GRE over IPSEC

We have 2 sites (Site A and Site B) connected with a GRE over IPSEC tunnel. When we first set up the tunnel, site B could not access the internet from site A. We adjusted the MTU size from 1500 to 1524 (IP MTU 1524) on the tunnel interface (tunnel1) and now the internet works correctly for users in site B; however, we are experiencing performance issues which I believe are caused by fragmentation.
I have been doing some research on the issue and how to avoid it and I have seen some recommendations of applying an MSS of 1300 (ip tcp adjust-mss 1300).
My questions are:

If we setup the mss, should I remove the IP MTU 1524 statements from the tunnel interface on both routers? What interface/s would I apply it to? LAN, WAN (tunnel or physical interface?), both? I am guessing I would do the same for both ends?

Any other recommendations anyone might have in regard to GRE over IPSEC?

Thanks in advance
troubleshooter141Asked:
troubleshooter141Author Commented:
The topology is:

Router B---(GRE OVER IPSEC)-----Router A-------- Core switch------------Firewall----------Internet
Craig BeckCommented:
You shouldn't be using an MTU over 1500, especially via IPSec.  I'd try reducing the MTU to something like 1452, and reduce the MSS value to 1412 or lower.
troubleshooter141Author Commented:
I agree.... I had the MTU down to 1400 but then the internet does not work across the GRE tunnel, which is why it was increased to over 1500 for it to work. I believe the ICMP type 3 code 4 is not making it to the remote end but I haven't found where it is blocked yet.
I have not set up any mss yet, I was trying to get some answers first to make sure that is the correct thing to do and what are the best practices.

Thanks
Craig BeckCommented:
Do you have PMTUD enabled?

This might be an interesting read if you're looking for reasons as to why it might not be working...

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Soulja53 6F 75 6C 6A 61 Commented:
In the past I have always been successful with

ip mtu 1412
ip tcp adjust-mss 1360

and yes, you want both settings on your tunnel interface.  

Now that I think about it. I was using DMVPN so, you may want to adjust each a little higher.
troubleshooter141Author Commented:
PMTUD is not enabled that I can tell.... I had already seen the document you posted a link to, but I went ahead and read it again.

On the list of options it seems like the fix we applied was the least desirable:

The following list begins with the most desirable solution.

1. Fix the problem with PMTUD not working, which is usually caused by a router or firewall blocking ICMP.

2. Use the ip tcp adjust-mss command on the tunnel interfaces so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.

3. Use policy routing on the ingress interface of the router and configure a route map to clear the DF bit in the data IP header before it gets to the GRE tunnel interface. This will allow the data IP packet to be fragmented before GRE encapsulation.

4. Increase the "ip mtu" on the GRE tunnel interface to be equal to the outbound interface MTU. This will allow the data IP packet to be GRE encapsulated without fragmenting it first. The GRE packet will then be IPsec encrypted and then fragmented to go out the physical outbound interface. In this case you would not configure the tunnel path-mtu-discovery command on the GRE tunnel interface. This can dramatically reduce the throughput because IP packet reassembly on the IPsec peer is done in process-switching mode.

I'll start from the most desirable and work my way down if the 1st option does not fix the problem and I can't figure out where ICMP is being blocked.
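To make the MTU/MSS numbers in Soulja's answer (ip mtu 1412 / ip tcp adjust-mss 1360) and in option 2 of the Cisco list concrete, here is an added example in Python; it is not code from the thread, from Cisco, or from IOS. It models the two things a router does for you: the arithmetic that turns a physical MTU into a tunnel "ip mtu" and then into a TCP MSS (the 24-byte GRE overhead is the standard outer-IPv4-plus-GRE figure; the IPsec overhead is left as a parameter because it depends on ESP mode, cipher and padding, so any value you pass is an assumption), and the MSS clamp itself: parsing the TCP options of a SYN, lowering the MSS option when it exceeds the limit, and recomputing the TCP checksum over the pseudo-header. The sample SYN packet is constructed inline with made-up addresses so the example runs offline.

```python
import socket
import struct

IPV4_HEADER = 20   # bytes, no IP options
TCP_HEADER = 20    # bytes, before TCP options
GRE_OVERHEAD = 24  # outer IPv4 header (20) + GRE header (4, no key/sequence)

def tunnel_ip_mtu(physical_mtu, ipsec_overhead):
    """Tunnel 'ip mtu' that still fits the physical link after GRE + IPsec
    encapsulation. ipsec_overhead is an assumed per-packet figure (it depends
    on ESP mode, cipher and padding); 0 gives the GRE-only value."""
    return physical_mtu - GRE_OVERHEAD - ipsec_overhead

def mss_for_tunnel_mtu(ip_mtu):
    """Largest TCP payload that fits the tunnel MTU without fragmentation."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER

def checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src, dst, tcp):
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp)

def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Construct an IPv4 + TCP SYN carrying an MSS option (demo input only)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", 2, 4, mss)            # kind=2 (MSS), len=4
    data_offset = (TCP_HEADER + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4,
                      0x02, 65535, 0, 0) + options        # flags=SYN, csum=0
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER + len(tcp), 0,
                     0x4000, 64, 6, 0, src, dst)         # DF set, proto TCP
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def _mss_offset(tcp):
    """Byte offset of the 16-bit MSS value inside a TCP segment, or None."""
    end = (tcp[12] >> 4) * 4
    i = TCP_HEADER
    while i < end:
        kind = tcp[i]
        if kind == 0:                         # end of option list
            return None
        if kind == 1:                         # NOP padding
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2:    # truncated or malformed option
            return None
        if kind == 2 and tcp[i + 1] == 4:
            return i + 2
        i += tcp[i + 1]
    return None

def read_mss(packet):
    ihl = (packet[0] & 0x0F) * 4
    off = _mss_offset(packet[ihl:])
    return None if off is None else struct.unpack_from("!H", packet, ihl + off)[0]

def tcp_checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0

def adjust_mss(packet, max_mss):
    """Clamp the MSS option of a SYN to max_mss and fix the TCP checksum,
    which is what 'ip tcp adjust-mss' does to SYNs crossing the interface.
    Non-TCP, non-SYN and already-small-MSS packets are returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                        # not TCP
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                    # only SYN / SYN-ACK carry MSS
        return packet
    off = _mss_offset(tcp)
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return packet
    struct.pack_into("!H", tcp, off, max_mss)
    struct.pack_into("!H", tcp, 16, 0)        # zero, then recompute checksum
    struct.pack_into("!H", tcp, 16,
                     tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)

# Constructed sample: a host behind Site B opening a connection with MSS 1460.
SAMPLE_SYN = build_syn("10.0.1.10", "192.168.2.20", 40000, 443, 1460)

if __name__ == "__main__":
    clamped = adjust_mss(SAMPLE_SYN, 1360)
    print("GRE-only ip mtu:", tunnel_ip_mtu(1500, 0), "MSS for 1452:", mss_for_tunnel_mtu(1452))
    print("MSS before/after:", read_mss(SAMPLE_SYN), read_mss(clamped), tcp_checksum_ok(clamped))
```

Two things the run makes visible that the thread only states: the MSS values quoted (1412 for a 1452 MTU, 1360 for a 1412 MTU with extra headroom) are just "ip mtu" minus the 40 bytes of IP and TCP headers, and the clamp only ever touches the SYN handshake, so it cannot help UDP or ICMP traffic through the tunnel; those still depend on the DF bit and on the ICMP type 3 code 4 messages that PMTUD needs getting through.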