New Member

Issues with router after changes to gre tunnel and ikev1 crypto-map

I recently had to make some changes to my network with the physical IPs of an interface. I completely changed the subnet of 2 directly connecting interfaces and all of the corresponding routes, along with a new MTU size of 1400 for VPN overhead (this was higher before, which was causing issues). I have done some traceroutes and data seems to flow as desired, yet I am having an issue with some websites and another service on my network.

All this seemed to occur after I made the changes to the physical interface that are used for the tunnel. The tunnel IPs have stayed the same and I can successfully ping multiple areas of my network so I don't understand how some websites will load like yahoo.com and then when clicking on an article they just time out. I have used 3 different DNS servers, tried different browsers and around 5 different computers are experiencing the issue. Since the VPN change the router has not been rebooted for over a year. Do you think a reboot would solve this type of issue? Thanks a lot for any help!  -Mark

6 REPLIES
VIP Purple


The description still sounds like an MTU-problem. Have you tried to find out the right maximum MTU? You could use a tool like MTUPath for that: http://www.iea-software.com/products/mtupath.cfm

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member


So this issue sounds like a result of an MTU size issue to you? I just thought if the MTU size was too small the router would break up the packets.

VIP Purple


That depends on the config. The IP packets often have the don't-fragment bit set. And by default that is honored by the router unless overwritten in the config.

New Member


I am getting this error with the command mtupath 10.10.1.1. Any idea what might be the issue? Thanks

[WARNING] Could not confirm contact with peer; path may be incomplete

[WARNING] Route to peer may not be locally reachable

VIP Purple


Never had that error, are there any filters on the way to that IP?

New Member


No, no filters or ACLs. I made the change back to our old MTU size of 1524 and received this message from the router:

%Warning: IP MTU value set 1524 is greater than the current transport value 1476, fragmentation may occur.

Someone else also made a change to the DNS server and now the issue seems to have been resolved, so I cannot determine if my MTU change fixed it or his DNS server change. Part of me doesn't believe his DNS change affected anything since I used 3 different public DNS servers with the same timeout problem. I might try changing the MTU size back to 1400 or 1476 to view the results. Do you think 1476 is the maximum value I should make the MTU size? Thanks again for your help.

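The path MTU question raised in this thread can also be checked with plain ping and the don't-fragment bit. The script below is an added example, not part of any post in the thread; it assumes a Linux host with iputils ping, and the function names `probe` and `find_path_mtu` are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet that crosses a path with DF set.
# Assumption: Linux iputils ping (-M do sets don't-fragment, -s is the ICMP
# payload size, -W is the reply timeout in seconds).

# probe HOST MTU: exit 0 if a DF-marked packet of total IP size MTU is answered.
# ICMP payload = MTU - 20 (IPv4 header) - 8 (ICMP header).
probe() {
    ping -c 1 -W 1 -M do -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]
# Prints the largest MTU in [LOW, HIGH] for which probe succeeds.
# Returns 1 if even LOW gets no reply: the peer is unreachable or filtered,
# so no MTU conclusion can be drawn from the test.
find_path_mtu() {
    fpm_host="$1"
    fpm_lo="${2:-576}"
    fpm_hi="${3:-1500}"
    if ! probe "$fpm_host" "$fpm_lo"; then
        echo "no reply at $fpm_lo bytes; check reachability before testing MTU" >&2
        return 1
    fi
    # Invariant: fpm_lo is known to pass; sizes above fpm_hi are ruled out.
    while [ "$fpm_lo" -lt "$fpm_hi" ]; do
        fpm_mid=$(( (fpm_lo + fpm_hi + 1) / 2 ))
        if probe "$fpm_host" "$fpm_mid"; then
            fpm_lo="$fpm_mid"
        else
            fpm_hi=$(( fpm_mid - 1 ))
        fi
    done
    echo "$fpm_lo"
}

# Run the search when a host is given on the command line,
# e.g.: sh pmtu.sh 10.10.1.1
if [ "$#" -ge 1 ]; then
    find_path_mtu "$@"
fi
```

A result below the configured tunnel IP MTU means DF-marked packets of that size are being dropped somewhere on the path, which matches the symptom of small pages loading while larger transfers time out.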