Solved

Help with mtu issue on an ipsec gre tunnel

Posted on 2009-05-11
2
871 Views
Last Modified: 2012-05-06
Dear expert I am having a problem with mtu. spoke is setup with an ipsec gre tunnel using ospf. User are not able to access the internet or internal application. user are able to ping to the internet, ping to internal ip's. I all had configured ip nut 1300 under the tunnel interface and ip tcp adjust-mss 1300 under lan interface ofice had work for afew hrs but went back down. Any idea what to try will help
0
Comment
Question by:rcollie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 10

Accepted Solution

by:
lanboyo earned 500 total points
ID: 24360325
So the GRE is encrypted within a ipsec tunnel mode encryption session?

You will need the ip tcp adjust MTU on both sides of the link, so on the hub router internal links as well. Also, the MTU on the GRE most likely should be 1435, or somthing like that.

Is internet access proxied at the hub? PMTU may be causing an issue...

Troubleshoot with pings with the df bit set at various packet sizes to the application servers and the proxy server.

The extreme solution is hard setting the MTU of the workstations and application servers to 1300.





0
 
LVL 10

Expert Comment

by:lanboyo
ID: 24360361
Make sure there are no PMTU issues...

do a series of ping commands with the do not fragment (DF) bit set.

  ping -f -l PACKET_SIZE  SERVER

Where PACKET_SIZE is the data size of the ping and SERVER is the IP of the server with the shares.

You should look for a gap in packet sizes between when you get ping replies and when you get the message :

Packet needs to be fragmented but DF set.

This error message is not a problem. The problem is no response at all.

If you have a gap then you have a bit of a blackhole where certain packet sizes can not traverse the network AND icmp can not fragment messages do not return. If you have no problems from the client to server do the same thing server to client.


Also, tcp mss command only works for TCP. For UDP I have had to delete the DF bit with a route map. Note to microsoft: Honestly, just send the packets at 1500 bytes and let the network handle fragments.

0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month5 days, 7 hours left to enroll

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question