer.

This is crazy, does anyone have any ideas?

Hi,

ip mtu 1400

ip tcp adjust-mss 1400

Typically, the MSS is the MTU minus 40.

If you have verified that 1400 is the adequate value for the MTU, you should adjust the MSS to 1360.

(A handy tool for Windows to determine the path's MTU is mturoute.)

HTH

Rolf
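An added example (not from the thread or from Cisco) that puts the UPDATE's tunnel config and Rolf's MTU-minus-40 rule into a small check: it computes the on-the-wire size of a packet carried GRE-in-IPsec with the page's transform set (esp-aes esp-md5-hmac, tunnel mode) and flags tunnel stanzas whose ip tcp adjust-mss is larger than ip mtu minus 40. It assumes IPv4 TCP without options and GRE without key or sequence fields; the sample config and the function names are constructed here.

```python
import re

IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4                   # IPv4, TCP (no options), plain GRE
ESP_HDR, AES_IV, ESP_TRAILER, MD5_ICV = 8, 16, 2, 12    # esp-aes esp-md5-hmac, tunnel mode

def mss_for_mtu(ip_mtu):
    """Largest TCP segment that fits an IPv4 packet of ip_mtu bytes (MTU minus 40)."""
    return ip_mtu - IP_HDR - TCP_HDR

def wire_size(inner_len):
    """Bytes on the physical link for an inner IP packet of inner_len bytes that is
    GRE-encapsulated and then protected by ESP tunnel mode (AES-CBC, HMAC-MD5-96)."""
    esp_payload = inner_len + IP_HDR + GRE_HDR + ESP_TRAILER  # GRE packet + ESP trailer
    pad = (-esp_payload) % 16                                  # AES block alignment
    return IP_HDR + ESP_HDR + AES_IV + esp_payload + pad + MD5_ICV

def check_tunnel_mss(config, link_mtu=1500):
    """Walk interface stanzas and report (a) an ip mtu whose encapsulated size
    no longer fits the physical link and (b) an adjust-mss above ip mtu - 40."""
    findings = []
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", stanza, re.M)
        if not name:
            continue
        mtu = re.search(r"^\s*ip mtu (\d+)", stanza, re.M)
        mss = re.search(r"^\s*ip tcp adjust-mss (\d+)", stanza, re.M)
        if mtu:
            mtu_val = int(mtu.group(1))
            wire = wire_size(mtu_val)
            if wire > link_mtu:
                findings.append(f"{name.group(1)}: ip mtu {mtu_val} becomes {wire} bytes on the wire, above {link_mtu}")
            if mss and int(mss.group(1)) > mss_for_mtu(mtu_val):
                findings.append(f"{name.group(1)}: adjust-mss {mss.group(1)} exceeds {mss_for_mtu(mtu_val)} (ip mtu {mtu_val} minus 40)")
    return findings

# Constructed sample mirroring the thread's UPDATE; not the poster's full config.
SAMPLE = """\
interface Tunnel2291
 ip mtu 1400
 ip tcp adjust-mss 1400
 tunnel path-mtu-discovery
!
interface Tunnel2293
 ip mtu 1400
 ip tcp adjust-mss 1360
!
"""

if __name__ == "__main__":
    for finding in check_tunnel_mss(SAMPLE):
        print(finding)
```

Running it reports only Tunnel2291, whose MSS of 1400 is 40 bytes too large, while wire_size(1400) is 1496 bytes and fits a 1500-byte link; wire_size(1500) would be 1592 and fragment.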

Thank you for the reply, Rolf.

Yes, and you've jogged my memory of what I read the other day. So, I've updated the config to:

ip tcp adjust-mss 1360

...and still not working for *some* users. Interestingly, some users can access the problem sites just fine.

I used the tool mturoute and performed a trace to the gateway and one of the trouble sites. A trace to the gateway with an MTU size of 1500 works fine. A trace to a problem site with the same MTU fails because the site is blocking ICMP pings :/

...and still not working for *some* users. Interestingly, some users can access the problem sites just fine.

Hmm, would it make sense to compare the paths with a traceroute from both (good vs. "problem" client) in order to see if there is load-sharing based on the source-address somewhere?
