New Member

Why do my PING sweeps end !!...... and not !!MMMM over IPSEC VPN?

Hello Community,

When I test my branch lines for MTU, I get my PING sweeps up to the MTU then the PINGs fail. Why do I not get an MMMM for Could Not Fragment?

Is it something to do with IPSEC or is something not working?

Thanks,

Paul

e.g.

Packet sent with the DF bit set

!!!!!!!!!!!!!!!!!!!!.........

6 REPLIES
New Member


Are ICMP unreachables enabled on the interface in question? (show ip int xxxx | inc unreach)

Although if you are testing this from a router which already knows it is going to be a too big MTU on the VPN interface, it's not going to send an ICMP unreachable to itself, so you would want to test it from another device back in the path (e.g. behind the VPN device).

New Member


If I use ping from a Windows box on the LAN it also just times out. Except if the packet size is over the outgoing interface MTU, e.g. 1472.

So a ping of 1474 bytes from the LAN gets PACKET NEEDS TO BE FRAGMENTED BUT DF BIT SET, but lower than that just times out, all the way down to when packets are smaller than the MTU, i.e. 1310 from the LAN.

1310 + 28 (IP + ICMP) = 1338 + IP + GRE + IPSEC = 1338 + 20 + 4 + 56 = 1418, which is spot on since the TUNNEL MTU is 1420.

But it's that middle area that shows the Timeout that is a problem. On the router, I would expect the Could Not Fragment response?

New Member


Makes sense - what version and platform is this?

New Member


This result is seen on all my routers. 1841, 1941, 1921, 887. Using either IOS 12.4-24 or 15.1

The network is a hub&spoke setup with all branch spokes connected using IPSEC VPN over GRE tunnels.

Thanks

New Member


So to summarise:

x<1310 = Succeed

1311<x<1472 = Timeout

x>1473 = ICMP Unreachable (Packet needs to be fragmented)

Maybe it's something like 'no ip unreachables' on the Tunnel interface? 'show ip int tunnelX' to confirm

New Member


Nearly.

X less than or equal 1311 = success

1312<X<1472 = Timeout

X>1472 = ICMP Unreachable (Packet needs to be fragmented)

All Tunnels are "ICMP unreachables are always sent".

This is inherited from the interface the Tunnels are built on as far as I know. This is the same at both ends.
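The three zones reported in this thread, as an added example that is not part of any post: a short Python summary of a DF-bit sweep that flags sizes dropped without an ICMP error. The function names are hypothetical, the header and overhead figures are the ones quoted in the thread, and the sweep data is constructed from the boundaries the posters reported.

```python
# Added example: summarise a DF-bit ping sweep and flag sizes dropped silently.
# Sizes are ICMP payload sizes as typed into Windows ping on the LAN.

IP_ICMP = 28                    # IP + ICMP headers (thread's figure)
GRE_IPSEC = 20 + 4 + 56         # outer IP + GRE + IPsec (thread's figures)


def encapsulated_size(payload):
    """On-the-wire size of one ping after GRE/IPsec encapsulation."""
    return payload + IP_ICMP + GRE_IPSEC


def summarise(sweep):
    """sweep maps payload size -> '!' (reply), '.' (timeout), 'M' (cannot fragment)."""
    by_code = {code: sorted(s for s, r in sweep.items() if r == code)
               for code in "!.M"}
    silent = by_code["."]
    return {
        "largest_ok": by_code["!"][-1] if by_code["!"] else None,
        "silent": (silent[0], silent[-1]) if silent else None,
        "first_signalled": by_code["M"][0] if by_code["M"] else None,
        # Timeouts above the largest working size mean packets are dropped
        # without the ICMP error the sender needs to lower its path MTU.
        "unsignalled_drop": bool(silent) and bool(by_code["!"])
                            and silent[0] > by_code["!"][-1],
    }


def constructed_sweep(start=1300, stop=1480):
    """Constructed sample using the boundaries reported in the thread."""
    def code(size):
        if size <= 1311:
            return "!"
        return "." if size <= 1472 else "M"
    return {size: code(size) for size in range(start, stop + 1)}


if __name__ == "__main__":
    result = summarise(constructed_sweep())
    print(result)
    print("1310-byte ping on the wire:", encapsulated_size(1310), "bytes")
```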
