Need help with MTU issue (Ikev2 VPN tunnel)

broadleon
Level 1

Hi

 

I'm having issues with Microsoft server replication across a site-to-site VPN using a pair of Cisco 2951 routers. I have one server at either end of the tunnel and, whilst they can ping each other just fine, when it comes to RPC replication I can see the length of the packet is 1514:

 

24482 2244.579587 10.150.240.101 10.150.236.2 TCP 1514 [TCP Retransmission] 49670 → 64485 [ACK] Seq=352 Ack=2861 Win=261888 Len=1460

 

I also believe it is an issue with MTU, when trying a ping from the Windows server using an MTU of 1500:

 

C:\Users\Administrator>ping 10.150.236.2 -f -l 1500

Pinging 10.150.236.2 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

 

but an MTU of

 

C:\Users\Administrator>ping 10.150.236.2 -f -l 1376

Pinging 10.150.236.2 with 1376 bytes of data:
Reply from 10.150.236.2: bytes=1376 time=16ms TTL=126
Reply from 10.150.236.2: bytes=1376 time=16ms TTL=126
Reply from 10.150.236.2: bytes=1376 time=16ms TTL=126

 

I have also seen this message occasionally from the Cisco router:

 

Sep 17 16:31:46.608 GMT: ICMP: dst (10.150.240.101) frag. needed and DF set unreachable sent to 10.150.236.2

 

As a novice I'm not sure how to address the issue; I want the tunnel to handle the MTU.

I also have ZBF in use but don't see the issue of replication failing between interfaces on the same router, so I'm ruling out DCERPC.

Accepted Solution

andresfr
Cisco Employee

Hello Broadleon,

 

If you're adding overhead because you're encapsulating with GRE, ESP or both (because of the VPN), then it's expected that the MTU will be less than the default value of 1500 bytes. For TCP communications, you also have to consider the TCP maximum segment size.

 

Please refer to the following documents for more details about the MTU, TCP MSS and VPN Overhead:

 

Analyzing TCP Options

http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html

 

Cisco GRE and IPSEC

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/872-cisco-router-gre-ipsec-tunnel-transport.html

 

Resolve IPv4 fragmentation

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/872-cisco-router-gre-ipsec-tunnel-transport.html

 

You might need to adjust the configuration on the router's tunnel interfaces as follows (or similar to this):

 

R1(config)# interface Tunnel0
R1(config-if)# ip address <ip_address> <network_mask>
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source w.x.y.z
R1(config-if)# tunnel destination w.x.y.z

 

I hope you find this information useful.

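Putting the original poster's don't-fragment ping test and the accepted answer's ip mtu / ip tcp adjust-mss figures together, here is an added Python example. It is not part of this thread and not a Cisco tool: it binary-searches the largest payload that passes a DF ping (simulated here against a constructed path MTU of 1400 bytes rather than a live network), derives the MSS clamp value from that MTU, checks whether a captured frame size such as the 1514-byte retransmission would need fragmentation, and parses the router's "frag. needed and DF set" log line so it can be flagged in monitoring. The host addresses are taken from the thread; `simulated_ping_df` is a stand-in for the real ping command and the 1400-byte path is an assumption.

```python
import re
from typing import Callable, List, Optional, Tuple

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header
TCP_HEADER = 20   # TCP header without options
ETH_HEADER = 14   # Ethernet header counted in a 1514-byte capture length

# Constructed value: the largest IP packet the (simulated) IPsec path forwards.
# Chosen to match the "ip mtu 1400" in the accepted answer; a real path must be probed.
SIMULATED_PATH_MTU = 1400


def simulated_ping_df(payload: int, path_mtu: int = SIMULATED_PATH_MTU) -> str:
    """Stand-in for `ping <host> -f -l <payload>` on Windows (assumption, not a real ping).
    Returns the line the OS would print for that probe size."""
    if IP_HEADER + ICMP_HEADER + payload > path_mtu:
        return "Packet needs to be fragmented but DF set."
    return f"Reply from 10.150.236.2: bytes={payload} time=16ms TTL=126"


def ping_passed(line: str) -> bool:
    """True when a ping output line is an echo reply rather than a DF failure."""
    return line.startswith("Reply from")


def probe_path_mtu(ping: Callable[[int], str], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest DF payload that passes and convert it to a path MTU.
    hi=1472 is the largest ICMP payload that fits a 1500-byte Ethernet MTU.
    Invariant: payload `lo` passes, every payload above `hi` fails."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ping_passed(ping(mid)):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_HEADER + ICMP_HEADER


def mss_for_mtu(mtu: int) -> int:
    """MSS to clamp to so a full segment fits the tunnel MTU (1400 -> 1360)."""
    return mtu - IP_HEADER - TCP_HEADER


def tunnel_config(mtu: int) -> List[str]:
    """Interface lines matching the accepted answer's shape, derived from the probed MTU."""
    return [f"ip mtu {mtu}", f"ip tcp adjust-mss {mss_for_mtu(mtu)}"]


def will_fragment(capture_len: int, path_mtu: int) -> bool:
    """Would a frame of this captured length (Ethernet header included) exceed the path MTU?
    The thread's 1514-byte retransmission is a 1500-byte IP packet."""
    return capture_len - ETH_HEADER > path_mtu


# Matches the IOS debug line quoted in the thread.
FRAG_NEEDED_RE = re.compile(
    r"ICMP: dst \((?P<dst>[\d.]+)\) frag\. needed and DF set unreachable sent to (?P<src>[\d.]+)"
)


def parse_frag_needed(line: str) -> Optional[Tuple[str, str]]:
    """Return (packet destination, host notified) for a frag-needed log line, else None."""
    m = FRAG_NEEDED_RE.search(line)
    return (m.group("dst"), m.group("src")) if m else None


if __name__ == "__main__":
    mtu = probe_path_mtu(simulated_ping_df)
    print(f"probed path MTU: {mtu}")
    for line in tunnel_config(mtu):
        print(f"  {line}")
    print("1514-byte frame needs fragmentation:", will_fragment(1514, mtu))
    # Constructed copy of the log line from the original post.
    log = "Sep 17 16:31:46.608 GMT: ICMP: dst (10.150.240.101) frag. needed and DF set unreachable sent to 10.150.236.2"
    print("frag-needed event:", parse_frag_needed(log))
```

Against a real network, replace `simulated_ping_df` with a function that runs the ping command and returns its output line; the search then needs only about eleven probes to find the path MTU, and `mss_for_mtu` gives the adjust-mss value to apply on the tunnel interface. Parsing the frag-needed line is useful as a detection: a steady stream of these events on a tunnel is the signal that PMTUD is doing the work the MSS clamp should be doing.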

3 Replies


Hi

I was missing "ip tcp adjust-mss 1360" on the tunnel interface; this has now resolved my issue.

 

Many Thanks

I'm glad to hear that!

Regards,