09-17-2018 09:26 AM - edited 03-08-2019 04:11 PM
Hi
I'm having issues with Microsoft server replication across a site-to-site VPN using a pair of Cisco 2951 routers. I have one server at either end of the tunnel, and whilst they can ping each other just fine, when it comes to RPC replication I can see the length of the packet is 1514
24482 2244.579587 10.150.240.101 10.150.236.2 TCP 1514 [TCP Retransmission] 49670 → 64485 [ACK] Seq=352 Ack=2861 Win=261888 Len=1460
I also believe it is an issue with MTU, when trying a ping from the Windows server using an MTU of 1500.
C:\Users\Administrator>ping 10.150.236.2 -f -l 1500
Pinging 10.150.236.2 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
but a MTU of
C:\Users\Administrator>ping 10.150.236.2 -f -l 1376
Pinging 10.150.236.2 with 1376 bytes of data:
Reply from 10.150.236.2: bytes=1376 time=16ms TTL=126
Reply from 10.150.236.2: bytes=1376 time=16ms TTL=126
Reply from 10.150.236.2: bytes=1376 time=16ms TTL=126
I have also occasionally seen this message from the Cisco router:
Sep 17 16:31:46.608 GMT: ICMP: dst (10.150.240.101) frag. needed and DF set unreachable sent to 10.150.236.2
As a novice I'm not sure how to address the issue; I want the tunnel to handle the MTU.
I also have ZBF in use but don't see the issue of replication failing between interfaces on the same router, so ruling out dcerpc.
09-17-2018 10:00 AM
Hello Broadleon,
If you're adding overhead because you're encapsulating with GRE, ESP or both (because of the VPN), then it's expected that the MTU will be less than the default value of 1500 bytes. For TCP communications, you also have to consider the TCP maximum segment size.
Please refer to the following documents for more details about the MTU, TCP MSS and VPN Overhead:
Analyzing TCP Options
http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html
Cisco GRE and IPSEC
Resolve IPv4 fragmentation
You might need to adjust the configuration on the router's tunnel interfaces as follows (or similar to this):
R1(config)# interface Tunnel0
R1(config-if)# ip address <ip_address> <network_mask>
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source w.x.y.z
R1(config-if)# tunnel destination w.x.y.z
I hope you find this information useful.
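Added example, not part of the original posts: the arithmetic that links the DF-bit pings, the 1514-byte frame in the capture, and the ip mtu 1400 / ip tcp adjust-mss 1360 pair above, plus a binary search for the largest packet that passes unfragmented. It assumes IPv4 and TCP headers without options; simulated_path and the 1404-byte path are constructed stand-ins for real DF-set pings.

```python
# Added example: sizes behind the DF-bit pings and the tunnel settings above.
# Assumes IPv4 and TCP headers without options (20 bytes each).
ETH_HDR, IP_HDR, ICMP_HDR, TCP_HDR = 14, 20, 8, 20


def ping_packet_size(payload):
    """Windows 'ping -l N' sets the ICMP payload; the IP packet is N + 28."""
    return payload + IP_HDR + ICMP_HDR


def tcp_packet_size(segment_len):
    """IP packet size for a TCP segment carrying segment_len bytes of data."""
    return segment_len + IP_HDR + TCP_HDR


def mss_for_mtu(ip_mtu):
    """Largest TCP payload that fits in one unfragmented packet of ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest IP packet size for which probe(size) is True.

    probe(size) stands in for one DF-set ping: 'ping -f -l <size - 28>'.
    """
    if not probe(lo):
        raise ValueError("even the minimum size does not pass")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(path_mtu):
    """Constructed stand-in for a real path: passes packets up to path_mtu."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    print("ping -l 1500 ->", ping_packet_size(1500), "byte IP packet")
    print("ping -l 1376 ->", ping_packet_size(1376), "byte IP packet")
    print("Len=1460 segment ->", tcp_packet_size(1460) + ETH_HDR, "byte frame")
    print("MSS for ip mtu 1400:", mss_for_mtu(1400))
    print("search on a constructed 1404-byte path:",
          find_path_mtu(simulated_path(1404)))
```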
09-17-2018 10:29 AM
Hi
I was missing "ip tcp adjust-mss 1360" on the tunnel interface; this has now resolved my issue.
Many Thanks
09-17-2018 12:36 PM