Solved

Help with mtu issue on an ipsec gre tunnel

Posted on 2009-05-11
2
865 Views
Last Modified: 2012-05-06
Dear expert I am having a problem with mtu. spoke is setup with an ipsec gre tunnel using ospf. User are not able to access the internet or internal application. user are able to ping to the internet, ping to internal ip's. I all had configured ip nut 1300 under the tunnel interface and ip tcp adjust-mss 1300 under lan interface ofice had work for afew hrs but went back down. Any idea what to try will help
0
Comment
Question by:rcollie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 10

Accepted Solution

by:
lanboyo earned 500 total points
ID: 24360325
So the GRE is encrypted within a ipsec tunnel mode encryption session?

You will need the ip tcp adjust MTU on both sides of the link, so on the hub router internal links as well. Also, the MTU on the GRE most likely should be 1435, or somthing like that.

Is internet access proxied at the hub? PMTU may be causing an issue...

Troubleshoot with pings with the df bit set at various packet sizes to the application servers and the proxy server.

The extreme solution is hard setting the MTU of the workstations and application servers to 1300.





0
 
LVL 10

Expert Comment

by:lanboyo
ID: 24360361
Make sure there are no PMTU issues...

do a series of ping commands with the do not fragment (DF) bit set.

  ping -f -l PACKET_SIZE  SERVER

Where PACKET_SIZE is the data size of the ping and SERVER is the IP of the server with the shares.

You should look for a gap in packet sizes between when you get ping replies and when you get the message :

Packet needs to be fragmented but DF set.

This error message is not a problem. The problem is no response at all.

If you have a gap then you have a bit of a blackhole where certain packet sizes can not traverse the network AND icmp can not fragment messages do not return. If you have no problems from the client to server do the same thing server to client.


Also, tcp mss command only works for TCP. For UDP I have had to delete the DF bit with a route map. Note to microsoft: Honestly, just send the packets at 1500 bytes and let the network handle fragments.

0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question