MTU Problem with GRE Tunnel

b.shoresh
Level 1

Hello.

I have a Cisco 800 connected over ADSL to a Cisco 3600, which is connected to a 7500 over Ethernet.

I have configured a GRE tunnel between the 800 and the 7500. The 7500 is connected to the Internet through a FW.

When trying to connect with HTTPS to secured web sites from a workstation on the 800's LAN, we get nothing. I've put a sniffer between the 7500 and the FW, and saw that there are HTTPS frames with a length of 1514 (and this is before the GRE header is added) and with the "don't fragment" bit set. So my guess is that with the GRE header the frame is too big (a giant).

When connecting to non-secured sites everything works fine, and the sniffer shows smaller frames with the "don't fragment" bit set to "may fragment".

1) Can I configure the routers to support giant frames? If yes, do I also need to configure something on the Ethernet switch?

2) Can I change the "don't fragment" bit?

Thank you.

Boaz.

2 Replies

thisisshanky
Level 11

Hi,

The problem is that when clients connect to the HTTPS web server, they both agree on the MTU size and the smallest supported among the two will be negotiated. Suppose each of them negotiates it to 1514 (for Ethernet); when they send the packets, they do set the DF bit.

Now, the 800 router cannot fragment the frames. Also, the tunnel interface has an MTU which is 24 bytes less than the real MTU on the outgoing interface. That means the MTU of the frame can be 1490, above which the frame cannot be sent without fragmenting.

When this situation arises, the router will send an ICMP message saying the following:

ICMP: dst (x.x.x.x) frag. needed and DF set unreachable sent to x.x.x.x

Usually ICMP could be blocked (not necessarily in your network, but somewhere on the way), so this ICMP message would never reach the web server. This ICMP message notifies the HTTPS server to adjust the MTU size appropriately.

Solutions:

1. Try to find out where ICMP messages are getting blocked. This is not a very reliable solution.

2. A good solution would be to use a proxy device between your 3600 and 7500 (if both are connected via LAN), and let the proxy device initiate all outgoing web connections. For this you will have to terminate the GRE tunnel at the 3600 rather than at the 7500, as the 7500 is your Internet gateway.

3. Try to set the client machines' MTU sizes to a smaller value so that packets can pass without fragmentation. But this might be a tedious job to do if there are a lot of PCs.

4. I don't think the ADSL interfaces can have an MTU size over 1514 bytes. If they can, you might want to set the MTU on the interfaces.

For your question regarding changing the DF bit:

Use policy routing using route-maps.

interface fa0/0
 ip policy route-map ClearDFbit
!
route-map ClearDFbit permit 10
 match ip address 199
 set ip df 0
!
access-list 199 permit tcp any any

Hope this helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
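A small model of the mechanism the reply describes, added here as an example; it is not part of the original thread and not Cisco code. It works at the IP layer, where an Ethernet link's MTU is 1500 bytes (the 1514-byte frame minus its 14-byte header) and GRE over IPv4 adds 24 bytes (a 20-byte outer IP header plus a 4-byte GRE header without key or sequence options), so the tunnel's IP MTU is 1476. The single tunnel hop, the packet sizes and the "sender" that honours ICMP are all constructed for the example. It shows three outcomes of a 1500-byte DF-set datagram entering the tunnel: ICMP "fragmentation needed" gets back to the sender and PMTUD converges on 1476; the ICMP is filtered somewhere on the way and the connection black-holes; or DF is cleared on the tunnel router (as the `set ip df 0` route-map does) and the router fragments the inner datagram before encapsulation.

```python
from dataclasses import dataclass

ETHERNET_MTU = 1500    # IP MTU of an Ethernet link: 1514-byte frame minus the 14-byte Ethernet header
GRE_OVERHEAD = 24      # outer IPv4 header (20 bytes) + basic GRE header (4 bytes); options would add more
IP_HEADER = 20         # IPv4 header without options
ICMP_UNREACHABLE = 3   # ICMP type 3, Destination Unreachable
ICMP_FRAG_NEEDED = 4   # code 4, "fragmentation needed and DF set" (the message the reply quotes)


@dataclass
class Packet:
    size: int   # total IPv4 datagram length in bytes, header included
    df: bool    # "don't fragment" flag


@dataclass
class Verdict:
    delivered: list   # encapsulated datagram sizes that left the tunnel router
    icmp: tuple       # (type, code, next_hop_mtu) sent back to the source, or None


def fragment(size, mtu):
    """Split an IPv4 datagram of `size` bytes into fragments that fit `mtu`.
    Fragment payloads are multiples of 8 bytes because offsets are counted in 8-byte units."""
    if size <= mtu:
        return [size]
    payload = size - IP_HEADER
    chunk = (mtu - IP_HEADER) // 8 * 8
    pieces = []
    while payload > 0:
        take = min(chunk, payload)
        pieces.append(take + IP_HEADER)
        payload -= take
    return pieces


def tunnel_forward(pkt, egress_mtu=ETHERNET_MTU, clear_df=False):
    """What the GRE tunnel router does with one inner datagram (constructed model).
    clear_df models the `set ip df 0` route-map applied on the ingress interface."""
    tunnel_mtu = egress_mtu - GRE_OVERHEAD          # 1476 for a 1500-byte egress link
    df = pkt.df and not clear_df
    if pkt.size <= tunnel_mtu:
        return Verdict([pkt.size + GRE_OVERHEAD], None)
    if df:
        # Too big and may not be fragmented: drop it and report the next-hop MTU to the source.
        return Verdict([], (ICMP_UNREACHABLE, ICMP_FRAG_NEEDED, tunnel_mtu))
    # DF clear: fragment the inner datagram to the tunnel MTU, then encapsulate each piece.
    return Verdict([p + GRE_OVERHEAD for p in fragment(pkt.size, tunnel_mtu)], None)


def pmtud_session(initial_size=ETHERNET_MTU, icmp_blocked=False, clear_df=False):
    """A sender that sets DF and shrinks its datagrams on ICMP frag-needed, as the
    HTTPS server in the thread would. Returns (outcome, datagram size the sender ended on)."""
    size = initial_size
    for _ in range(8):   # each ICMP can only shrink the size, so a few rounds is plenty
        verdict = tunnel_forward(Packet(size, df=True), clear_df=clear_df)
        if verdict.icmp is None:
            return "delivered", size
        if icmp_blocked:
            # The sender never learns the path MTU, keeps retransmitting full-size
            # segments, and the TLS handshake hangs: the PMTUD black hole.
            return "black_hole", size
        size = verdict.icmp[2]
    return "stalled", size


if __name__ == "__main__":
    print(pmtud_session())                   # ('delivered', 1476)
    print(pmtud_session(icmp_blocked=True))  # ('black_hole', 1500)
    print(pmtud_session(clear_df=True))      # ('delivered', 1500)
    print(tunnel_forward(Packet(1500, df=False)).delivered)  # [1500, 68]
```

Two practical points follow from the model. The `ip policy` statement acts on packets received on the interface it is applied to, so to clear DF on the HTTPS server's traffic it has to sit on the interface where those packets arrive (here the 7500's interface facing the firewall), not on an arbitrary LAN interface. And clearing DF trades the black hole for fragmentation: every 1500-byte segment becomes two packets (1500 and 68 bytes after encapsulation) that the far end must reassemble, and the sender loses the ability to discover the path MTU itself, so letting the ICMP "fragmentation needed" message through is the cleaner fix where the filtering point can be found.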

dtheodoridis
Level 1

Take a look at http://www.cisco.com/warp/public/105/56.html. I had the same problem and finally I installed a proxy.
