Advice required on optimal MTU and MSS settings for GRE and IPSEC connections

mitchen
Level 2

Hi,

We have 2 remote sites (Site A and Site B) which connect to our datacentres (DC) over IPSEC VPN and connect to each other over GRE tunnels.

We had some issues recently which we believe were MTU/MSS related (browsing web servers at one location not appearing correctly, etc.).

We got some advice from our Cisco partner and tweaked some settings, but I'm still not convinced we have the optimal configuration - and we still have some problems I suspect may be MTU related. For example, from our DC (connected to Site A by IPSEC), we CANNOT browse to the webpage of the phone system hosted at Site A. Yet, we CAN browse to the webpage of the Site A phone system from Site B (connected over GRE).

Site A and Site B have two WAN internet circuits each - and each provider presents their circuit to us as ethernet.

Here are the relevant interface settings showing the currently configured MTU and MSS (both routers are configured the same way).

Can someone advise on what the optimal settings should be for our MTU and MSS values on the various interfaces, or how we might best determine the values?

!
interface Tunnel1
description *** GRE Tunnel 1 to SiteB***
ip address [removed]
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 30 3
tunnel source [removed]
tunnel destination [removed]
!
interface Tunnel2
description *** GRE Tunnel2 to SiteB***
ip address [removed]
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 30 3
tunnel source [removed]
tunnel destination [removed]
!
interface GigabitEthernet0/0
description "WAN Connection to Provider1"
ip address [removed]
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect cbac out
ip virtual-reassembly in
crypto map cryptomap
!
interface GigabitEthernet0/1
description "Connection to LAN"
no ip address
ip flow ingress
ip flow egress
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description DATA VLAN
encapsulation dot1Q 20
ip address [removed]
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1320
!
interface GigabitEthernet0/1.2
description VOICE VLAN
encapsulation dot1Q 25
ip address [removed]
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1320
!
interface GigabitEthernet0/2
description "Connection to Provider2"
ip address [removed]
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect cbac out
ip virtual-reassembly in
duplex auto
speed auto
crypto map grecrypto
!


Thanks.

1 Reply

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
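Added example, not from either poster: a small Python calculator for the MTU/MSS budget the question asks about, the same arithmetic the linked Cisco PMTUD/fragmentation document works through by hand. It assumes IPv4 only, GRE without key/sequence fields, and ESP with AES-CBC (16-byte IV and block) plus HMAC-SHA1-96 (12-byte ICV); the ESP parameters are assumptions and should be set to match the actual transform set.

```python
"""MTU / MSS budget calculator for GRE and IPsec ESP tunnel mode.
Added example, not from the original thread. Assumptions: IPv4 only, GRE
without key/sequence fields (4-byte header), ESP using AES-CBC (16-byte IV
and block) with HMAC-SHA1-96 (12-byte ICV). Adjust to the real transform set.
"""
IPV4_HDR = 20
TCP_HDR = 20
GRE_OVERHEAD = IPV4_HDR + 4   # outer IP header + basic GRE header
ESP_HDR = 8                   # SPI + sequence number
ESP_TRAILER = 2               # pad length + next header


def mss_for_mtu(ip_mtu):
    """TCP MSS that fits an IP MTU: MTU minus IPv4 and TCP headers (no options)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation.
    Payload plus the 2-byte trailer is padded up to the cipher block size."""
    enc = -(-(inner_len + ESP_TRAILER) // block) * block   # ceil to block
    return IPV4_HDR + ESP_HDR + iv_len + enc + icv_len


def max_inner_for_esp(outer_mtu, iv_len=16, block=16, icv_len=12):
    """Largest inner IP packet ESP can wrap into outer_mtu without fragmenting."""
    enc_budget = outer_mtu - (IPV4_HDR + ESP_HDR + iv_len + icv_len)
    return (enc_budget // block) * block - ESP_TRAILER


def tunnel_budget(physical_mtu, gre_over_ipsec):
    """Suggested `ip mtu` / `ip tcp adjust-mss` for a GRE tunnel over a WAN MTU.
    gre_over_ipsec=True budgets for GRE carried inside ESP; False for plain GRE."""
    inner = max_inner_for_esp(physical_mtu) if gre_over_ipsec else physical_mtu
    tunnel_mtu = inner - GRE_OVERHEAD
    return {"ip mtu": tunnel_mtu, "adjust-mss": mss_for_mtu(tunnel_mtu)}


def check_pair(ip_mtu, adjust_mss):
    """True when adjust-mss equals ip mtu minus 40 (IPv4 + TCP headers)."""
    return adjust_mss == mss_for_mtu(ip_mtu)


if __name__ == "__main__":
    # Constructed inputs mirroring the posted config: WAN ip mtu 1492, tunnel 1400/1360.
    print("Tunnel 1400/1360 consistent:", check_pair(1400, 1360))
    print("Plain GRE over MTU 1492:", tunnel_budget(1492, gre_over_ipsec=False))
    print("GRE inside ESP over MTU 1492:", tunnel_budget(1492, gre_over_ipsec=True))
    print("1400-byte packet after ESP:", esp_tunnel_size(1400), "bytes")
```

The posted 1400/1360 tunnel pair is internally consistent (1400 - 40 = 1360), and the LAN value 1320 corresponds to an MTU of 1360; whether 1400 also survives the ESP wrap depends on whether the GRE traffic is itself encrypted, which is what the `gre_over_ipsec` switch lets you check against the real cipher parameters.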
