troubleshooter141

asked on

GRE over IPSEC

We have 2 sites (Site A and Site B) connected with a GRE over IPsec tunnel. When we first set up the tunnel, Site B could not access the internet from Site A. We adjusted the MTU size from 1500 to 1524 (ip mtu 1524) on the tunnel interface (Tunnel1), and now the internet works correctly for users in Site B; however, we are experiencing performance issues which I believe are caused by fragmentation.
I have been doing some research on the issue and how to avoid it, and I have seen some recommendations of applying an MSS of 1300 (ip tcp adjust-mss 1300).
My questions are:

If we set up the MSS, should I remove the ip mtu 1524 statements from the tunnel interface on both routers? What interface(s) would I apply it to? LAN, WAN (tunnel or physical interface?), both? I am guessing I would do the same for both ends?

Any other recommendations anyone might have in regard to GRE over IPsec?

Thanks in advance
troubleshooter141 (ASKER)

The topology is:

Router B---(GRE OVER IPSEC)-----Router A-------- Core switch------------Firewall----------Internet
Craig Beck
You shouldn't be using an MTU over 1500, especially via IPSec.  I'd try reducing the MTU to something like 1452, and reduce the MSS value to 1412 or lower.
troubleshooter141 (ASKER)
I agree.... I had the MTU down to 1400, but then the internet does not work across the GRE tunnel, which is why it was increased to over 1500 for it to work. I believe the ICMP type 3 code 4 is not making it to the remote end, but I haven't found where it is blocked yet.
I have not set up any mss yet, I was trying to get some answers first to make sure that is the correct thing to do and what are the best practices.

Thanks
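The numbers in this thread (the 1524 `ip mtu` that made traffic flow, and Craig's 1452 / 1412 pair) all come from header overhead, and they are easier to reason about with a calculator than by hand. The Python below is an added example, not something posted in the thread or taken from Cisco; the transform sets in TRANSFORMS are assumptions, so substitute the one actually configured in your `crypto ipsec transform-set`. It models the layering the thread is about: inner IP packet, GRE (4-byte header plus 20-byte delivery header), ESP per RFC 4303 (8-byte SPI/sequence header, IV, padding to the cipher block size, 2-byte trailer, ICV), and finally fragmentation at the physical interface MTU.

```python
"""GRE-over-IPsec packet size calculator (added example, not part of the thread).

Layering: inner IP packet -> GRE encapsulation -> ESP encryption -> fragmentation
at the physical interface MTU. ESP sizes follow RFC 4303. The transform sets in
TRANSFORMS are assumed for illustration; check the real transform-set in use.
"""
from dataclasses import dataclass
import math

IPV4_HDR = 20
GRE_HDR = 4            # GRE header without key/sequence/checksum fields
GRE_KEY = 4            # extra bytes when `tunnel key` is configured
TCP_HDR = 20
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
NAT_T_UDP = 8          # UDP header when NAT traversal encapsulation is active


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int        # explicit IV / nonce bytes carried in the packet
    align: int         # plaintext + trailer is padded to a multiple of this
    icv_len: int       # integrity check value length


# Assumed transform sets for the example (sizes per RFC 3602, 4106, 2404, 4868).
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": EspTransform("esp-aes esp-sha-hmac", 16, 16, 12),
    "aes-cbc/hmac-sha256-128": EspTransform("esp-aes esp-sha256-hmac", 16, 16, 16),
    "aes-gcm-128": EspTransform("esp-gcm", 8, 4, 16),
}


def encapsulated_size(inner_len, transform, tunnel_mode=True, gre_key=False, nat_t=False):
    """Bytes on the wire for one inner IP packet of inner_len bytes after GRE + ESP."""
    gre_packet = inner_len + GRE_HDR + (GRE_KEY if gre_key else 0)
    if tunnel_mode:
        # ESP tunnel mode encrypts the whole GRE/IP packet and adds a new outer IP header.
        plaintext = gre_packet + IPV4_HDR
    else:
        # ESP transport mode reuses the GRE delivery header as the outer header.
        plaintext = gre_packet
    padded = plaintext + ESP_TRAILER
    padded += (-padded) % transform.align
    esp = ESP_HDR + transform.iv_len + padded + transform.icv_len
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + esp


def wire_fragments(wire_len, physical_mtu):
    """Number of IP fragments needed to carry an ESP packet of wire_len bytes."""
    if wire_len <= physical_mtu:
        return 1
    per_fragment = (physical_mtu - IPV4_HDR) // 8 * 8   # fragment payloads are 8-byte multiples
    return math.ceil((wire_len - IPV4_HDR) / per_fragment)


def recommended(physical_mtu, transform, tunnel_mode=True, gre_key=False, nat_t=False):
    """Largest tunnel `ip mtu` that avoids post-encryption fragmentation, and the
    matching `ip tcp adjust-mss` (ip mtu minus 20-byte IPv4 and 20-byte TCP headers)."""
    ip_mtu = physical_mtu
    while encapsulated_size(ip_mtu, transform, tunnel_mode, gre_key, nat_t) > physical_mtu:
        ip_mtu -= 1
    return ip_mtu, ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    t = TRANSFORMS["aes-cbc/hmac-sha1-96"]
    # A full 1500-byte LAN packet through a tunnel with ip mtu 1524: GRE does not
    # fragment it, but the ESP packet is 1592 bytes and is split at the WAN interface.
    wire = encapsulated_size(1500, t)
    print(f"1500-byte packet -> {wire} bytes after GRE+ESP -> {wire_fragments(wire, 1500)} fragments")
    for name, tr in TRANSFORMS.items():
        for mode in (True, False):
            mtu, mss = recommended(1500, tr, tunnel_mode=mode)
            print(f"{name:26s} {'tunnel' if mode else 'transport'}: ip mtu {mtu}, ip tcp adjust-mss {mss}")
```

With `ip mtu 1524` a 1500-byte packet is never fragmented before GRE, and since the GRE delivery header only carries the DF bit when `tunnel path-mtu-discovery` is configured, the 1592-byte ESP packet is simply split at the WAN interface and reassembled by the peer before decryption, which is the throughput hit being described. For AES-CBC/SHA1 in tunnel mode `recommended` gives `ip mtu 1414` and `ip tcp adjust-mss 1374`; the MSS is always 40 less than the tunnel `ip mtu` (20 bytes IPv4 plus 20 bytes TCP), which is exactly the gap between Craig's 1452 and 1412. Practitioners usually round down further (1400 / 1360 is common) to leave headroom for a `tunnel key`, NAT-T or a smaller MTU elsewhere on the path.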
SOLUTION
Craig Beck (United Kingdom)

This solution is only available to members of Experts Exchange.

ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.
troubleshooter141 (ASKER)
PMTUD is not enabled, as far as I can tell.... I had already seen the document you posted a link to, but I went ahead and read it again.

On the list of options, it seems like the fix we applied was the least desirable:

The following list begins with the most desirable solution.

1. Fix the problem with PMTUD not working, which is usually caused by a router or firewall blocking ICMP.

2. Use the ip tcp adjust-mss command on the tunnel interfaces so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.

3. Use policy routing on the ingress interface of the router and configure a route map to clear the DF bit in the data IP header before it gets to the GRE tunnel interface. This will allow the data IP packet to be fragmented before GRE encapsulation.

4. Increase the "ip mtu" on the GRE tunnel interface to be equal to the outbound interface MTU. This will allow the data IP packet to be GRE encapsulated without fragmenting it first. The GRE packet will then be IPsec encrypted and then fragmented to go out the physical outbound interface. In this case you would not configure the tunnel path-mtu-discovery command on the GRE tunnel interface. This can dramatically reduce the throughput because IP packet reassembly on the IPsec peer is done in process-switching mode.

I'll start from the most desirable and work my way down if the first option does not fix the problem and I can't figure out where ICMP is being blocked.
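The first three options in that list are easier to evaluate when you can see what each one actually changes in a packet. The Python below is an added example, not from the thread or the Cisco document, and every packet in it is constructed in-line (the 10.2.0.10 and 198.51.100.20 addresses are made-up sample values). It shows the next-hop MTU a sender reads out of an ICMP type 3 code 4 message (the message the asker suspects is being dropped), the MSS rewrite and TCP checksum fix-up that `ip tcp adjust-mss` performs on a SYN, and the DF clear plus IP header re-checksum that `set ip df 0` in a route-map performs.

```python
"""Packet-level view of options 1-3 in the list above (added example, not from the
thread or the Cisco document). Every packet is constructed in-line."""
import struct

DF = 0x4000  # "don't fragment" flag in the IPv4 flags/fragment-offset field

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, total_len, df):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      DF if df else 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def df_set(ip_packet):
    return bool(struct.unpack("!H", ip_packet[6:8])[0] & DF)

def clear_df(ip_packet):
    """Option 3: clear DF and re-checksum the header, as `set ip df 0` in a route-map does."""
    pkt = bytearray(ip_packet)
    pkt[6:8] = struct.pack("!H", struct.unpack("!H", pkt[6:8])[0] & ~DF)
    ihl = (pkt[0] & 0x0F) * 4
    pkt[10:12] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", checksum(bytes(pkt[:ihl])))
    return bytes(pkt)

def tcp_checksum(src, dst, segment):
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)

def tcp_checksum_ok(src, dst, segment):
    return tcp_checksum(src, dst, segment) == 0

def build_syn(src, dst, sport, dport, mss):
    """TCP SYN carrying one MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]

def find_mss(segment):
    """Walk the TCP options; return (mss, offset of the MSS value) or (None, None)."""
    end, i = (segment[12] >> 4) * 4, 20
    while i < end:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[i + 2:i + 4])[0], i + 2
        i += length
    return None, None

def adjust_mss(src, dst, segment, max_mss):
    """Option 2: what `ip tcp adjust-mss <max_mss>` does to a SYN passing through."""
    if not segment[13] & 0x02:          # only SYN / SYN-ACK carry an MSS
        return segment
    mss, pos = find_mss(segment)
    if mss is None or mss <= max_mss:   # only ever lower the MSS, never raise it
        return segment
    seg = bytearray(segment)
    seg[pos:pos + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)

def build_frag_needed(next_hop_mtu, original_packet):
    """ICMP type 3 code 4 as a router emits it: 8-byte header, original IP header + 8 bytes."""
    ihl = (original_packet[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_packet[:ihl + 8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_frag_needed(icmp):
    """Option 1: (next-hop MTU, original destination) a PMTUD sender needs, or None."""
    if len(icmp) < 36 or checksum(icmp) != 0:
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != 3 or code != 4:
        return None
    return mtu, icmp[24:28]   # destination field of the quoted original header

# Constructed sample: a DF-marked SYN from a Site B host to a host on the Internet.
SRC, DST = bytes([10, 2, 0, 10]), bytes([198, 51, 100, 20])
SYN = build_syn(SRC, DST, 40000, 443, 1460)
PACKET = build_ipv4(SRC, DST, 6, 20 + len(SYN), df=True) + SYN
```

Two points the code makes concrete: `adjust_mss` only ever lowers an MSS, so a host that already advertises a small value is untouched, and clearing DF does not fix the blocked ICMP at all, it just stops the host from relying on it, which is why the list ranks it below fixing PMTUD and clamping the MSS.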