Help with mtu issue on an ipsec gre tunnel

Posted on 2009-05-11
Last Modified: 2012-05-06
Dear expert, I am having a problem with MTU. A spoke is set up with an IPsec GRE tunnel using OSPF. Users are not able to access the internet or internal applications, but they are able to ping the internet and ping internal IPs. I had configured ip mtu 1300 under the tunnel interface and ip tcp adjust-mss 1300 under the LAN interface; the office worked for a few hours but went back down. Any idea what to try will help.
Question by:rcollie
Accepted Solution by: lanboyo (earned 500 total points), ID: 24360325
So the GRE is encrypted within an IPsec tunnel-mode encryption session?

You will need the ip tcp adjust MTU on both sides of the link, so on the hub router's internal links as well. Also, the MTU on the GRE most likely should be 1435, or something like that.

Is internet access proxied at the hub? PMTU may be causing an issue...

Troubleshoot with pings with the df bit set at various packet sizes to the application servers and the proxy server.

The extreme solution is hard setting the MTU of the workstations and application servers to 1300.

Expert Comment by: lanboyo, ID: 24360361
Make sure there are no PMTU issues...

Do a series of ping commands with the do-not-fragment (DF) bit set:

  ping -f -l PACKET_SIZE  SERVER

Where PACKET_SIZE is the data size of the ping and SERVER is the IP of the server with the shares.

You should look for a gap in packet sizes between when you get ping replies and when you get the message:

Packet needs to be fragmented but DF set.

This error message is not a problem. The problem is no response at all.

If you have a gap then you have a bit of a black hole where certain packet sizes cannot traverse the network AND the ICMP "cannot fragment" messages do not return. If you have no problems from the client to the server, do the same thing from the server to the client.


Also, the tcp mss command only works for TCP. For UDP I have had to delete the DF bit with a route map. Note to Microsoft: honestly, just send the packets at 1500 bytes and let the network handle fragments.

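The DF-bit ping sweep described in the comment above, as an added example that is not part of the thread: it classifies each probe as a reply, an explicit "fragmentation needed" error (harmless), or silence (the black hole), and reports the gap. The `ping` flags for Windows (`-f -l`, as in the comment) and Linux (`-M do -s`) are real; the hosts, the tunnel MTU of 1400 and the simulated path are constructed assumptions for offline use.

```python
import subprocess
import sys
from typing import Callable, Dict, List

Probe = Callable[[int], str]  # ICMP payload size -> "reply" | "frag_needed" | "timeout"

def ping_probe(host: str) -> Probe:
    """Build a DF-bit ping probe using the local OS ping (one packet, 1 s wait)."""
    def probe(size: int) -> str:
        if sys.platform.startswith("win"):
            cmd = ["ping", "-f", "-l", str(size), "-n", "1", "-w", "1000", host]
        else:
            cmd = ["ping", "-M", "do", "-s", str(size), "-c", "1", "-W", "1", host]
        done = subprocess.run(cmd, capture_output=True, text=True)
        out = (done.stdout + done.stderr).lower()
        if "fragment" in out or "too long" in out:
            return "frag_needed"   # a router answered with the limit: not the problem
        if "ttl=" in out:
            return "reply"
        return "timeout"           # silent drop: this is the PMTU black hole
    return probe

def sweep(probe: Probe, sizes: List[int]) -> Dict[int, str]:
    return {s: probe(s) for s in sizes}

def find_blackhole(results: Dict[int, str]) -> dict:
    """Largest size that replied, smallest that drew 'frag needed', silent sizes between."""
    replied = [s for s, r in results.items() if r == "reply"]
    frag = [s for s, r in results.items() if r == "frag_needed"]
    largest_ok = max(replied) if replied else None
    smallest_frag = min(frag) if frag else None
    hole = sorted(s for s, r in results.items() if r == "timeout"
                  and (largest_ok is None or s > largest_ok)
                  and (smallest_frag is None or s < smallest_frag))
    # payload + 20 (IP) + 8 (ICMP) = usable path MTU; TCP MSS = MTU - 40 (IP + TCP headers)
    mss = largest_ok + 28 - 40 if largest_ok is not None else None
    return {"largest_ok": largest_ok, "smallest_frag_needed": smallest_frag,
            "blackhole": hole, "suggested_mss": mss}

def simulated_path(size: int) -> str:
    """Constructed stand-in for a real path: tunnel MTU 1400 behind a 1500-byte LAN,
    and the tunnel router's 'frag needed' ICMP never reaches the client."""
    total = size + 28
    if total <= 1400:
        return "reply"
    if total <= 1500:
        return "timeout"       # dropped at the tunnel, no ICMP back: black hole
    return "frag_needed"       # the LAN router itself rejects it, so the error arrives

if __name__ == "__main__":
    probe = ping_probe(sys.argv[1]) if len(sys.argv) > 1 else simulated_path
    print(find_blackhole(sweep(probe, list(range(1200, 1501, 8)))))
```

Run it with a server address to probe a real path, or with no argument to see the gap the simulated black hole produces; run it in both directions as the comment advises.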
