Intermittent disconnection of webpages on GRE over IPSec tunnel connectivity

Hi All,

I'm facing a strange issue accessing WAP pages over an IPsec over GRE tunnel.

We are able to ping the remote end IPs without any drops, whereas the webpages are not getting loaded intermittently.

Can anybody help me to know whether there could be any issue with the IPsec configuration that is causing the packets to be dropped intermittently?

Are there any IPsec troubleshooting commands to troubleshoot further?

Regards,

Thiyagu

4 Replies

Hi,

To me it seems like a MTU issue.

What is the "ip mtu" value on the tunnel interface?

Also, "ip tcp adjust-mss" could be tried with a value of 40 bytes lower than the ip mtu.

Regards

Hi,

I think Kristian is correct that the issue may be related to MTU. To check this you can use the ping utility with the packet size increased and the Don't Fragment bit set. This will result in the pings getting dropped once they've reached the maximum that can be transported.

With ping the maximum packet size you'll be able to send is 28 bytes less than the MTU. This accounts for the 8-byte ICMP header and the 20-byte IP header. If we take the simple example of a LAN where the MTU is typically 1500 bytes, you would expect to see a ping response when sending 1472-byte pings, and failures when sending 1473-byte pings. The following are the options to use with ping to increase the packet size and set the DF bit on Windows, Solaris and Linux:

Windows: ping -f -l

Solaris: ping -s

Linux: ping -M do -s

On the WAN, when sending traffic over an IPsec-encrypted GRE tunnel, it will be a little bit trickier to calculate the maximum ICMP datagram size because of the different IPsec transforms available, whether you're doing both encryption and authentication, etc.

I would start with testing with 1442-byte IP packets (1414-byte ICMP datagram) and then increasing if the ping is successful.

The calculations for a 1442-byte and 1443-byte packet encrypted with AES-256, using no authentication and then sent over a GRE tunnel are as follows:

1442-byte packet = 1492-bytes after AES encryption and transported across a GRE tunnel

24 bytes GRE header

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

16 byte IV (IOS ESP-AES)

0 byte pad (ESP-AES 128 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)


1443-byte packet = 1508-bytes after AES encryption and transported across a GRE tunnel

24 bytes GRE header

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

16 byte IV (IOS ESP-AES)

15 byte pad (ESP-AES 128 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

Regards
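The two replies above give the recipe (count the GRE, ESP and cipher overhead, then set "ip mtu" and an MSS 40 bytes lower) for one transform set. The following is an added example, not code from the thread, that models the same overhead generally: RFC 2784 GRE inside RFC 4303 ESP, with the padding rule from RFC 4303 (encrypted payload plus the 2-byte trailer rounded up to the cipher block size), in both transport and tunnel mode, and with or without an ICV. The transform-set profiles and the 1500-byte path MTU are assumptions; header sizes are protocol constants. It reports the largest inner IP packet that clears the path with DF set and the tunnel-interface lines that match it.

```python
"""GRE-over-IPsec overhead calculator (added example, not from the thread)."""

OUTER_IP = 20     # IPv4 header without options
GRE_BASIC = 4     # GRE header with no key / sequence / checksum options
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# Assumed profiles for common IOS transform sets: cipher block alignment, IV
# length and ICV length. AES-CBC pads to its 16-byte block; AES-GCM only needs
# ESP's 4-byte alignment and carries an 8-byte IV (RFC 4106).
PROFILES = {
    "esp-aes esp-sha-hmac":    dict(block=16, iv=16, icv=12),  # HMAC-SHA1-96
    "esp-aes esp-sha256-hmac": dict(block=16, iv=16, icv=16),  # HMAC-SHA-256-128
    "esp-aes (no auth)":       dict(block=16, iv=16, icv=0),   # encryption only
    "esp-gcm":                 dict(block=4,  iv=8,  icv=16),  # AES-GCM, 128-bit ICV
}


def esp_padding(payload_len, block):
    """Bytes of ESP padding so that payload + pad + trailer is block-aligned."""
    return (-(payload_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len, mode="tunnel",
                      profile="esp-aes esp-sha-hmac", gre_len=GRE_BASIC):
    """Size on the wire of an inner IP packet after GRE + ESP encapsulation."""
    p = PROFILES[profile]
    if mode == "transport":
        # ESP protects GRE + inner packet; the GRE delivery IP header stays outside.
        payload = gre_len + inner_len
    elif mode == "tunnel":
        # ESP protects the whole GRE packet (IP + GRE + inner); a new outer IP is added.
        payload = OUTER_IP + gre_len + inner_len
    else:
        raise ValueError(f"unknown IPsec mode {mode!r}")
    pad = esp_padding(payload, p["block"])
    return OUTER_IP + ESP_HEADER + p["iv"] + payload + pad + ESP_TRAILER + p["icv"]


def max_inner_packet(path_mtu, mode="tunnel",
                     profile="esp-aes esp-sha-hmac", gre_len=GRE_BASIC):
    """Largest inner IP packet whose encapsulation still fits in path_mtu."""
    for inner in range(path_mtu, 0, -1):
        if encapsulated_size(inner, mode, profile, gre_len) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any payload")


def ping_payload_for_ip_size(ip_len):
    """IOS 'size' is the whole IP packet; Linux/Windows ping take ICMP data bytes (-28)."""
    return ip_len - OUTER_IP - 8


def ios_tunnel_mtu_config(inner_mtu):
    """Tunnel-interface lines: MSS is the MTU minus the 40-byte IP + TCP headers."""
    return [f"ip mtu {inner_mtu}", f"ip tcp adjust-mss {inner_mtu - 40}"]


if __name__ == "__main__":
    path_mtu = 1500  # assumed physical path MTU between the tunnel endpoints
    for mode in ("transport", "tunnel"):
        for prof in PROFILES:
            m = max_inner_packet(path_mtu, mode, prof)
            print(f"{mode:9} {prof:25} max inner IP packet {m} "
                  f"(ping -s {ping_payload_for_ip_size(m)})")
    print("\n".join(ios_tunnel_mtu_config(max_inner_packet(path_mtu, "tunnel"))))
```

Running it shows why a tunnel "ip mtu" of 1400 is the usual safe default: with esp-aes esp-sha-hmac in tunnel mode only a 1414-byte inner packet fits in 1500 bytes, and in transport mode 1434. The table also shows that changing the transform set (adding an ICV, switching to GCM) moves the limit, which is why a sweep against the real peer, as in the replies, beats arithmetic alone.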

#ping 4.2.2.2 source vlan 100 repeat 10 df-bit size 1442

Type escape sequence to abort.
Sending 10, 1442-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.59.100.1
Packet sent with the DF bit set
MMMMMMMMMM
Success rate is 0 percent (0/10)

I'm getting packet drops when pinging with a 1442-byte packet size.

Please help me to know:

1. What is the maximum size of data we can transfer over the GRE tunnel?

2. I'm unable to execute the command "ip tcp adjust-mss" due to IOS version incompatibility. Is there any other way we can adjust the MTU size over the tunnel?

Hi,

If you run the ping sweep command and set the verbose option you will see the largest ping packet that is sent.

In the following I've set the minimum ping sweep size as 1410-bytes and the maximum as 1430-bytes. The verbose option is set and we can see that 1420-bytes is the maximum packet size that is successful.

ocs1001-1#ping

Protocol [ip]:

Target IP address: 192.168.2.37

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.2.38

Type of service [0]:

Set DF bit in IP header? [no]: y

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]: verbose

Loose, Strict, Record, Timestamp, Verbose[V]:

Sweep range of sizes [n]: y

Sweep min size [36]: 1410

Sweep max size [18024]: 1430

Sweep interval [1]:

Type escape sequence to abort.

Sending 105, [1410..1430]-byte ICMP Echos to 192.168.2.37, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.38

Packet sent with the DF bit set

Reply to request 0 (1 ms) (size 1410)

Reply to request 1 (1 ms) (size 1411)

Reply to request 2 (1 ms) (size 1412)

Reply to request 3 (2 ms) (size 1413)

Reply to request 4 (1 ms) (size 1414)

Reply to request 5 (2 ms) (size 1415)

Reply to request 6 (1 ms) (size 1416)

Reply to request 7 (2 ms) (size 1417)

Reply to request 8 (1 ms) (size 1418)

Reply to request 9 (2 ms) (size 1419)

Reply to request 10 (1 ms) (size 1420)

Request 11 timed out (size 1421)

Request 12 timed out (size 1422)

Request 13 timed out (size 1423)

[..]

Once you know that number, if you set the ip mtu on the tunnel interface, the Path MTU Discovery should work. Take a read through the white paper Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC for more details.

Regards
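The sweep above walks one byte at a time and leaves you reading the verbose output for the last "Reply" before the first "timed out". As an added example, not part of the thread, the script below does both jobs from an end host: it parses that IOS verbose-sweep format to recover the largest answered size, and it binary-searches the largest Linux "ping -M do -s N" payload that gets through, which needs about eleven probes over a 1500-byte range instead of one per byte. The sample sweep text is constructed from the reply's format, the 10.0.0.1 peer is a placeholder, and the probe assumes iputils ping on Linux (use "-f -l" on Windows, "-s" on Solaris, as noted earlier in the thread).

```python
"""Path MTU discovery with the DF bit (added example, not from the thread)."""
import re
import subprocess

# IOS 'size' is the whole IP packet; Linux ping -s is ICMP data only (+20 IP +8 ICMP).
IP_ICMP_OVERHEAD = 28

REPLY_RE = re.compile(r"^Reply to request \d+ .*\(size (\d+)\)")
TIMEOUT_RE = re.compile(r"^Request \d+ timed out \(size (\d+)\)")


def parse_ios_sweep(text):
    """Return (largest answered size, smallest timed-out size) from an IOS verbose sweep."""
    answered, dropped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            answered.append(int(m.group(1)))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            dropped.append(int(m.group(1)))
    return (max(answered) if answered else None,
            min(dropped) if dropped else None)


def linux_df_probe(host, payload, timeout=1):
    """True if one DF-bit ICMP echo with 'payload' data bytes is answered (iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    rc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc == 0


def find_max_df_payload(probe, lo=0, hi=1472):
    """Largest payload in [lo, hi] for which probe(payload) is True.

    Assumes the path is monotone (a bigger DF packet never succeeds where a
    smaller one failed). Returns None if even 'lo' fails: then ICMP is being
    blocked or the peer is down, which is a different problem from MTU.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


# Constructed sample in the format of the verbose sweep shown in the reply.
SAMPLE_SWEEP = """\
Reply to request 9 (2 ms) (size 1419)
Reply to request 10 (1 ms) (size 1420)
Request 11 timed out (size 1421)
Request 12 timed out (size 1422)
"""

if __name__ == "__main__":
    ok, bad = parse_ios_sweep(SAMPLE_SWEEP)
    print(f"IOS sweep: largest answered {ok}, first dropped {bad} -> candidate 'ip mtu {ok}'")
    # Live probe against a tunnel peer (placeholder address); exits early if ICMP is blocked.
    # best = find_max_df_payload(lambda n: linux_df_probe("10.0.0.1", n))
    # if best is not None:
    #     print(f"largest ping -s {best} => {best + IP_ICMP_OVERHEAD}-byte IP packet")
```

The value you feed into "ip mtu" is the IP packet size, so add IP_ICMP_OVERHEAD to the Linux ping payload before comparing it with the IOS sweep result. If the binary search returns None, fix ICMP reachability first; a sweep that never answers tells you nothing about the MTU.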