[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Help with mtu issue on an ipsec gre tunnel

Posted on 2009-05-11
2
Medium Priority
?
874 Views
Last Modified: 2012-05-06
Dear expert I am having a problem with mtu. spoke is setup with an ipsec gre tunnel using ospf. User are not able to access the internet or internal application. user are able to ping to the internet, ping to internal ip's. I all had configured ip nut 1300 under the tunnel interface and ip tcp adjust-mss 1300 under lan interface ofice had work for afew hrs but went back down. Any idea what to try will help
0
Comment
Question by:rcollie
  • 2
2 Comments
 
LVL 10

Accepted Solution

by:
lanboyo earned 1500 total points
ID: 24360325
So the GRE is encrypted within a ipsec tunnel mode encryption session?

You will need the ip tcp adjust MTU on both sides of the link, so on the hub router internal links as well. Also, the MTU on the GRE most likely should be 1435, or somthing like that.

Is internet access proxied at the hub? PMTU may be causing an issue...

Troubleshoot with pings with the df bit set at various packet sizes to the application servers and the proxy server.

The extreme solution is hard setting the MTU of the workstations and application servers to 1300.





0
 
LVL 10

Expert Comment

by:lanboyo
ID: 24360361
Make sure there are no PMTU issues...

do a series of ping commands with the do not fragment (DF) bit set.

  ping -f -l PACKET_SIZE  SERVER

Where PACKET_SIZE is the data size of the ping and SERVER is the IP of the server with the shares.

You should look for a gap in packet sizes between when you get ping replies and when you get the message :

Packet needs to be fragmented but DF set.

This error message is not a problem. The problem is no response at all.

If you have a gap then you have a bit of a blackhole where certain packet sizes can not traverse the network AND icmp can not fragment messages do not return. If you have no problems from the client to server do the same thing server to client.


Also, tcp mss command only works for TCP. For UDP I have had to delete the DF bit with a route map. Note to microsoft: Honestly, just send the packets at 1500 bytes and let the network handle fragments.

0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question