I have an mGRE tunnel configured between 6504 switches (running IOS 12.2(18)SXF7). The two switches are at remote sites with an IPSec tunnel connecting the 2 sites.
My issue is that I am seeing Output drops on the Tunnel interface, which is usually associated with failed network connection or data transfers, while the load level on the interface looks to be pretty minimal. This looks to be leading to lost connections during large data transfers and application connections that tend to send large data packets.
I have tried setting the MTU size to 1400 on the Tunnel interface and the next hop equipment just in case it is an issue with GRE tunnel packet fragmentation, but it has not seemed to make a difference. I have also increased the Hold-Queue without any effect.
This only seems to be a problem with connections that are sending large data packets.
The interfaces/ports used for the link between the switch and the IPSec tunnel device are set to be routed ports (as opposed to switch ports).
The Tunnel interface config is below, this is the hub mGRE interface:
Check for cable issues and also the speed and duplex configuration on the interfaces where the ends of the cable are connected, as the issue happens during large data transfers. The speed and duplex configs should be the same. High CPU usage can also cause this issue. Altering the MTU can also be a fix.
Try applying the ip tcp adjust-mss 1436 command under the GRE interface at both ends. What this does is allow each side to advertise (not negotiate) the maximum size of the data portion of the TCP segment that each will accept.
And then change the ip mtu setting under the GRE interface at both ends to 1500.
These numbers aren't arbitrary. If you add the TCP header of 20 bytes and the IP header of 20 bytes, plus the GRE header overhead of 24 bytes to the TCP segment size of 1436, the resulting IP datagram will be 1500 bytes in length.
Apply these numbers and come back and tell us if the problem has gotten any better.
Unfortunately that command is not supported on an mGRE tunnel using DMVPN.
I have found the source of the issue though. There is an ACL that is applied at a different location that is limiting access to the source system to only TCP established traffic. When the source tries to send a packet that is larger than the IP MTU setting, the switch at the source of the GRE tunnel issues an ICMP request to the source system requesting a smaller MTU. Since the ICMP packet is getting blocked, the initial connections end up failing.
Once the ACL is adjusted to allow the ICMP request to pass, the connection begins to work using a smaller MTU.
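The failure described in this thread can be modelled in a few lines; this is an added example, not code from any poster, and the packet fields, function names and retry count are constructed for illustration. It assumes the sender sets DF (normal for path MTU discovery) and compares the established-only ACL with one that also permits ICMP type 3 code 4 (fragmentation needed).

```python
from dataclasses import dataclass

ICMP_FRAG_NEEDED = (3, 4)  # Destination Unreachable, fragmentation needed and DF set

@dataclass
class Packet:
    proto: str              # "tcp" or "icmp"
    size: int = 0           # IP datagram length in bytes
    tcp_ack: bool = False   # ACK set: what an "established" ACL entry matches
    icmp: tuple = ()        # (type, code) for ICMP packets
    next_hop_mtu: int = 0   # MTU reported inside the ICMP message

def acl_established_only(pkt):
    """ACL as described in the thread: only established TCP reaches the source."""
    return pkt.proto == "tcp" and pkt.tcp_ack

def acl_with_pmtud(pkt):
    """Adjusted ACL: additionally permits ICMP fragmentation-needed."""
    return acl_established_only(pkt) or (
        pkt.proto == "icmp" and pkt.icmp == ICMP_FRAG_NEEDED)

def tunnel_ingress(pkt, ip_mtu):
    """Tunnel head-end: a DF-set packet above the tunnel IP MTU is dropped and
    an ICMP message carrying the usable MTU is sent back towards the source."""
    if pkt.size <= ip_mtu:
        return None  # fits, forwarded into the tunnel
    return Packet("icmp", icmp=ICMP_FRAG_NEEDED, next_hop_mtu=ip_mtu)

def transfer(acl, ip_mtu=1400, first_size=1500, max_tries=5):
    """Source retransmits a full-size packet until it is forwarded or it gives
    up. Returns (delivered, final_packet_size, drops_at_tunnel)."""
    size, drops = first_size, 0
    for _ in range(max_tries):
        reply = tunnel_ingress(Packet("tcp", size=size, tcp_ack=True), ip_mtu)
        if reply is None:
            return True, size, drops
        drops += 1
        if acl(reply):                  # ICMP actually reaches the source host
            size = reply.next_hop_mtu   # host lowers its path MTU estimate
    return False, size, drops

if __name__ == "__main__":
    print("established-only ACL:", transfer(acl_established_only))
    print("ACL permitting ICMP :", transfer(acl_with_pmtud))
    print("small packets only  :", transfer(acl_established_only, first_size=576))
```

Small packets pass under either ACL, which matches the symptom that only large transfers failed while interface load stayed low.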