
New Member

Tunnel IPSEC GRE problem

Hello cracks!

I've configured an IPsec tunnel between 2 sites with GRE and OSPF.

The tunnel is up successfully, the OSPF routes are correct and I can ping all sites, but HTTP applications don't work fine.

The first thing I thought was that it was an MTU problem.

I began to ping a remote host with the DF bit set, increasing the packet size until I received the typical "fragmentation needed" message,

but when I did a ping -f with 1400 I got a request timeout.

What could be the problem? This is the tunnel configuration.

The tunnel is established between 2 internet lines (10Mb and 30Mb)....

Thanks a lot a lot...

interface Tunnel0
 description $FW_INSIDE$
 ip address 10.29.0.9 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf cost 150
 tunnel source GigabitEthernet0/1
 tunnel destination publicip
!
interface Tunnel1
 ip address 10.29.0.5 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip ospf cost 150
 tunnel source GigabitEthernet0/1
 tunnel destination publicip

Accepted Solution
Cisco Employee

Tunnel IPSEC GRE problem

Albert,

Saying "it" doesn't work is of no help :-)

As I said, it's time to take a sniffer trace ideally on both sides to compare what's going on, don't guess what you're fixing - diagnose it.

M.

10 REPLIES
Cisco Employee

Tunnel IPSEC GRE problem

Try lowering the MSS on the tunnel interfaces to physical MTU - 40.  "ip tcp adjust-mss 1358" for example ;-)

New Member

Tunnel IPSEC GRE problem

It doesn't work.

The physical interface MTU is 1500.

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.29.0.10/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255

I don't understand why the tunnel MTU is 17916 and not 1358....

Albert.

Cisco Employee

Tunnel IPSEC GRE problem

It's time to run sniffer trace.

You're looking at  L2 MTU not IP MTU.

And you should check the path MTU not really the setting.

You can try enabling path MTU discovery (and tunnel path MTU discovery), if you're running a recent version you might actually see decent results.

M.

New Member

Tunnel IPSEC GRE problem

Where must path MTU discovery be placed? Only on the tunnel interface? I've configured it and it doesn't work...


Tunnel IPSEC GRE problem

Albert,

Indeed we need to run a packet-sniffer to look for any abnormal behaviour when people try to access the HTTP sites.

You need to find out if there are any fragmentation issues, TCP packet loss, among others... That's why Marcin suggested collecting that information and, based on your findings, proceeding accordingly.

Thanks.

New Member

Tunnel IPSEC GRE problem

Hello Marcin, Javier.

First of all, sorry for the poor information I gave you to help me.

I think the problem is solved, but I will need your help to close the issue...

The problem was that on the tunnel interface Cisco Configuration Professional had configured no ip unreachables on all interfaces.

When I tried to ping with, for example, 1410 bytes (without the -f option), the ping didn't arrive at the destination. It was like a filter...

Now, with ip unreachables enabled, everything works fine, but I need to know why with no ip unreachables the ping doesn't arrive at the destination... if I had forced the MTU on the tunnel interface...

And now the maximum ping data size I can send through the interface is 1392.

1392+ICMP(28)=1420 (IP MTU)

If the packets also need the IPsec header, the packet will always be fragmented...

I have not configured ip tcp adjust-mss 1380.

Do you think it's necessary to configure it?

Thanks a lot for your help!!!

Re: Tunnel IPSEC GRE problem

Dear Albert,

I am glad to hear that.

When it comes to GRE/IPsec we usually recommend 1380, please check the link below for a better understanding:

Avoiding IP Fragmentation: What TCP MSS Does and How It Works

http://tools.cisco.com/squish/94FF2

Thanks

Please rate any post you find helpful.
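The arithmetic behind the numbers in this thread (ip mtu 1420, adjust-mss 1380, the 1392-byte ping limit, and why a DF ping simply times out under "no ip unreachables"), as an added example that is not code from the thread or from Cisco. Header sizes are the standard ones; the IPsec overhead constant is an assumption for ESP tunnel mode with a common AES-CBC/HMAC transform and must be adjusted for your own transform set.

```python
# Added example (not from the thread): MTU/MSS arithmetic for GRE over IPsec
# and the sender-side outcome of a DF-set ping crossing the tunnel.
IP_HDR = 20
GRE_HDR = 4               # GRE with no key/sequence/checksum options
TCP_HDR = 20
ICMP_HDR = 8
IPSEC_ESP_OVERHEAD = 56   # ASSUMPTION: outer IP + ESP header/IV/padding/ICV;
                          # depends on the transform set in use


def tunnel_ip_mtu(physical_mtu=1500, ipsec_overhead=IPSEC_ESP_OVERHEAD):
    """Inner IP MTU that keeps a GRE-over-IPsec packet within the physical MTU."""
    return physical_mtu - IP_HDR - GRE_HDR - ipsec_overhead


def tcp_mss_for(ip_mtu):
    """The 'MTU - 40' rule: the inner IP and TCP headers are taken off the MTU."""
    return ip_mtu - IP_HDR - TCP_HDR


def max_ping_payload(ip_mtu):
    """Largest ICMP echo data size that fits in one packet (MTU - 28)."""
    return ip_mtu - IP_HDR - ICMP_HDR


def df_ping_outcome(payload, ip_mtu, ip_unreachables=True):
    """What the sender sees for a DF-set echo of `payload` data bytes.

    An oversized DF packet is dropped either way.  With ip unreachables on,
    the router answers with ICMP type 3 code 4 ('fragmentation needed'), so
    the probe reports the limit; with 'no ip unreachables' no ICMP is sent
    and the probe just times out, which is what breaks path MTU discovery.
    """
    if payload + IP_HDR + ICMP_HDR <= ip_mtu:
        return "reply"
    return "frag-needed" if ip_unreachables else "timeout"


if __name__ == "__main__":
    mtu = tunnel_ip_mtu()                 # 1420 with the assumed overhead
    print("ip mtu", mtu, "| ip tcp adjust-mss", tcp_mss_for(mtu),
          "| max ping payload", max_ping_payload(mtu))
    for size in (1392, 1400, 1410):
        print(size, "no ip unreachables ->", df_ping_outcome(size, mtu, False),
              "| ip unreachables ->", df_ping_outcome(size, mtu, True))
```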

New Member

Tunnel IPSEC GRE problem

Hello.

I've configured on the tunnel interface

ip mtu 1420
ip tcp adjust-mss 1380
tunnel path-mtu-discovery

Are all these commands necessary? If I configure the MTU manually, is MTU discovery necessary?

Does tcp adjust-mss always go with ip mtu?

These are my last questions about this issue...

Thanks a lot!

Albert.

Tunnel IPSEC GRE problem

Dear Albert,

Since you already know what the allowed MTU size is, you can do the math and define it manually on the router.

Indeed the TCP MSS must be proportional to the MTU size in order to avoid fragmentation.

Thanks.
