Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1130
Views
0
Helpful
5
Replies

ASA-IPSEC L2L with GRE Tunnel doesn't work

ksimsimon
Level 1
Level 1

‎08-14-2008 01:28 AM - edited ‎02-21-2020 03:53 PM

Hi,

we have a asa-asa connection between 2 buildings with ipsec and a gre tunnel between them because we use eigrp for this network.the tunnel is ok works perfect but i get syslog messages like :

Aug 13 17:04:54 FWH50031 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:134.81.191.233 dst inside:134.81.227.78 (type 3, code 4) on outside interface. Original IP payload: <unknown>.

Aug 13 17:05:04 FWH50031 %ASA-6-602101: PMTU-D packet 1462 bytes greater than effective mtu 1434, dest_addr=134.81.191.178, src_addr=134.81.227.78, prot=GRE

and we don't find anything about on cisco to adjust the PMTU-D size on the GRE Tunnel.

(net)-(tunnel-gre)--(asa)--airconnectinon--(asa)--(tunnel-gre)-(net)

Labels:
0 Helpful
5 Replies 5

Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-14-2008 02:07 AM

Try this on both routers:

interface tun X

ip mtu 1400

ip tcp adjust-mss 1360

You have to set this on both ends.

Regards

Farrukh

0 Helpful

ksimsimon
Level 1
Level 1
In response to Farrukh Haroon

‎08-14-2008 02:19 AM

Hello Farrukh,

thanks for the fast response.

the command ip tcp adjust-mss 1360 does't work on both routers. its a 6500 sh ver

Cisco Internetwork Operating System Software

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)

srs282k3(config)#int tunnel 0

srs282k3(config-if)#ip tcp ?

compression-connections Maximum number of compressed connections

header-compression Enable TCP header compression

srs282k3(config-if)#ip tcp

i have now configured on both sides

srs282k3(config-if)#ip mtu 1416

srs282k3(config-if)#tunnel path-mtu-discovery

srs282k3(config-if)#

and start the next try to test this.

regards

Klaus

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to ksimsimon

‎08-14-2008 03:27 AM

This command was introduced in 12.2(33)SXH I think.

Make sure you have PMTUD enabled through the firewall (particularly the packet-too-big ICMP type).

Regards

Farrukh

0 Helpful

ksimsimon
Level 1
Level 1
In response to Farrukh Haroon

‎08-14-2008 03:32 AM

Hello Farrukh,

i have a standard config for the asa,s what means this packet too big ICMP Type?

do you hav a example for this ?

thx

Klaus

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to ksimsimon

‎08-14-2008 04:08 AM

It is just an ICMP type like 'echo' 'echo-reply'

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents