Cisco Support Community

MTU problems with lightweight AP at the end of a GRE/IPSEC tunnel


I have a 4404 controller integrated into a 3750G chassis. It is running the firmware. It is configured in L3 mode. It is installed at the headquarters location.

I have access points at a remote location that is connected back to the main site via an IPSEC secured GRE tunnel.

The remote-site APs will register with the controller without issue. Wireless clients can connect to the APs and obtain an IP address. I am able to pass ICMP traffic of any size from a wireless client to corporate resources. However, I cannot use any TCP/UDP applications on the wireless client without manually adjusting the MTU. When the MTU is set to 1500, I cannot pass any traffic. When I set the MTU to 1300 and reboot the XP workstation, I have network access again.

There are no MTU issues present on the wired network at the remote location, just from the LWAPs.

I've adjusted the MTU on the tunnel interfaces to account for GRE/IPSEC tunnel mode overhead.

I've tried IPSEC pre-fragmentation on both sides of the IPSEC/GRE link.

I've verified that no ICMP packets are being dropped and that PMTUD is allowed to take place.

The connection at the remote site is a cable connection with no additional data-link overhead. I have verified this by sourcing packets from the router to the ISP gateway using a packet size of 1500 and specifying the DF bit be set. I am able to pass 1500 byte packets without issue.

The HQ site has an HDLC encapsulated T1, so there is no additional DL overhead there either.

I really don't want to have to modify the MTU manually on every wireless client at this remote site. Any ideas what I'm missing?


Re: MTU problems with lightweight AP at the end of a GRE/IPSEC t


On your Cisco routers, you can adjust the TCP MSS so that new TCP sessions will be set up with smaller segment sizes. This will work for TCP, but not UDP. UDP normally uses smaller packet sizes ... so you might be fine.

Here is a link (watch the ugly word wrap):

Do you think it will help to set the MSS?  Sounds like it might be an option for you.

You can also hard set the MTU / MSS on your servers, and this will cause these servers to send the data in smaller segment sizes per TCP session.

Do you know where the drops are occurring when the packets get too large?  Possibilities include the remote switch, router, 3750 interface etc ...

Do please let me know your thoughts.  Kindest regards, and HTH,
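
An added example, not part of either post above: a byte budget for a wireless client packet that is wrapped by the AP in LWAPP and then carried through GRE and ESP tunnel mode over a 1500-byte link, to show why a 1500-byte client MTU cannot fit and a 1300-byte one can. The thread does not state the IPsec transform or the LWAPP framing, so the AES-CBC/HMAC-SHA1-96 sizes and the 66-byte LWAPP figure (20 IP + 8 UDP + 6 LWAPP + 24 802.11 header + 8 LLC/SNAP) are assumptions; substitute the values for your own transform set.

```python
"""Encapsulation budget: client IP packet -> LWAPP -> GRE -> ESP tunnel mode -> link."""

OUTER_IP = 20      # IPv4 header without options
GRE_BASE = 4       # GRE header with no key, sequence or checksum fields
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte
TCP_IP_HDRS = 40   # IPv4 + TCP headers without options


def esp_max_inner(link_mtu, iv_len, block, icv_len):
    """Largest packet ESP tunnel mode can carry inside one link_mtu-sized packet."""
    room = link_mtu - OUTER_IP - ESP_HDR - iv_len - icv_len
    room -= room % block          # payload + padding + trailer must fill whole blocks
    return room - ESP_TRAILER


def gre_max_inner(outer_limit):
    """Largest passenger packet GRE can carry within outer_limit bytes."""
    return outer_limit - OUTER_IP - GRE_BASE


def budget(link_mtu=1500, iv_len=16, block=16, icv_len=12, lwapp_overhead=66):
    """Defaults are assumed values: AES-CBC + HMAC-SHA1-96, 66 bytes of LWAPP framing."""
    tunnel_ip_mtu = gre_max_inner(esp_max_inner(link_mtu, iv_len, block, icv_len))
    client_ip_mtu = tunnel_ip_mtu - lwapp_overhead
    return {
        "tunnel_ip_mtu": tunnel_ip_mtu,          # largest AP-to-controller packet
        "client_ip_mtu": client_ip_mtu,          # largest client packet inside LWAPP
        "client_tcp_mss": client_ip_mtu - TCP_IP_HDRS,
    }


def fits(client_mtu, **kwargs):
    """True if a full-size client packet crosses the path without fragmentation."""
    return client_mtu <= budget(**kwargs)["client_ip_mtu"]


if __name__ == "__main__":
    for name, value in budget().items():
        print(f"{name:15} {value}")
    for mtu in (1500, 1300):      # the two client MTU settings tried in the question
        print(f"client MTU {mtu}: {'fits' if fits(mtu) else 'does not fit'}")
```
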

