GRE Tunnel + IPSEC Fragmentation Question

A client of ours has Cisco 1811's on each side of a Metro E link.  I don't have access to them, but had the client dump some of the output.  I'm seeing a tunnel interface setup on each router running GRE.  The default route to each site points to the IP on the other end of the tunnel interface.  Then, they're also running IPSEC on the WAN (Ethernet) interface.  I believe that they're likely running into the fragmentation scenario explained in this doc:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t16

Scenario 9

Example of the tunnel interface config:

interface Tunnel0
ip address 1.1.1.1 255.255.255.0
ip tcp adjust-mss 1200
tunnel source FastEthernet1
tunnel destination x.x.x.x

tunnel bandwidth transmit 1000
tunnel bandwidth receive 1000

Example of WAN interface:

interface FastEthernet1
ip address x.xx.x. 255.255.255.192
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1

I had the client do a 'show tunnel 0' and I confirmed that it's a GRE tunnel and the MTU is 1476:

XX1811#show int tunnel 0

Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transport MTU 1476 bytes

I assume the WAN interface MTU is 1500 since it's Ethernet.

I'm just looking to get confirmation that fragmentation (and especially Scenario 9) could be an issue here that could affect performance between the 2 sites.
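The arithmetic behind the question, as an added example that is not part of the original post: a small model of a packet entering the GRE tunnel (transport MTU 1476 from the `show int tunnel 0` output) and then being encrypted by the crypto map on a 1500-byte Ethernet interface. The ESP parameters (AES-CBC with a 16-byte IV, HMAC-SHA1-96 ICV, tunnel mode) are assumptions, since the post does not show the transform set; swap in your own values to match the real `crypto ipsec transform-set`.

```python
# Added example, not code from the original post. Models DF-clear packets only.
from __future__ import annotations
from dataclasses import dataclass, field

IP_HDR = 20
TCP_HDR = 20
GRE_OVERHEAD = 24      # outer IP header (20) + GRE header (4); no key/sequence, as in the post
TUNNEL_MTU = 1476      # "Tunnel transport MTU 1476 bytes" from the post
WAN_MTU = 1500         # assumed Ethernet MTU of FastEthernet1


def ip_fragment(total_len: int, mtu: int) -> list[int]:
    """Sizes of the IP fragments an MTU forces on a DF-clear packet.

    Every fragment carries its own 20-byte IP header; all but the last carry
    a payload that is a multiple of 8 bytes (fragment offsets are in 8-byte units).
    """
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    max_chunk = (mtu - IP_HDR) // 8 * 8
    frags = []
    while payload > 0:
        chunk = min(max_chunk, payload)
        frags.append(IP_HDR + chunk)
        payload -= chunk
    return frags


def esp_tunnel_size(inner_len: int, iv_len: int = 16, block: int = 16, icv_len: int = 12) -> int:
    """Size of an ESP tunnel-mode packet around an inner IP packet (assumed cipher/HMAC)."""
    to_encrypt = inner_len + 2                      # + pad-length and next-header trailer bytes
    padded = -(-to_encrypt // block) * block        # pad up to the cipher block size
    return IP_HDR + 8 + iv_len + padded + icv_len   # outer IP + SPI/seq + IV + ciphertext + ICV


@dataclass
class Trace:
    original: int
    gre_packets: list[int] = field(default_factory=list)    # after GRE encapsulation
    esp_packets: list[int] = field(default_factory=list)    # after encryption
    wan_fragments: list[int] = field(default_factory=list)  # what actually leaves FastEthernet1

    @property
    def fragmented(self) -> bool:
        return len(self.wan_fragments) > 1


def trace_packet(ip_len: int) -> Trace:
    """Follow one inner IP packet through GRE, ESP and the egress interface."""
    t = Trace(original=ip_len)
    # 1. Tunnel interface: fragment against the tunnel MTU, then add GRE/IP headers.
    for frag in ip_fragment(ip_len, TUNNEL_MTU):
        t.gre_packets.append(frag + GRE_OVERHEAD)
    # 2. Crypto map: each GRE packet becomes an ESP tunnel-mode packet.
    for gre in t.gre_packets:
        t.esp_packets.append(esp_tunnel_size(gre))
    # 3. Egress: anything larger than the physical MTU is fragmented after encryption,
    #    so the far end must reassemble before it can decrypt.
    for esp in t.esp_packets:
        t.wan_fragments.extend(ip_fragment(esp, WAN_MTU))
    return t


def tcp_packet_len(mss: int) -> int:
    return IP_HDR + TCP_HDR + mss


def largest_unfragmented_mss() -> int:
    """Largest TCP MSS whose full-size segment crosses both hops without fragmenting."""
    mss = 1460
    while trace_packet(tcp_packet_len(mss)).fragmented:
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1200):   # default Ethernet MSS vs. the post's 'ip tcp adjust-mss 1200'
        t = trace_packet(tcp_packet_len(mss))
        print(f"MSS {mss}: GRE {t.gre_packets} -> ESP {t.esp_packets} -> wire {t.wan_fragments}"
              f" fragmented={t.fragmented}")
    print("largest MSS with no fragmentation:", largest_unfragmented_mss())
```

With the assumed transform, a full 1500-byte segment is first split by the tunnel MTU, and the 1500-byte GRE packet that results is then too big once encrypted and is fragmented again on the wire; the 1200-byte MSS in the tunnel config keeps TCP well below the limit, which is the point of `ip tcp adjust-mss`. Non-TCP traffic (and TCP sessions that ignore the clamped MSS) is not helped by it.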


Re: GRE Tunnel + IPSEC Fragmentation Question

Hi Jordan,

If you are looking to confirm that there is fragmentation and/or reassembly, you can check the output of 'sh ip traf | inc frag|reas'.

HTH,

Bert
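A way to read those counters systematically, as an added example that is not part of the reply above: the `Frags:` lines of `show ip traffic` are cumulative since boot, so the useful check is the delta between two snapshots taken while the link is busy. The sample output is constructed for the example and the field names follow the IOS format the reply's filter matches (`frag` and `reas`).

```python
# Added example, not code from the original thread. SNAPSHOT_* below are constructed samples.
import re

SNAPSHOT_BEFORE = """\
  Frags: 1202 reassembled, 3 timeouts, 0 couldn't reassemble
         2417 fragmented, 4834 fragments, 0 couldn't fragment
"""

SNAPSHOT_AFTER = """\
  Frags: 1310 reassembled, 3 timeouts, 0 couldn't reassemble
         2640 fragmented, 5280 fragments, 0 couldn't fragment
"""

# Order matters: the two "couldn't ..." phrases must be tried before their shorter siblings.
COUNTER_RE = re.compile(
    r"(\d+) (couldn't reassemble|couldn't fragment|reassembled|timeouts|fragmented|fragments)"
)


def parse_frag_counters(text: str) -> dict[str, int]:
    """Extract the fragmentation/reassembly counters from 'show ip traffic' output."""
    return {name: int(value) for value, name in COUNTER_RE.findall(text)}


def delta(before: dict[str, int], after: dict[str, int]) -> dict[str, int]:
    """Counter growth between two snapshots (what actually happened during the interval)."""
    return {k: after[k] - before[k] for k in after if k in before}


def assess(d: dict[str, int]) -> list[str]:
    """Plain-language findings a defender would act on, from the counter delta."""
    findings = []
    if d.get("fragmented", 0):
        findings.append(f"router fragmented {d['fragmented']} packets into {d.get('fragments', 0)} pieces"
                        " (GRE or post-encryption fragmentation)")
    if d.get("reassembled", 0):
        findings.append(f"router reassembled {d['reassembled']} packets (process-switched, CPU cost)")
    if d.get("timeouts", 0) or d.get("couldn't reassemble", 0):
        findings.append("reassembly failures: fragments are being lost or delayed")
    if d.get("couldn't fragment", 0):
        findings.append("DF-set packets dropped for exceeding the MTU (check that ICMP unreachables reach the hosts)")
    return findings


if __name__ == "__main__":
    d = delta(parse_frag_counters(SNAPSHOT_BEFORE), parse_frag_counters(SNAPSHOT_AFTER))
    for line in assess(d) or ["no fragmentation or reassembly during the interval"]:
        print("-", line)
```

Note that `no ip unreachables` is configured on the WAN interface in the question; if any DF-set traffic hits the MTU limit, the router cannot tell the sender to shrink its packets, so a rising `couldn't fragment` counter should be read together with that setting.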
