12-13-2019 06:41 AM - edited 12-13-2019 06:43 AM
Extended ping sweep to the remote end of a GRE/IPSec tunnel with df-bit set: mtu sizes 731-746 fail across the WAN.
mtu sizes 64-730 work
mtu sizes 747-1496 work
Same results from either side of the connection.
If I ping sweep my remote router's physical interface with df-bit set, mtu sizes 64-1496 are all successful.
Our edge routers' sub-interfaces have ip mtu 1496 set, and the tunnel interface shows an ip mtu of 1476.
The end result is that our web applications fail.
Is there some reason, obvious or not, why pinging the non-tunnel address across the WAN works while the tunnel addresses fail?
Communication across the backup WAN works.
Thanks
Frank
12-13-2019 07:34 PM
Hello @fsebera ,
Nice to see you again in the forums.
Let us recap your findings:
> Extended ping sweep to the remote end of a GRE/IPSec tunnel with df-bit set: mtu sizes 731-746 fail across the WAN.
> mtu sizes 64-730 work
> mtu sizes 747-1496 work
> Same results from either side of the connection.
> If I ping sweep my remote router's physical interface with df-bit set, mtu sizes 64-1496 are all successful.
> Our edge routers' sub-interfaces have ip mtu 1496 set, and the tunnel interface shows an ip mtu of 1476.
> The end result is that our web applications fail.
> Is there some reason, obvious or not, why pinging the non-tunnel address across the WAN works while the tunnel addresses fail?
> Communication across the backup WAN works.
In particular:
> Extended ping sweep to the remote end of a GRE/IPSec tunnel with df-bit set: mtu sizes 731-746 fail across the WAN.
> mtu sizes 64-730 work
> mtu sizes 747-1496 work
I have a few questions for you, Frank.
What type of GRE over IPSec are you using, exactly?
I mean, we know the GRE header is 24 bytes. I can guess your WAN interface is a VLAN-based sub-interface because of ip mtu 1496 (4 bytes used by the IEEE 802.1Q VLAN tag).
Do you use both AH and ESP?
Are you in tunnel mode?
What kind of HMAC and ESP encryption are you using?
The payload DF should be copied to the outer GRE header and then copied to the more external IPSec header if using AH.
@fsebera, may you provide more details on your network environment in order to get better help?
Ciao Frank, Merry Xmas and Happy New Year.
Hope to help
Giuseppe
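The overhead arithmetic Giuseppe walks through (24-byte GRE encapsulation, a 1496-byte IP MTU on the 802.1Q sub-interface, ESP in tunnel mode) is worth putting into a calculator, because the interesting symptom here is a contiguous window of failing inner sizes. The block below is an added example, not code from the thread or from either participant. It models GRE over IPsec with ESP in tunnel mode; the cipher and integrity parameters are assumptions the thread never states (AES-CBC with a 16-byte block and IV, a 12-byte truncated HMAC ICV, a GRE header without key or sequence fields), and the IOS ping "datagram size" is taken as the full inner IPv4 length. It computes the outer packet size for each inner ping size, the largest inner size that still fits a given path MTU, and the runs of consecutive inner sizes that ESP padding collapses onto one outer size.

```python
"""Added example: encapsulation-size calculator for GRE over IPsec (ESP, tunnel mode).

Overheads modelled, following the thread: 24-byte GRE encapsulation
(20-byte delivery IPv4 header + 4-byte GRE header) inside ESP tunnel mode.
ESP parameters are ASSUMPTIONS (the thread does not state them):
AES-CBC (16-byte block, 16-byte IV) and a 12-byte truncated HMAC ICV.
"""

from itertools import groupby

IP_HDR = 20                      # IPv4 header without options
GRE_HDR = 4                      # GRE header with no key/seq/checksum (assumed)
GRE_OVERHEAD = IP_HDR + GRE_HDR  # 24 bytes, as stated in the thread
ESP_HDR = 8                      # SPI + sequence number
ESP_TRAILER = 2                  # pad length + next header


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Outer IPv4 datagram size after ESP tunnel-mode encapsulation of an inner
    IPv4 datagram of inner_len bytes.

    The encrypted region is inner packet + trailer, padded up to a multiple of
    the cipher block size, then prefixed with outer IP + ESP header + IV and
    followed by the ICV.
    """
    plain = inner_len + ESP_TRAILER
    pad = (-plain) % block
    return IP_HDR + ESP_HDR + iv_len + plain + pad + icv_len


def gre_over_ipsec_size(ping_size, **esp):
    """Outer size for an IOS ping of ping_size bytes sent into the tunnel.

    Assumption: IOS 'datagram size' is the whole inner IPv4 datagram, so the
    GRE packet is ping_size + 24 bytes and that GRE packet is what ESP wraps.
    """
    gre_packet = GRE_OVERHEAD + ping_size
    return esp_tunnel_size(gre_packet, **esp)


def failing_ping_sizes(path_mtu, lo=64, hi=1496, **esp):
    """Inner ping sizes whose encapsulated packet exceeds path_mtu.

    With DF copied to the outer header these cannot be fragmented on the way
    and must be dropped somewhere on the path.
    """
    return [p for p in range(lo, hi + 1) if gre_over_ipsec_size(p, **esp) > path_mtu]


def max_ping_size(path_mtu, **esp):
    """Largest inner ping size that still fits path_mtu after encapsulation."""
    return max(p for p in range(path_mtu) if gre_over_ipsec_size(p, **esp) <= path_mtu)


def outer_size_ranges(lo=64, hi=1496, **esp):
    """Group contiguous inner sizes that produce the same outer size.

    Because of ESP block padding, a run of `block` consecutive inner sizes maps
    to a single outer size, so anything on the path that misbehaves for one
    outer size shows up as a contiguous window of failing inner sizes.
    Returns a list of (first_inner, last_inner, outer_size) tuples.
    """
    ranges = []
    for outer, grp in groupby(range(lo, hi + 1),
                              key=lambda p: gre_over_ipsec_size(p, **esp)):
        ps = list(grp)
        ranges.append((ps[0], ps[-1], outer))
    return ranges


if __name__ == "__main__":
    # The thread reports a tunnel ip mtu of 1476 and a sub-interface ip mtu of 1496.
    print("outer size for a 1476-byte inner packet:", gre_over_ipsec_size(1476))
    print("largest inner ping that fits a 1496-byte path MTU:", max_ping_size(1496))
    print("inner-size windows around the reported failing range 731-746:")
    for first, last, outer in outer_size_ranges(720, 760):
        print(f"  ping {first}-{last} -> outer {outer}")
```

Run it with the ESP parameters you actually have (for example `block=8, iv_len=8` for 3DES, or a 16-byte ICV for SHA-256 HMAC) and compare the printed windows with the failing sweep; if a drop is tied to one outer size, the failing inner sizes line up with exactly one of these runs. The first two figures also show why a tunnel MTU derived from the 1500-byte physical interface is larger than what fits through a 1496-byte sub-interface once ESP is added.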
12-16-2019 06:39 AM
Hi Giuseppe,
It seems that here I only get the strange issues... :-|
We are running IPSec over GRE (sorry for any confusion). No AH, just standard ESP with point-to-point tunnels.
As the PE, we strip any DF parameters from all pre-fragmented packets we receive from our business partners, and it appears our WAN SPs drop any of our CE packets over 14~~ bytes or so. This is normal and acceptable. Our business partners do a great job of ensuring their packets don't need to be chopped.
We are attempting to determine whether the WAN SP boxes have an OS bug or just a piss-poor misconfiguration.
Thanks and Happy Holidays to you too!!
Frank