Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Fragmentation - Reassembly Question

Hello all, quick question. Packets that get fragmented at the router when going through a GRE IPSEC tunnel, when they get to the other side. Are the reassembled at the router or at the host. I know in some cases at the router, but for most cases I would think the host would.

Also, here is an example tunnel. Anyone see any issues?

interface Tunnel100

description VPN Tunnel

bandwidth 10000

ip address

ip access-group block-ipsec out

no ip redirects

ip mtu 1420

ip tcp adjust-mss 1380

ip ospf cost 2400

tunnel source Loopback0

tunnel destination XXXXXXXXXXXX

tunnel protection ipsec profile VPN

Hall of Fame Super Gold

Re: Fragmentation - Reassembly Question


As a general principle we can say that fragmentation occurs somewhere along the path and reassembly occurs at the destination. Usually we would understand the destination to be the remote host. The case of GRE is slightly different. With GRE we have created a packet within a packet. For the GRE packet the destination is the remote GRE router (tunnel destination) not the remote host. So if a GRE packet is fragmented along its path, the reassemby is done on the remote GRE router.

I have looked at the example tunnel you posted and am not clear what you are asking about. I notice that the GRE tunnel is doing IPSec (tunnel protection ipsec) and I know that IPSec with GRE is likely to have issues with fragmentation. Adding the headers for GRE and the headers for IPSec will mean that packets are likely to require fragmentation at the GRE router. If PMTUD is not working correctly then packets may be discarded. If the end stations generates a max size packet with the DF bit turned on (because it has not properly discovered the effective path MTU) when it gets to the GRE router and the router needs to fragment but the DF bit is on, the GRE router must discard the packet. The ip mtu 1420 is frequently configured to help with the fragmentation issue but in my experience is not effective in the GRE with IPSec environment. The tunnel has ip tcp adjust-mss set to 1380. In my experience 1380 will effectively solve the needs fragmentation issue for GRE with IPSec. I see that there is an outbound access list on the tunnel but since you do not give us the content of the access list I do not know if there is an issue with the access list or not.

So while I see some issues I believe that the example tunnel should work ok.

If that does not adequately address your question then please clarify the question.



CreatePlease to create content