I have configured internet access via the MPLS by creating a separate Internet VRF. The same VRF is applied on the interface facing the Internet Gateway. I am using a Cisco 7606 with 48 switchports to connect to the CE routers.
My problem is that we cannot browse via the internet. From the CE end devices we can ping the internet sites but cannot browse. We can use Google to search for information on the net but cannot browse to these web sites.
I need a solution to this problem as it's affecting my services to our clients.
I attach typical configurations on the PE router to help in getting a quick solution.
This could be an MTU-related issue, as you can ping but not surf. A successful ping means routing works, so the problem is somewhere else.
Please check the MTU to the web sites under question (extended ping with DF bit set, packet size 1472).
In case large packets are not going through, make sure your MPLS enabled interfaces are configured to allow for the additional bytes taken by the labels (at least 2 labels for L3VPN, i.e. 8 Bytes).
To adjust the MTU use either
ip mtu 1500
mpls mtu 1508
Which option you can configure depends on your IOS and hardware.
Repeat the extended ping check until 1500 byte packets are going through and then test the Web sites again. In case the problem persists, please provide the results of your tests.
Hope this helps! Please use the rating system.
Thanks for your mail and good suggestions. I have carried out the configurations and test as suggested [see attached]. I can browse some sites like www.google.com, http://support.mbs-worldwide.ac.uk, http://www.nigeriansecurities.com/ but cannot open sites like www.cisco.com, www.yahoo.com, etc. I can ping effectively well both via the extended and normal ping.
Is there any other thing you would like me to check?
Please note that I am using private IPs on core and running internet services off a PE. [see design attached].
Any further suggestions will be welcome.
sounds MTU related to me.... sounds like packets with DF bit set are coming and they are larger than the path MTU when the MPLS overhead is taken away....
you don't specify any of the interface configs, so it is hard to see what is going on with MTU... ping with various sizes above and below the MTU is helpful in diagnosing the condition... setting DF-bit clearing on the PE routers could help in temporarily alleviating the condition or testing the MTU theory out...
I have tried the MTU configurations - MPLS MTU 1508, and the IP MTU 1500 applied on the MPLS enabled interface, yet I am not able to browse via the MPLS network. Ping result is perfect. I can ping www.yahoo.com, so the DNS is working fine.
Does anybody have an alternative solution or is there anything I need to tweak on the configurations again?
Pls see the config on the interfaces on the PE facing the P router. All the interfaces on the core have been configured the same way.
description Connection to P_Router
ip address 192.168.252.18 255.255.255.252
mpls mtu 1508
mpls label protocol ldp
Can you pls also try doing an extended ping from the hosts where you are trying to browse as below, and post the results for all.
ping yahoo.com -f -l 1470 (.+2..till..1500)
Ok, could you remove the MTU changes that you had applied before, and start with this test from the ingress PE till the internet PE.
Target IP address: x.x.x.x
Repeat count :
Datagram size : 1500
Timeout in seconds :
Extended commands [n]: y
Source address or interface:
Type of service :
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
Packet sent with the DF bit set
Keep pinging with this packet size, but I don't think all PEs will successfully ping the internet destinations; I believe one hop will fail this test, and so this is the hop that has or is connected to the main source of this issue.
I have carried out the ping tests and below is a summary of the result.
1. From the Laptop:
- can ping internet with packet size of 1464 bytes
- cannot ping with higher than 1464 bytes
- cannot ping the directly connected PE with packet size more than 1473 bytes
3. From the PE directly connected to the Laptop:
- can ping internet with packet size of 1492 bytes
- Cannot ping with packet size beyond 1492 bytes.
4. From Last hop PE facing the Internet Gateway router
- can ping internet with packet size of 1500 bytes
Please see attached for details of the test results and design for the traffic path.
Do let me know if there is any further thing I need to do. The problem seems to be located on the ingress PE. But note also that I have Cisco 7200 router as P router connecting to and GSR 12000 P router.
You could try using a route map to reset the DF bit on TCP traffic on the PE ingress port facing the CE.
route-map Clear-DF permit 10
match ip address Clear-DF
set ip df 0
ip access-list extended Clear-DF
permit tcp any any
Apply the route-map policy to the ingress port closest to the CE or on the CE itself, thus ensuring that all TCP traffic gets its DF bit set to 0; hence it will then be fragmentable.
The problem seems to lie with your 7204 which has ethernet and FE interfaces for label switching. If I can recollect right you may not be able to configure physical mtu of more than 1500 on these interfaces.
So the way out would be to set layer 2 mtu of 1508 or more on the 7204 and on other devices uniformly. But this may not be possible with 7204 and the interface types.
So you can replace the 7204 with another device which has gig links supporting MTU higher than 1508 or reduce the MTU from all hosts perspective by 8 bytes. The former option of replacing the 7204 would be easier though.
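An added example (not written by any poster in this thread) that models the DF-bit ping tests reported above and shows how the measured sizes relate to each other. The hop names, the 1500-byte cap on labelled frames in the core, and the two-label stack are assumptions taken from the discussion, not from the attached configurations.

```python
# Added illustration: a model of the path described in the thread (constructed values).
IP_ICMP_HDR = 28   # 20-byte IPv4 header + 8-byte ICMP header
IP_TCP_HDR = 40    # 20-byte IPv4 header + 20-byte TCP header, no options
LABEL = 4          # bytes per MPLS label

# Each hop: (name, link MTU in bytes, MPLS labels carried on that link).
# Assumption: core links cannot carry labelled frames larger than 1500 bytes.
PATH_FROM_LAPTOP = [
    ("laptop -> ingress PE", 1500, 0),
    ("ingress PE -> P (7204)", 1500, 2),
    ("P -> egress PE", 1500, 2),
    ("egress PE -> Internet gateway", 1500, 0),
]

def probe(path, ip_len):
    """Simulate a DF-bit ping: True if an ip_len-byte IP packet fits every hop."""
    return all(ip_len + labels * LABEL <= mtu for _, mtu, labels in path)

def max_df_packet(path, lo=576, hi=1500):
    """Binary-search the largest IP packet that passes with DF set."""
    if not probe(path, lo):
        raise ValueError("even the minimum size fails; not an MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(path, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def bottleneck(path, ip_len):
    """Name of the first hop that drops an ip_len-byte DF packet, or None."""
    for name, mtu, labels in path:
        if ip_len + labels * LABEL > mtu:
            return name
    return None

def report(path):
    pmtu = max_df_packet(path)
    return {
        "ip_packet": pmtu,                     # IOS extended ping "Datagram size"
        "windows_ping_l": pmtu - IP_ICMP_HDR,  # payload size for ping -f -l
        "tcp_mss": pmtu - IP_TCP_HDR,          # largest TCP segment that fits
        "first_drop_at_1500": bottleneck(path, 1500),
    }

if __name__ == "__main__":
    print(report(PATH_FROM_LAPTOP))
```

The model reproduces the 1464-byte limit seen from the laptop and the 1492-byte limit seen from the ingress PE, which is what an 8-byte label overhead on a 1500-byte core link would produce.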