https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057863#M1001912 <P>Any links/insight into IP MTU issues in an MS environment with Cisco Routing IOS VPN GRE/IPSEC Tunnels</P><P></P><P>Thanks,</P><P>Bob</P><P></P> Fri, 21 Feb 2020 11:00:09 GMT bob.forster 2020-02-21T11:00:09Z https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057863#M1001912 <P>Any links/insight into IP MTU issues in an MS environment with Cisco Routing IOS VPN GRE/IPSEC Tunnels</P><P></P><P>Thanks,</P><P>Bob</P><P></P> Fri, 21 Feb 2020 11:00:09 GMT https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057863#M1001912 bob.forster 2020-02-21T11:00:09Z https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057864#M1001913 <HTML><HEAD></HEAD><BODY><P>Bob,</P><P></P><P>There are some MTU and TCP MSS issues associated with GRE tunnels. Generally it is associated with web browsing and file shares. Here are a few guides to help you out for your install.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml</A></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml</A></P><P></P><P>HTH,</P><P>Mark</P></BODY></HTML> Wed, 10 Sep 2008 21:01:05 GMT https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057864#M1001913 Mark Yeates 2008-09-10T21:01:05Z https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057865#M1001914 <HTML><HEAD></HEAD><BODY><P>adjust your tunnel interface mtu size to 1420 and issue the command ip tcp adjust-mss 1380. </P><P></P></BODY></HTML> Fri, 12 Sep 2008 16:57:09 GMT https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057865#M1001914 leej 2008-09-12T16:57:09Z https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057866#M1001915 <HTML><HEAD></HEAD><BODY><P>Yeah, that's what I typically do IP MTU 1420 on the outside interface (which forces all VPN Tunnels to 1396) and then IP TCP MSS 1270.</P><P></P><P>Works for over 100 tunnels I have with other clients, but this client still sees some Group Policy issues. </P><P>We are looking at doing IP MTU right on the client Registry Keys and this seems to clear up ALL issues (With Routers set to NO IP MTU on Outside physical interface, IP MTU 1400 on Tunnels and TCP MSS 1270 on Inside interface)</P><P></P><P>Thanks for the input.</P><P></P><P>Bob</P><P></P></BODY></HTML> Fri, 12 Sep 2008 20:57:27 GMT https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057866#M1001915 bob.forster 2008-09-12T20:57:27Z https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057867#M1001916 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>we've had a problem with w2k3 servers and GRE tunnels, where the servers would start to ignore the ICMP packet too big messages from the routers after a little while, causing TCP sessions to fail. </P><P></P><P>info on the bug is here: <A class="jive-link-custom" href="http://support.microsoft.com/kb/898060/" target="_blank">http://support.microsoft.com/kb/898060/</A> </P><P></P><P>setting the mtu in the registry to an approipiate value, or installing the patch / service pack in the link will fix that issue.</P><P></P><P>Cheers.</P></BODY></HTML> Sun, 14 Sep 2008 22:47:18 GMT https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057867#M1001916 jonesandrew 2008-09-14T22:47:18Z https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057868#M1001917 <HTML><HEAD></HEAD><BODY><P>We had issues with the MTU of the GRE tunnel with users accessing an Exchange server. We had to bump the MTU of the tunnel up to 1600 to account for the MTU plus the 24-byte GRE overhead.</P><P></P><P>See this link on CCO:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml</A></P><P></P><P>There is more detailed info at:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml</A></P><P></P><P></P><P></P></BODY></HTML> Thu, 25 Sep 2008 13:11:00 GMT https://community.cisco.com/t5/network-security/ip-mtu-issues-across-gre-ipsec-tunnels/m-p/1057868#M1001917 rmalloy 2008-09-25T13:11:00Z