MTU / DF-Bit Problem on GRE-Tunnel

rolf.fischer_2
Level 1

Since a configuration change (routing on a GRE tunnel now) we have the following problem:

Some Websites are not accessible.

We see that the related IP packets have the 'don't fragment' bit set.

A standard ping with big sizes (>1500 bytes) is no problem.

A ping with DF set and 1476 bytes works, 1477 won't work.

I understand that, because of the GRE's additional header, large packets have to be fragmented, but because of the DF bit this is not possible.

Configuring a larger MTU on the tunnel interface is not possible, at least I don't know how.

I think this is a very common problem and there must be a solution.

Can anybody help?

Thanks in advance.

3 Replies

mheusinger
Level 10

Hello,

You can instruct the router to intercept TCP session setup and adjust the TCP max segment size.

ip tcp adjust-mss 1400

would be the command to solve (most of) your problems. Choose an MSS value which finally works (1400 should be ok based on your observations).

Hope this helps! Please rate all posts.

Regards, Martin

lgijssel
Level 9

The following URL explains your issue in quite some detail:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

Hope this will suffice to solve the issue.

Regards,

Leo

Leo,

thank you very much!

Finally I was able to increase the tunnel's MTU as described in the document.

The other solution (TCP MSS) was unfortunately not possible because one of the routers didn't match the IOS requirements (still 12.1(22), we have to update soon...).

Regards

Rolf
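
Added example, not part of the thread: a sketch of the DF-ping search described in the question (1476 passes, 1477 fails) and of the largest MSS that fits the resulting tunnel MTU. Assumptions: a 1500-byte physical link, 24 bytes of GRE overhead (outer IPv4 plus basic GRE header), ping sizes counted as the whole IP datagram, and a simulated probe in place of a real DF-set ping; all function names are hypothetical.

```python
# Added example: the probe is simulated so the script runs offline.
GRE_OVERHEAD = 20 + 4      # outer IPv4 header + basic GRE header (no key/sequence)
IP_TCP_HEADERS = 20 + 20   # inner IPv4 + TCP headers, no options


def simulated_df_probe(link_mtu, overhead=GRE_OVERHEAD):
    """Return probe(size) mimicking a DF-set ping sent through the tunnel.

    size is the whole inner IP datagram (assumption about how the ping
    sizes in the thread are counted). The probe succeeds only if the
    encapsulated packet still fits the physical link.
    """
    def probe(size):
        return size + overhead <= link_mtu
    return probe


def largest_df_size(probe, lo=68, hi=1500):
    """Binary-search the largest datagram size for which probe() succeeds.

    Returns None if even the smallest size fails.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2   # round up so the loop always progresses
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def max_mss(ip_mtu):
    """Largest TCP MSS whose segments fit in ip_mtu without fragmentation."""
    return ip_mtu - IP_TCP_HEADERS


def plan(link_mtu=1500):
    """Derive the tunnel IP MTU and MSS ceiling for a given physical link MTU."""
    probe = simulated_df_probe(link_mtu)
    tunnel_mtu = largest_df_size(probe, hi=link_mtu)
    return {"tunnel_ip_mtu": tunnel_mtu, "max_mss": max_mss(tunnel_mtu)}


if __name__ == "__main__":
    print(plan())   # constructed input: a 1500-byte physical link
```

Under these assumptions the MSS of 1400 suggested in the first reply sits below the computed ceiling, which leaves headroom for TCP options or additional encapsulation.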