RE: VPN mtu problem

From: Kumar, Manoj (manoj.kumar@citigroup.com)
Date: Mon Jul 25 2005 - 15:31:56 GMT-3


Hi

The URL below kind of explains a similar issue. Please check it out:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

It looks to me like an MTU problem, as you are receiving type 3, code 4 messages (destination unreachable, fragmentation required).

Regards
Manoj

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of buesink@fma.nl
Sent: Monday, July 25, 2005 8:20 PM
To: ccielab@groupstudy.com
Subject: VPN mtu problem

Hi Guys,

I have hosts in a vlan on the 6500 (mtu 1500) and I have hosts on the 2800.
They are connected with a tunnel, over this tunnel I'm running ipsec.
When copying LARGE files I run into troubles (slow traffic).

I'm sure the ICMP is permitted on all directions (PMTUD)

I think the below URL explains a similar issue, check it out:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

If you are receiving code 3, type 4, that means Destination Unreachable; Fragmentation Needed and DF set. So that almost points to an MTU problem.

Regards,
manoj
 
Could you please help me on this one:

hosts <--6500 --3750--(internet)--3750--2800--> hosts

tunnel/gre ------------------------tunnel/gre

incoming interface mtu on 6500 = 1500 (where hosts reside)
incoming interface mtu on 2800 = 1500 (where hosts reside)

Tunnel interfaces on 6500 & 2000 are using "ip mtu 1440", since
I use "mode transport" with the transform statement (crypto) for ipsec.
And cisco recommends this "transport mode" since we are running ipsec over tunnel.

When I debug icmp, I see ICMP redirects code 3 type 4 (DF bit set), from hosts on the 2800 sending to the 6500 hosts. I think this is normal, because they're doing PMTUD.

But large file copies (20 MB = 30 minutes) are having problems over this link, NOTE this link is 1 Gigabit (from 3750 to 3750 = internet connection).

Could this be MTU related, or am I searching in the wrong direction?
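
The "ip mtu 1440" value discussed in this thread can be checked against the per-packet overhead of GRE carried in ESP transport mode. The following is an added example, not part of the original messages: the function names are hypothetical, and the cipher parameters (3DES-CBC or AES-CBC with a 96-bit HMAC), the plain 4-byte GRE header and the 1500-byte path are assumptions, since the thread does not show the transform set.

```python
# Added example: overhead of an inner IP packet sent through GRE and then
# protected by IPsec ESP in transport mode (IPv4, no IP options).
# All cipher parameters below are assumptions; the thread does not state them.
IP_HDR = 20        # outer IPv4 header added by GRE, kept by transport mode
GRE_HDR = 4        # basic GRE header, no key/sequence/checksum
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ICV = 12           # HMAC-SHA1-96 or HMAC-MD5-96

# cipher name -> (block size, IV size) in bytes, CBC mode
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}


def outer_size(inner_len, cipher):
    """Size on the wire of an inner packet after GRE + ESP transport mode."""
    block, iv = CIPHERS[cipher]
    plaintext = GRE_HDR + inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block
    return IP_HDR + ESP_HDR + iv + padded + ICV


def max_inner_mtu(path_mtu, cipher):
    """Largest inner packet whose encrypted form still fits in path_mtu."""
    block, iv = CIPHERS[cipher]
    room = path_mtu - IP_HDR - ESP_HDR - iv - ICV
    return (room // block) * block - GRE_HDR - ESP_TRAILER


def tunnel_verdict(inner_len, df_set, tunnel_ip_mtu):
    """Simplified model of the tunnel head-end decision before encryption."""
    if inner_len <= tunnel_ip_mtu:
        return "forward"
    # DF set: drop and answer with ICMP type 3 code 4 carrying the tunnel MTU,
    # which is what lets the sending host complete PMTUD.
    return "icmp-3/4 mtu=%d" % tunnel_ip_mtu if df_set else "fragment"


if __name__ == "__main__":
    for name in CIPHERS:
        print(name, "1440 ->", outer_size(1440, name),
              "max inner:", max_inner_mtu(1500, name))
    print(tunnel_verdict(1500, True, 1440))
```

Under these assumptions a 1440-byte inner packet becomes 1496 bytes on the wire with 3DES but 1512 bytes with AES-CBC, so whether 1440 fits a 1500-byte path depends on the transform set in use.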


