
ASA-IPSEC L2L with GRE Tunnel doesn't work

Hi,

We have an ASA-to-ASA connection between 2 buildings with IPsec and a GRE tunnel between them because we use EIGRP for this network. The tunnel is OK and works perfectly, but I get syslog messages like:

Aug 13 17:04:54 FWH50031 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:134.81.191.233 dst inside:134.81.227.78 (type 3, code 4) on outside interface. Original IP payload: <unknown>.

Aug 13 17:05:04 FWH50031 %ASA-6-602101: PMTU-D packet 1462 bytes greater than effective mtu 1434, dest_addr=134.81.191.178, src_addr=134.81.227.78, prot=GRE

and we can't find anything on Cisco about how to adjust the PMTU-D size on the GRE tunnel.

(net)-(tunnel-gre)--(asa)--airconnection--(asa)--(tunnel-gre)-(net)

5 REPLIES

Re: ASA-IPSEC L2L with GRE Tunnel doesn't work

Try this on both routers:

interface tun X

ip mtu 1400

ip tcp adjust-mss 1360

You have to set this on both ends.

Regards

Farrukh

Re: ASA-IPSEC L2L with GRE Tunnel doesn't work

Hello Farrukh,

Thanks for the fast response.

The command ip tcp adjust-mss 1360 doesn't work on both routers. It's a 6500; sh ver:

Cisco Internetwork Operating System Software

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)

srs282k3(config)#int tunnel 0

srs282k3(config-if)#ip tcp ?

compression-connections Maximum number of compressed connections

header-compression Enable TCP header compression

srs282k3(config-if)#ip tcp

I have now configured on both sides:

srs282k3(config-if)#ip mtu 1416

srs282k3(config-if)#tunnel path-mtu-discovery

srs282k3(config-if)#

and will start the next try to test this.

Regards

Klaus

Re: ASA-IPSEC L2L with GRE Tunnel doesn't work

This command was introduced in 12.2(33)SXH I think.

Make sure you have PMTUD enabled through the firewall (particularly the packet-too-big ICMP type).

Regards

Farrukh

Re: ASA-IPSEC L2L with GRE Tunnel doesn't work

Hello Farrukh,

I have a standard config for the ASAs. What does this packet-too-big ICMP type mean?

Do you have an example for this?

thx

Klaus

Re: ASA-IPSEC L2L with GRE Tunnel doesn't work

It is just an ICMP type like 'echo' 'echo-reply'

Regards

Farrukh
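
An added example, not part of the thread or any poster's code: it parses the two syslog message types quoted in the first post and derives the ceiling for the tunnel `ip mtu` and `ip tcp adjust-mss`. It assumes the effective MTU in %ASA-6-602101 applies to the whole GRE packet and that GRE adds 24 bytes (no key or sequence options); the function and field names are hypothetical.

```python
import re

# The two ASA syslog lines quoted in the first post of the thread.
SAMPLE_LOG = """\
Aug 13 17:04:54 FWH50031 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:134.81.191.233 dst inside:134.81.227.78 (type 3, code 4) on outside interface. Original IP payload: <unknown>.
Aug 13 17:05:04 FWH50031 %ASA-6-602101: PMTU-D packet 1462 bytes greater than effective mtu 1434, dest_addr=134.81.191.178, src_addr=134.81.227.78, prot=GRE
"""

GRE_OVERHEAD = 24    # assumption: 20-byte outer IPv4 header + 4-byte GRE header, no key/sequence
TCP_IP_HEADERS = 40  # 20-byte IPv4 + 20-byte TCP header, no options

PMTUD_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (\d+) bytes greater than effective mtu (\d+), "
    r"dest_addr=([\d.]+), src_addr=([\d.]+), prot=(\w+)")
ICMP_ERR_RE = re.compile(
    r"%ASA-4-313005: .*?icmp src (\S+) dst (\S+) \(type (\d+), code (\d+)\)")


def analyze(log_text):
    """Return (tunnels, dropped): sizing limits per GRE endpoint pair, and
    fragmentation-needed ICMP errors (type 3, code 4) the ASA dropped."""
    tunnels, dropped = {}, []
    for line in log_text.splitlines():
        m = PMTUD_RE.search(line)
        if m and m.group(5) == "GRE":
            size, eff = int(m.group(1)), int(m.group(2))
            pair = (m.group(4), m.group(3))  # (src_addr, dest_addr)
            seen = tunnels.get(pair)
            # Keep the smallest effective MTU and the largest offending packet.
            eff = min(eff, seen["effective_mtu"]) if seen else eff
            size = max(size, seen["largest_gre_packet"]) if seen else size
            tunnels[pair] = {
                "effective_mtu": eff,
                "largest_gre_packet": size,
                "max_ip_mtu": eff - GRE_OVERHEAD,
                "max_mss": eff - GRE_OVERHEAD - TCP_IP_HEADERS,
            }
            continue
        m = ICMP_ERR_RE.search(line)
        if m and (m.group(3), m.group(4)) == ("3", "4"):
            dropped.append((m.group(1), m.group(2)))
    return tunnels, dropped


if __name__ == "__main__":
    tunnels, dropped = analyze(SAMPLE_LOG)
    for (src, dst), t in tunnels.items():
        print(f"GRE {src} -> {dst}: ip mtu <= {t['max_ip_mtu']}, adjust-mss <= {t['max_mss']}")
    for src, dst in dropped:
        print(f"fragmentation-needed ICMP dropped: {src} -> {dst}")
```

For the quoted lines this gives an `ip mtu` ceiling of 1410 and an MSS ceiling of 1370, so the 1400/1360 values suggested in the first reply fit under both.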
