Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2774
Views
0
Helpful
10
Replies

Pings failing when sent at 1468 and above.

j.vashee
Level 1
Level 1

‎09-15-2003 12:27 PM - edited ‎03-02-2019 10:20 AM

Hi,

I have built a VPN tunnel between two routers. The tunnels work fine and get pings replies from either sides of the tunnels.

The problem is that the pings are fine until you send upto 1468bytes packets over 1468 and ping replies fail.

Any ideas why this could be failing.

Thanks in advance.

Jay

Labels:
0 Helpful
10 Replies 10

deilert
Level 6
Level 6

‎09-15-2003 05:19 PM

you have an MTU issue , when you do a sh cry ipsec sa , what does it show for path and media mtu ? also what does it show when you do a sh ip interface for ip mtu ?

0 Helpful

j.vashee
Level 1
Level 1
In response to deilert

‎09-15-2003 09:55 PM

when I do a sh cry ipsec sa

local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y

path mtu 1500, media mtu 1500

#sh ip int fa0/1

FastEthernet0/1 is up, line protocol is up

Internet address is 10.188.64.21/28

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

0 Helpful

rais
Level 7
Level 7
In response to j.vashee

‎09-16-2003 01:25 AM

You must be pinging a specific device. Try pinging another device (different kind) and you will start seeing larger pings work.

Some devices do not allow ping more than a given threshold.

HTH

0 Helpful

sun816
Level 1
Level 1
In response to rais

‎09-16-2003 01:42 AM

You should get it clear that the echo packet or the echo reply packet fails? Then find out the error point and error link hop by hop.

0 Helpful

j.vashee
Level 1
Level 1
In response to rais

‎09-16-2003 01:43 AM

We have tried various devices from different lans and getting the same problems.

0 Helpful

deilert
Level 6
Level 6
In response to j.vashee

‎09-16-2003 05:03 AM

take a look at this

router#sh int tu 34

Tunnel34 is administratively down, line protocol is down

Hardware is Tunnel

Internet address is

MTU 1514 bytes, BW 128 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source (Loopback0), destination

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Checksumming of packets disabled, fast tunneling enabled

Last input never, output 33w5d, output hang never

Last clearing of "show interface" counters 16w0d

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue :0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

router #sh ip int tu 34

Tunnel34 is administratively down, line protocol is down

Internet address is

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1476 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Multicast reserved groups joined: 224.0.0.10

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is enabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Flow switching is disabled

IP CEF switching is enabled

IP Feature Fast switching turbo vector

IP Feature CEF switching turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Probe proxy name replies are disabled

Policy routing is disabled

Network address translation is disabled

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

BGP Policy Mapping is disabled

IP multicast multilayer switching is disabled

note that the MTU on the interface is showing 1500 , but the ip mtu is only 1476, this is not correct

what you need to do is shut down or preferably delete the tunnels then rebuild them and add the command 'ip mtu 1500'

see below

interface Tunnel16

ip address

ip mtu 1500

tunnel source Loopback0

tunnel destination

crypto map x

0 Helpful

j.vashee
Level 1
Level 1
In response to deilert

‎09-16-2003 05:38 AM

The tunnel interface is already configured for 1500

I#sh ip int tu 100

Tunnel100 is up, line protocol is up

Interface is unnumbered. Using address of Loopback10 (X.X.x.X)

Broadcast address is 255.255.255.255

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Multicast reserved groups joined: 224.0.0.5 224.0.0.6

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is enabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Flow switching is disabled

IP CEF switching is disabled

IP Feature Fast switching turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Policy routing is disabled

Network address translation is disabled

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

BGP Policy Mapping is disabled

#sh int loopback 10

Loopback10 is up, line protocol is up

Hardware is Loopback

Internet address is X.X.X.X/32

MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation LOOPBACK, loopback not set

Last input never, output never, output hang never

Last clearing of "show interface" counters 5d02h

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 Helpful

deilert
Level 6
Level 6
In response to j.vashee

‎09-16-2003 06:15 AM

what about the other side ? also what about sh int tu 100 , what does the mtu show for the tunnel 100, you may also want to adjust the mtu to have the tunnel and loopback match

0 Helpful

j.vashee
Level 1
Level 1
In response to deilert

‎09-16-2003 06:56 AM

at the other end of the tunnel also the tunnel mtu is 1514 and the loopback is also 1514

0 Helpful

jamey
Level 4
Level 4
In response to j.vashee

‎09-16-2003 10:25 AM

Isn't there overhead with GRE, 24 bytes? And I'm probably wrong, but I think I read ICMP has 8 bytes overhead, that leaves 1468 bytes...

1500-24-8=1468

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents