I have a Cisco 800 connected with ADSL to a Cisco 3600, which is connected to a 7500 with Ethernet.
I have configured a GRE tunnel between the 800 and the 7500. The 7500 is connected to the Internet through a FW.
When trying to connect with HTTPS to secured web sites from a workstation on the 800's LAN, we get nothing. I've put a sniffer between the 7500 and the FW and saw that there are HTTPS frames with a length of 1514 (and this is before the GRE header is added) and with the "don't fragment" bit set. So my guess is that with the GRE header the frame is too big (giant).
When connecting to non-secured sites everything works fine, and the sniffer shows smaller frames with the "don't fragment" bit set to "may fragment".
1) Can I configure the routers to support giant frames? If yes, do I also need to configure something on the Ethernet switch?
The problem is that, when clients connect to the HTTPS web server, they both agree on the MTU size and the smallest supported among the two will be negotiated. Suppose each of them negotiates it to 1514 (for Ethernet); when they send the packets, they do set the DF bit.
Now, the 800 router cannot fragment the frames. Also, the tunnel interface has an MTU which is 24 bytes less than the real MTU on the outgoing interface. That means the MTU of the frame can be 1490, above which the frame cannot be sent without fragmenting.
When this situation arises, the router will send an ICMP message saying the following:
ICMP: dst (x.x.x.x) frag. needed and DF set unreachable sent to x.x.x.x
Usually ICMP could be blocked (not necessarily in your network, but on the way). So this ICMP message would never reach the web server. This ICMP message notifies the HTTPS server to adjust the MTU size appropriately.
1. Try to find out where ICMP messages are getting blocked. This is not a very reliable solution.
2. A good solution would be to use a proxy device between your 3600 and 7500 (if both are connected via LAN), and let the proxy device initiate all outgoing web connections. For this you will have to terminate the GRE tunnel at the 3600 rather than at the 7500, as the 7500 is your Internet gateway.
3. Try to set the client machines' MTU sizes to a smaller value so that packets can pass without fragmentation. But this might be a tedious job to do if a lot of PCs are there.
4. I don't think the ADSL interfaces can have an MTU size over 1514 bytes. If yes, you might want to set the MTU on the interfaces.
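The tunnel forwarding decision and the ICMP "fragmentation needed and DF set" message that the answer above describes, as an added Python example (my own code, not from this thread or from Cisco IOS). It assumes the 24-byte GRE overhead stated in the answer and uses constructed sample packets and addresses; the ICMP layout follows RFC 1191 (type 3, code 4, next-hop MTU in bytes 6-7), which is the message a firewall must let through for path MTU discovery to work.

```python
import socket
import struct

GRE_OVERHEAD = 24   # assumed: outer IPv4 header (20) + GRE header (4), as the answer states
IP_DF = 0x4000      # "don't fragment" bit in the IPv4 flags/fragment-offset field


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(payload_len: int, df: bool, src="10.1.1.10", dst="203.0.113.5") -> bytes:
    """Constructed sample: 20-byte IPv4 header (TCP, protocol 6) plus a dummy payload."""
    flags = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + b"\x00" * payload_len


def tunnel_decision(packet: bytes, egress_mtu: int):
    """What a router does with an IPv4 packet entering a GRE tunnel whose
    physical egress interface has egress_mtu.

    Returns ("forward", None), ("fragment", tunnel_mtu), or
    ("icmp_frag_needed", icmp_bytes): the packet is dropped and an ICMP
    destination-unreachable (type 3, code 4) carrying the tunnel MTU goes back
    to the sender, which is the message PMTUD relies on.
    """
    total_len = struct.unpack("!H", packet[2:4])[0]
    df_set = bool(struct.unpack("!H", packet[6:8])[0] & IP_DF)
    tunnel_mtu = egress_mtu - GRE_OVERHEAD          # e.g. 1500 - 24 = 1476
    if total_len <= tunnel_mtu:
        return "forward", None
    if not df_set:
        return "fragment", tunnel_mtu               # router may fragment before encapsulating
    # DF set and too big: drop it and report the next-hop MTU to the sender.
    body = struct.pack("!BBHHH", 3, 4, 0, 0, tunnel_mtu) + packet[:28]   # IP header + 8 bytes
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return "icmp_frag_needed", body
```

If the type 3 code 4 message is filtered anywhere between the tunnel router and the server, the server keeps resending full-size DF packets and the HTTPS session stalls exactly as the question describes.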