Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1938
Views
9
Helpful
6
Replies

Why do my PING sweeps end !!...... and not !!MMMM over IPSEC VPN?

Paul Morgan
Level 1
Level 1

‎09-30-2013 06:29 AM - edited ‎03-04-2019 09:11 PM

                   Hello Community,

When I test my branch lines for MTU, I get my PING sweeps up to the MTU then the PINGs fail. Why do I not get an MMMM for Could Not Fragment?

Is it something to do with IPSEC or is something not working?

Thanks,

Paul

eg

Packet sent with the DF bit set

!!!!!!!!!!!!!!!!!!!!.........

1 person had this problem
Labels:
0 Helpful
6 Replies 6

jamie.grive
Level 1
Level 1

‎09-30-2013 06:46 AM

Are ICMP unreachables enabled on the interface in question? (show ip int xxxx | inc unreach)

Although if you are testing this from a router which already knows it is going to be a too big MTU on the VPN interface it's not going to send an ICMP unreachable to itself so you would want to test it from another device back in the path (e.g. behind the VPN device)

Paul Morgan
Level 1
Level 1
In response to jamie.grive

‎09-30-2013 07:22 AM

If I use ping from a Windows box on the LAN it also just times out. Except if the packet size is over the outgoing interface MTU eg 1472.

So a ping of 1474bytes from the LAN gets PACKET NEEDS TO BE FRAGMENTED BUT DF BIT SET, but lower than that just times out, all the way down to when packets are smaller than the MTU ie 1310 from the LAN.

1310 + 28 (IP + ICMP)= 1338 + IP + GRE + IPSEC = 1338 + 20 + 4 + 56 = 1418 which is spot on since the TUNNEL mtu is 1420

But it's that middle area that shows the Timeout that is a problem. On the router, I would expect the Could Not Fragment response?

0 Helpful

jamie.grive
Level 1
Level 1
In response to Paul Morgan

‎10-01-2013 05:10 AM

Makes sense - what version and platform is this?

Paul Morgan
Level 1
Level 1
In response to jamie.grive

‎10-01-2013 05:27 AM

This result is seen on all my routers. 1841, 1941, 1921, 887. Using either IOS 12.4-24 or 15.1

The network is a hub&spoke setup with all branch spokes connected using IPSEC VPN over GRE tunnels.

Thanks

0 Helpful

jamie.grive
Level 1
Level 1
In response to Paul Morgan

‎10-01-2013 06:29 AM

So to summarise:

x<1310 = Succeed

13111472 = Timeout

x>1473 = ICMP Unreachable (Packet needs to be fragmented)

Maybe it's something like 'no ip unreachables' on the Tunnel interface? 'show ip int tunnelX' to confirm

0 Helpful

Paul Morgan
Level 1
Level 1
In response to jamie.grive

‎10-01-2013 07:01 AM

Nearly.

X less than or equal 1311 = success

13121472 = Timeout

X>1472 = ICMP Unreachable (Packet needs to be fragmented)

All Tunnels are ICMP Unreachables are always sent.

This is inherited from the interface the Tunnels are built on as far as I know. This is the same at both ends.

0 Helpful
Customers Also Viewed These Support Documents