05-17-2011 05:06 AM
Hi all,
We run a hub & spoke network with dual GRE tunnels from each spoke site to separate, independent ADSL routers at the hub.
IPsec is enabled on each tunnel with crypto maps, and then QoS is enabled with pre-classify for voice traffic priority. We also have defined a class for Citrix traffic by identifying port 1494 traffic out and anything bound for our Citrix servers' IPs.
Ok, so the problem is that once the encryption comes up on the tunnels, the Citrix programs won't connect. Take the crypto map off the tunnel and all works fine.
Here is the relevant config
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key **** address *.*.*.*
crypto isakmp key **** address *.*.*.*
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to hub1
 set peer *.*.*.*
 set transform-set ESP-3DES-SHA
 match address 104
 qos pre-classify
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to hub2
 set peer *.*.*.*
 set transform-set ESP-3DES-SHA
 match address 105
 qos pre-classify
policy-map QoS
 class VoiceTraffic
  bandwidth 200
 class CitrixTraffic
  bandwidth 100
 class class-default
  fair-queue
policy-map Tun0-map
 class class-default
  shape average 350000
  service-policy QoS
interface Tunnel0
 bandwidth 350
 ip address 172.20.235.2 255.255.255.0
 ip mtu 1378
 delay 55000
 qos pre-classify
 tunnel source Dialer2
 tunnel destination *.*.*.*
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
 service-policy output Tun0-map
!
interface Tunnel1
 ip address 172.21.235.2 255.255.255.0
 ip mtu 1378
 delay 125000
 qos pre-classify
 tunnel source Dialer2
 tunnel destination *.*.*.*
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
I deliberately weight EIGRP to favour Tun0 and have Tun1 as a failover. I was thinking of route-mapping the Citrix traffic to Tun1, but would like to ask on here if anyone knows why it's not working as is...
Any thoughts appreciated.
Paul
05-26-2011 01:34 AM
Hi Paul,
To know for sure we would have to get packet captures (i.e. "sniff" the traffic on the Citrix server, for example, or ideally on both sides of the tunnel); however, a blind guess is that with encryption the packets get too large.
Try configuring:
interface
 ip tcp adjust-mss 1300
and see if that helps. If it does, you can further tweak the value, i.e. increase it incrementally until it stops working to find the highest working value.
If the "ip mtu 1378" you have configured on the Tunnel interfaces is correct, then "ip tcp adjust-mss 1338" will probably be optimal (tunnel mtu minus 40 bytes for the IP and TCP headers).
hth
Herbert
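The size arithmetic behind Herbert's suggestion, as an added example that is not part of the thread: it models TCP inside GRE inside ESP-3DES-SHA and checks whether an inner packet of the tunnel's "ip mtu 1378" still fits the physical link, and goes a step further by finding the largest inner MTU that never needs fragmentation. It assumes IPsec tunnel mode (the crypto map default), no IP or TCP options, and a PPPoE/ADSL link MTU of 1492; the constants and function names are my own.

```python
# Added example (not from the thread): size arithmetic for TCP over GRE over
# ESP-3DES-SHA, to sanity-check values such as "ip mtu 1378" and
# "ip tcp adjust-mss 1338". Assumptions: ESP tunnel mode (the crypto map
# default), no IP/TCP options, PPPoE/ADSL link MTU of 1492.

IP_HDR = 20          # IPv4 header without options (used for inner, GRE delivery and ESP outer)
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # GRE header without key, sequence or checksum fields
ESP_HDR = 8          # SPI + sequence number
ESP_IV_3DES = 8      # 3DES-CBC initialisation vector
ESP_TRAILER = 2      # pad length + next header bytes
ESP_ICV_SHA1 = 12    # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 8     # 3DES block size; payload + trailer is padded to a multiple of it


def esp_tunnel_size(plaintext_len: int) -> int:
    """Bytes on the wire for `plaintext_len` bytes protected by ESP in tunnel mode."""
    padded = -(-(plaintext_len + ESP_TRAILER) // CIPHER_BLOCK) * CIPHER_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV_3DES + padded + ESP_ICV_SHA1


def wire_size(inner_ip_len: int) -> int:
    """Bytes sent on the physical link for one inner IP packet of `inner_ip_len` bytes."""
    gre_packet = IP_HDR + GRE_HDR + inner_ip_len   # GRE delivery IP header + GRE + payload
    return esp_tunnel_size(gre_packet)


def mss_for_tunnel_mtu(tunnel_ip_mtu: int) -> int:
    """Herbert's rule: the tunnel 'ip mtu' minus the IP and TCP headers."""
    return tunnel_ip_mtu - IP_HDR - TCP_HDR


def fits_link(inner_ip_len: int, link_mtu: int = 1492) -> bool:
    """True if the encapsulated packet needs no fragmentation on `link_mtu`."""
    return wire_size(inner_ip_len) <= link_mtu


def max_inner_mtu(link_mtu: int = 1492) -> int:
    """Largest inner IP packet that always fits `link_mtu` after GRE + ESP."""
    n = link_mtu
    while not fits_link(n, link_mtu):
        n -= 1
    return n


if __name__ == "__main__":
    print(mss_for_tunnel_mtu(1378))           # 1338
    print(wire_size(1378), fits_link(1378))   # 1456 True
    print(max_inner_mtu(1492))                # 1414
```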