We have 2 sites (Site A and Site B) connected with a GRE over IPsec tunnel. When we first set up the tunnel, site B could not access the internet from site A. We adjusted the MTU size from 1500 to 1524 (ip mtu 1524) on the tunnel interface (tunnel1) and now the internet works correctly for users in site B; however, we are experiencing performance issues which I believe are caused by fragmentation.
I have been doing some research on the issue and how to avoid it, and I have seen some recommendations of applying an MSS of 1300 (ip tcp adjust-mss 1300).
My questions are:

If we set up the MSS, should I remove the ip mtu 1524 statements from the tunnel interface on both routers? Which interface(s) would I apply it to: LAN, WAN (tunnel or physical interface?), or both? I am guessing I would do the same at both ends?

Any other recommendations anyone might have in regards to GRE over IPsec?

Thanks in advance
Soulja commented:
In the past I have always been successful with

ip mtu 1412
ip tcp adjust-mss 1360

and yes, you want both settings on your tunnel interface.

Now that I think about it, I was using DMVPN, so you may want to adjust each a little higher.
troubleshooter141 (Author) commented:
The topology is:

Router B---(GRE OVER IPSEC)-----Router A-------- Core switch------------Firewall----------Internet
Craig Beck commented:
You shouldn't be using an MTU over 1500, especially via IPsec. I'd try reducing the MTU to something like 1452, and reduce the MSS value to 1412 or lower.
troubleshooter141 (Author) commented:
I agree.... I had the MTU down to 1400, but then the internet did not work across the GRE tunnel, which is why it was increased to over 1500 to make it work. I believe the ICMP type 3 code 4 is not making it to the remote end, but I haven't found where it is blocked yet.
I have not set up any MSS yet; I was trying to get some answers first to make sure that is the correct thing to do and what the best practices are.

Craig Beck commented:
Do you have PMTUD enabled?

This might be an interesting read if you're looking for reasons as to why it might not be working...
troubleshooter141 (Author) commented:
PMTUD is not enabled, as far as I can tell.... I had already seen the document you posted a link to, but I went ahead and read it again.

On the list of options it seems like the fix we applied was the least desirable:

The following list begins with the most desirable solution.

1. Fix the problem with PMTUD not working, which is usually caused by a router or firewall blocking ICMP.

2. Use the ip tcp adjust-mss command on the tunnel interfaces so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.

3. Use policy routing on the ingress interface of the router and configure a route map to clear the DF bit in the data IP header before it gets to the GRE tunnel interface. This will allow the data IP packet to be fragmented before GRE encapsulation.

4. Increase the "ip mtu" on the GRE tunnel interface to be equal to the outbound interface MTU. This will allow the data IP packet to be GRE encapsulated without fragmenting it first. The GRE packet will then be IPsec encrypted and then fragmented to go out the physical outbound interface. In this case you would not configure the tunnel path-mtu-discovery command on the GRE tunnel interface. This can dramatically reduce the throughput because IP packet reassembly on the IPsec peer is done in process-switching mode.

I'll start from the most desirable and work my way down if the 1st option does not fix the problem and I can't figure out where ICMP is being blocked.
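To reason about the ip mtu / ip tcp adjust-mss values discussed in this thread, here is an added worked overhead budget (example code, not from any poster or from Cisco). It assumes plain GRE (no key/sequence fields), IPv4 headers without options, and ESP with AES-CBC plus HMAC-SHA1-96 in transport mode; the constants are the places to change for other transforms.

```python
"""GRE over IPsec MTU/MSS budget (added example; assumptions noted inline)."""

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # plain GRE, no key or sequence number (assumption)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
CIPHERS = {"aes": (16, 16), "3des": (8, 8)}   # (IV bytes, cipher block size)
INTEGRITY = {"sha1": 12, "sha256": 16}         # ICV bytes


def max_inner_mtu(path_mtu=1500, mode="transport", cipher="aes", integrity="sha1"):
    """Largest inner IP packet that leaves the WAN interface without
    post-encryption fragmentation.

    Wire layout: outer IP | ESP hdr | IV | enc( [GRE outer IP, tunnel mode only]
    GRE | inner packet | pad | trailer ) | ICV.  The encrypted part is rounded
    down to a whole number of cipher blocks, i.e. worst-case padding, so the
    returned value is safe for every packet length.
    """
    iv, block = CIPHERS[cipher]
    icv = INTEGRITY[integrity]
    cleartext = IP_HDR + ESP_HDR + iv + icv             # bytes outside the encryption
    encrypted_budget = (path_mtu - cleartext) // block * block
    payload = encrypted_budget - ESP_TRAILER - GRE_HDR
    if mode == "tunnel":
        payload -= IP_HDR                               # GRE's outer IP is encrypted too
    return payload


def mss_for_mtu(ip_mtu):
    """TCP MSS that keeps a full segment inside one IP packet of the given MTU
    (what 'ip tcp adjust-mss' should be set to for a given 'ip mtu')."""
    return ip_mtu - IP_HDR - TCP_HDR


def fragments_on_wan(ip_mtu, path_mtu=1500, **transform):
    """True if a tunnel 'ip mtu' value causes fragmentation after encryption."""
    return ip_mtu > max_inner_mtu(path_mtu, **transform)


if __name__ == "__main__":
    for mtu in (1524, 1452, 1412, 1400):                # values discussed in the thread
        print(f"ip mtu {mtu}: mss {mss_for_mtu(mtu)}, "
              f"fragments={fragments_on_wan(mtu)}")
```

With the assumed transform, max_inner_mtu() gives the ceiling for a 1500-byte path, and mss_for_mtu() turns any candidate ip mtu into the matching adjust-mss value (1400 gives 1360).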