Hello all, quick question. Packets that get fragmented at the router when going through a GRE IPSEC tunnel, when they get to the other side, are they reassembled at the router or at the host? I know in some cases at the router, but for most cases I would think the host would.
Also, here is an example tunnel. Anyone see any issues?
As a general principle we can say that fragmentation occurs somewhere along the path and reassembly occurs at the destination. Usually we would understand the destination to be the remote host. The case of GRE is slightly different. With GRE we have created a packet within a packet. For the GRE packet the destination is the remote GRE router (tunnel destination), not the remote host. So if a GRE packet is fragmented along its path, the reassembly is done on the remote GRE router.
I have looked at the example tunnel you posted and am not clear what you are asking about. I notice that the GRE tunnel is doing IPSec (tunnel protection ipsec) and I know that IPSec with GRE is likely to have issues with fragmentation. Adding the headers for GRE and the headers for IPSec will mean that packets are likely to require fragmentation at the GRE router. If PMTUD is not working correctly then packets may be discarded. If the end station generates a max size packet with the DF bit turned on (because it has not properly discovered the effective path MTU), when it gets to the GRE router and the router needs to fragment but the DF bit is on, the GRE router must discard the packet. The ip mtu 1420 is frequently configured to help with the fragmentation issue but in my experience is not effective in the GRE with IPSec environment. The tunnel has ip tcp adjust-mss set to 1380. In my experience 1380 will effectively solve the needs fragmentation issue for GRE with IPSec. I see that there is an outbound access list on the tunnel but since you do not give us the content of the access list I do not know if there is an issue with the access list or not.
So while I see some issues I believe that the example tunnel should work ok.
If that does not adequately address your question then please clarify the question.
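Added example, not part of the thread or of either poster's configuration: a simplified Python model of what a GRE/IPsec tunnel router does with one passenger packet and which device reassembles any fragments. Assumptions: IPv4 without options, a basic 4-byte GRE header, ESP with AES-CBC and HMAC-SHA1-96 (the thread names no transform set), a 1500-byte physical MTU, and outer headers that do not carry the DF bit.

```python
# Added example: simplified model of fragmentation decisions at a GRE/IPsec
# tunnel router. Header sizes and the ESP transform are assumptions.
IP_HDR, GRE_HDR, ESP_HDR = 20, 4, 8   # IPv4 no options, basic GRE, ESP SPI+sequence

def esp_size(payload_len, tunnel_mode, iv=16, block=16, icv=12):
    """Bytes on the wire after ESP. Defaults assume AES-CBC with HMAC-SHA1-96."""
    # Tunnel mode encrypts the whole GRE packet and adds a new IP header;
    # transport mode leaves the GRE packet's own IP header in the clear.
    encrypted = payload_len if tunnel_mode else payload_len - IP_HDR
    # ESP trailer: pad-length and next-header bytes, padded to the cipher block.
    padded = -(-(encrypted + 2) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv

def tunnel_router_action(passenger_len, df_set, ip_mtu=1420, link_mtu=1500,
                         tunnel_mode=True):
    """Return (action, who_reassembles, wire_size) for one passenger IP packet."""
    if passenger_len > ip_mtu:
        if df_set:
            # The router may not fragment: the packet is discarded and PMTUD
            # depends on the ICMP message reaching the sender.
            return ("drop, send ICMP fragmentation-needed", None, None)
        # Fragmented before encapsulation: the fragments are addressed to the
        # remote host, so the host reassembles them.
        return ("fragment passenger packet", "remote host", None)
    wire = esp_size(IP_HDR + GRE_HDR + passenger_len, tunnel_mode)
    if wire > link_mtu:
        # The encapsulated packet is fragmented; its destination is the tunnel
        # endpoint, so the remote router reassembles it before decrypting.
        return ("fragment encapsulated packet", "remote tunnel router", wire)
    return ("forward unfragmented", None, wire)

def passenger_for_mss(mss):
    """IP packet size of a full TCP segment (no IP or TCP options)."""
    return mss + IP_HDR + 20

if __name__ == "__main__":
    cases = ((1500, True), (1500, False), (passenger_for_mss(1380), True))
    for mode in (True, False):
        print("ESP tunnel mode" if mode else "ESP transport mode")
        for size, df in cases:
            print(" ", size, "DF" if df else "no DF",
                  tunnel_router_action(size, df, tunnel_mode=mode))
```

Under these assumptions a 1420-byte passenger packet becomes 1512 bytes in ESP tunnel mode and 1496 bytes in transport mode; other transforms change those numbers.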