Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3290
Views
11
Helpful
10
Replies

Tunnel IPSEC GRE problem

Go to solution
adelbano
Level 1
Level 1

‎07-12-2012 04:12 AM - edited ‎02-21-2020 06:11 PM

Hello cracks!

I've configured a tunnel ipsec between 2 sites with gre and ospf.

The tunnel is up successfully and routes in ospf are correct and I have ping to all sites, but http applications don't works fine.

The first thing I though that was a MTU problem.

I began to do pings to a remote host with DF bit increasing the packet size until receive the typical message it's necessary fragment

but when I did a ping -f with 1400 I have request time out.

What could be the problem? This is tunnel configuration.

The tunnel is established between 2 internet lines (10Mb and 30Mb)....

Thanks a lot a lot...

interface Tunnel0

description $FW_INSIDE$

ip address 10.29.0.9 255.255.255.252

ip access-group 103 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip ospf cost 150

tunnel source GigabitEthernet0/1

tunnel destination publicip

!

interface Tunnel1

ip address 10.29.0.5 255.255.255.252

ip access-group 103 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1420

ip ospf cost 150

tunnel source GigabitEthernet0/1

tunnel destination publicip

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to adelbano

‎07-12-2012 11:10 AM

Albert,

Saying "it" doesn't work is of no help :-)

As I said, it's time to take a sniffer trace ideally on both sides to compare what's going on, don't guess what you're fixing - diagnose it.

M.

View solution in original post

10 Replies 10

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-12-2012 05:21 AM

Try lowering the MSS on the tunnel interfaces to physical MTU - 40.  "ip tcp adjust-mss 1358" for example ;-)

0 Helpful

Go to solution
adelbano
Level 1
Level 1
In response to Marcin Latosiewicz

‎07-12-2012 06:46 AM

It doesn't work.

physical interface MTU are 1500

Tunnel0 is up, line protocol is up

  Hardware is Tunnel

  Internet address is 10.29.0.10/30

  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

I don't understand why tunnel mtu is 17916 and no 1358....

Albert.

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to adelbano

‎07-12-2012 07:49 AM

It's time to run sniffer trace.

You're looking at  L2 MTU not IP MTU.

And you should check the path MTU not really the setting.

You can try enabling path MTU discovery (and tunnel path MTU discovery), if you're running a recent version you might actually see decent results.

M.

0 Helpful

Go to solution
adelbano
Level 1
Level 1
In response to Marcin Latosiewicz

‎07-12-2012 08:26 AM

Where path MTU discovery must be placed? Only on interface tunnel? I ve configured it and it doesn't work...

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to adelbano

‎07-12-2012 11:10 AM

Albert,

Saying "it" doesn't work is of no help :-)

As I said, it's time to take a sniffer trace ideally on both sides to compare what's going on, don't guess what you're fixing - diagnose it.

M.

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Marcin Latosiewicz

‎07-15-2012 03:26 PM

Albert,

Indeed we need to run a packet-sniffer to look for any abnormal behaviour when people try to access the HTTP sites.

You need to find if there is any fragmentation issues, TCP loss-packets, among others... Thats why Marcin suggested to collect that information and based on your findings, proceed accordingly.

Thanks.

0 Helpful

Go to solution
adelbano
Level 1
Level 1
In response to Javier Portuguez

‎07-16-2012 02:33 AM

Hello Marcin, Javier.

First of all, sorry for poor information I gave you to help me.

I thing that problem is solved, but I will need your help to close the issue...

The problem was that in tunnel interface Cisco Configuration Professional configured no ip unreachebles in all interfaces.

When I tried to do a ping for example 1410 bytes (without -f option), the ping didn't arrive to destination. It was like a filter...

Now, with ip unreacheables enabled all works fine, but I need to now why with no unreachebles the ping doesn't arrive to destination...if I had forced MTU in tunel interface...

And now the ping maximum data ping I can send through interface is 1392.

1392+ICMP(28)=1420 (IP MTU)

If packets needs too IPSEC header, the packet always will be fragmented...

I have no configured ip tcp adjust-mss 1380.

Do you thing it's necessary configure it?

Thanks a lot for your help!!!

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to adelbano

‎07-16-2012 05:33 AM

Dear Albert,

I am glad to hear that.

When it comes to GRE/IPsec we usually recommend 1380, please check the link below for a better understanding:

Avoiding IP Fragmentation: What TCP MSS Does and How It Works

http://tools.cisco.com/squish/94FF2

Thanks

Please rate any post you find helpful.

Go to solution
adelbano
Level 1
Level 1
In response to Javier Portuguez

‎07-17-2012 03:27 AM

Hello.

I've configured in the tunnel interface

ip mtu 1420

ip tcp adjust-mss 1380

tunnel path-mtu-discovery

Are necessary all these commands? If I configure manually mtu it's necessary the mtu discovery?

tcp adjust always is go with ip mtu?

These are my lasts questions about this issue...

Thanks a lot!

Albert.

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to adelbano

‎07-17-2012 05:42 AM

Dear Albert,

Since you already know what the allowed MTU size is then you can do the math and define it manually on the Router.

Indeed the TCP MSS must be proportional to the MTU size in order to avoid fragmentation.

Thanks.

Customers Also Viewed These Support Documents