Is this Cisco router programing right?

I have been having a problem with  a GRE tunnel. It is making my MTU 1476.  I was told by a number of sources that enabling ICMP to re-negotiate the MTU size will do the trick. These are the lines I entered into the router. Are they right?

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 deny icmp any any

All commands were accepted.
LVL 39
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Istvan KalmarHead of IT Security Division Commented:
Use the ip tcp adjust-mss command on the tunnel interfaces so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
yes it;s correct ...
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

ChiefITAuthor Commented:

The only problem with the Tunneling interface is I don't have control of it.

Here is how the network topology looks like:

My LAN>>satellite connection>>NOC1 router for a large WAN>>((GRE TUNNEL))>>Headquarters NOC>>WWW

I am good on the WAN side of NOC1, with everything set at 1500, going through to headquarters and the WWW is giving me fits. So, I did an MTU ping to, and it came back as

packet to large and DF is set.

I would love to control those Tunnel interfaces. Then, I would make the MTU size on those interfaces 1524, and no problems from there on out for the entire WAN.

For my case, I beleive I have to allow ICMP to renegotiate the MTU window for me until our two NOCs figure it out and come up with a fix on that GRE tunnel.

Do you have any other suggestions. I could call the Chief Information Officer and have him look into our Tunnel adapters.

ChiefITAuthor Commented:

I don't quite understand the last line:

"access-list 101 deny icmp any any"

Why deny it after you just permitted it in the lines above?

ICMP has a lot of parameters check this ACL:

access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable  

So, when you deny ICMP any any at the end that means anything else after permitting the first parameters
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big

will be discard ..

that's why

ChiefITAuthor Commented:
I am in contact with the two NOCs to see if they will raise the Tunneling router's Maximum Segment size. I really appreciate your help. For now, the ICMP edits did the trick.

For the rest of the WAN, they are going to have problems. So, I am going to escolate this to the NOC level.

Thanks you guys, you have been a huge help all the way through this ordeal. For a bonehead at Cisco Routing, I sure appreciated your help.

ChiefITAuthor Commented:
Exactly what I was looking for.  Thanks, for alternative options ikalmar.

Thanks for verification and answering my concerns about the ICMP lines memo.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.