Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
782
Views
0
Helpful
3
Replies

MTU issues over GRE DMVPN

craftedpacket
Level 1
Level 1

‎12-16-2013 01:42 PM - edited ‎02-21-2020 07:23 PM

I have a DMVPN setup using simple GRE and VRF's with one Hub and a few spokes.  At one client we are having MTU issues where we have had to manually change the MTU of the servers on the hub side and the clients on the spoke side to 1476 or lower.  I realize this is due to GRE overhead but I dont understand where the negotiation is failing and how to resolve it without manually changing MTU on all of the devices (some devices have no option to set MTU). 

I have read about writing a policy map to clear the DF bit and adjust the MTU size...is this the proper method?  I have also read about the tunnel path-mtu-discovery command but I dont have a test router handy and I am unsure if this command is on the tunnel by default.  Anyone have any experiance with GRE tunnels and possible MTU issues that could shed some light on this for me?  Below are some of my config if it helps.

Hub:

interface Tunnel1

ip vrf forwarding xxxxx

ip address x.x.x.x x.x.x.x

no ip redirects

ip mtu 1400

ip nhrp authentication dmvpn

ip nhrp map multicast dynamic

ip nhrp network-id XXX

delay 1000

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel key XXX

tunnel protection ipsec profile XXXX shared

Spoke:

interface Tunnel1

ip address x.x.x.x x.x.x.x

no ip redirects

ip mtu 1400

ip nhrp authentication dmvpn

ip nhrp map multicast x.x.x.x

ip nhrp map x.x.x.x x.x.x.x

ip nhrp network-id xxx

ip nhrp holdtime 300

ip nhrp nhs x.x.x.x

no ip split-horizon eigrp 2

delay 1000

tunnel source GigabitEthernet0

tunnel mode gre multipoint

tunnel key xxx

tunnel protection ipsec profile xxxxx

Labels:
0 Helpful
3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

‎12-16-2013 03:10 PM

Take a look at using the following command to ensure the max segement size is <=1400. This would go on your tunnel interfaces.

ip tcp adjust-mss 1400

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Hope it helps.

0 Helpful

craftedpacket
Level 1
Level 1
In response to Collin Clark

‎12-17-2013 09:52 AM

Thanks collin,  I tried adding those commands on my tunnel interface last night but it did not resolve the issue.

0 Helpful

craftedpacket
Level 1
Level 1
In response to craftedpacket

‎12-17-2013 12:34 PM

TAC had me change the mss to 1360...guess well see if that changes anything.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents