04-27-2007 12:38 AM - last edited on 03-25-2019 03:14 PM by ciscomoderator
Hi,
I have an Internet connection with ISDN backup.
On the primary link I have a GRE tunnel to a Cisco 3662, which also terminates the ISDN backup in case of primary link failure.
The customer has an IPSec tunnel to 2 remote offices. The VPN to the Linux FW works fine.
On the VPN to a MS-ISA Server, some protocols do not pass (RDP, SQL).
This must be an MTU issue, because if the backup is active, the protocols will pass.
I can manage only the CPE 1721 and the 3662.
On all Interfaces of the CPE (1721) I have configured the following:
ip tcp adjust-mss 1300
So my question: what can be done at the ISA Server to solve this problem?
Is there any possibility to resolve this problem without configuring the remote routers/firewalls?
Regards and Thanks
Thomas
04-27-2007 03:19 AM
Thomas,
GRE tunnel adds a 24 byte header and hence it's recommended to adjust the MSS (maximum segment size) when you have problems
ip tcp adjust-mss 1476
Check out this link
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
HTH, rate if it does
Narayan
05-01-2007 10:59 AM
Hi,
I have set the MTU on the tunnel interfaces to 1500.
Now it works.
Thanks and regards
Thomas
04-27-2007 04:11 AM
The configuration and reasons why from a Cisco perspective are here.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
If you want to correct the problem at the ISA server ( you are correct this is an MTU issue) there are two ways. First way is to enable Path MTU discovery and Black Hole detection at the same time. Without Black Hole detection the PMTUD will fail due to "no ip unreachables" being enabled on router interfaces and the server never knows its packets are too big thus creating black holing.
http://support.microsoft.com/kb/314053
Or you can drop the MTU of the LAN card that faces your internal network on the ISA server to 1300 Decimal, not HEX. This is done at the LAN interface in the registry (your LAN card driver GUI configuration may also provide this ability).
Either solution will work so do the one you prefer.
Cheers,
Brian
05-02-2007 10:31 PM
Hi,
It is definitely an MTU problem and it cannot be solved with tcp adjust-mss, since IPSec uses UDP as the transport protocol, so PMTU discovery and altering the TCP MSS won't help.
Here is a link to help understand the GRE MTU.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
I think you have to alter the MTU on the tunnel interface. The reason why it is working fine with ISDN is that there is no other protocol overhead, as opposed to GRE. It is also important whether the primary Internet connection is through DSL or a leased line, because in the case of ADSL you have to count the PPPoE overhead too. Another way is to try to lower the MTU on the ISA and the firewall. I also had a similar problem, but through PPPoE instead of GRE, and after thinking it over (and reading a lot :)) I was able to find the correct MTU where it is working.
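The overhead accounting the replies above rely on (GRE 24 bytes, PPPoE on ADSL, the tunnel MTU versus the TCP MSS, and the black hole when a DF packet no longer fits), worked through as an added example that is not from any poster; the ESP overhead figure and the forward() helper are constructed assumptions, since ESP overhead depends on the cipher:

```python
# Added example (not from the thread): model the encapsulation chain the
# replies describe and compute the largest TCP segment that crosses it
# without fragmentation. GRE = 24 bytes (as the reply states), IPv4 = 20,
# TCP = 20, PPPoE = 8; the ESP figure is a constructed assumption.
from dataclasses import dataclass
from typing import Sequence

IPV4_HEADER = 20
TCP_HEADER = 20


@dataclass(frozen=True)
class Encap:
    name: str
    overhead: int  # bytes added around the inner IP packet


def path_mtu(link_mtu: int, encaps: Sequence[Encap]) -> int:
    """Largest inner IP datagram that still fits in one link frame
    after every encapsulation in the chain has been applied."""
    return link_mtu - sum(e.overhead for e in encaps)


def safe_mss(link_mtu: int, encaps: Sequence[Encap]) -> int:
    """TCP MSS the endpoints must use so a full segment fits in path_mtu."""
    return path_mtu(link_mtu, encaps) - IPV4_HEADER - TCP_HEADER


def forward(packet_len: int, df: bool, link_mtu: int,
            encaps: Sequence[Encap]) -> str:
    """Router decision for an inner datagram of packet_len bytes:
    'forwarded', 'fragmented' (DF clear), or 'dropped' (DF set and too
    big). 'dropped' is the black hole when the ICMP error never arrives."""
    if packet_len <= path_mtu(link_mtu, encaps):
        return "forwarded"
    return "dropped" if df else "fragmented"


GRE = Encap("GRE over IPv4", 24)
PPPOE = Encap("PPPoE", 8)
ESP_ASSUMED = Encap("IPsec ESP tunnel (assumed)", 58)  # constructed figure

if __name__ == "__main__":
    for chain in ([GRE], [PPPOE, GRE], [GRE, ESP_ASSUMED]):
        names = " + ".join(e.name for e in chain)
        print(f"{names}: MTU {path_mtu(1500, chain)}, MSS {safe_mss(1500, chain)}")
    # A full 1500-byte datagram (MSS 1460) with DF set over plain GRE:
    print(forward(1500, True, 1500, [GRE]))                 # dropped
    # With the CPE's adjust-mss 1300 the datagram is 1340 bytes:
    print(forward(1340, True, 1500, [GRE, ESP_ASSUMED]))    # forwarded
```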
05-02-2007 11:01 PM
Hi,
I will add my voice to Brian, you can change the MTU on the ISA server:
MTU
Key: Tcpip\Parameters\Interfaces\ID for Adapter
Value Type: REG_DWORD Number
Valid Range: 68 - the MTU of the underlying network
Default: 0xFFFFFFFF
Description: This parameter overrides the default Maximum Transmission Unit (MTU) for a network interface. The MTU is the maximum packet size in bytes that the transport transmits over the underlying network. The size includes the transport header. An IP datagram can span multiple packets. Values larger than the default value for the underlying network cause the transport to use the network default MTU. Values smaller than 68 cause the transport to use an MTU of 68.
http://support.microsoft.com/kb/314053
HTH, please rate if it does help,
Mohammed Mahmoud.