RE: VPN mtu problem

From: Kelly, Russell G (russell.kelly@uk.bp.com)
Date: Mon Jul 25 2005 - 17:02:07 GMT-3

• Next message: Chris Lewis \(chrlewis\): "RE: Formulas for calculating QOS Values"
• Previous message: gladston@br.ibm.com: "BC and TC maximum value"
• Maybe in reply to: buesink@fma.nl: "VPN mtu problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

 On the 6500 you can also add the following command to the interface ip
tcp adjust-mss <mss>

As well as the route map interface configuration on the 3750's:

 ip policy route-map clear-df

route-map clear-df permit 10
 match ip address 101
 set ip df 0

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kumar, Manoj
Sent: 25 July 2005 19:32
To: buesink@fma.nl; ccielab@groupstudy.com
Subject: RE: VPN mtu problem

Hi

The below URL, kind of, explains a similar issue, Please check it out

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a
0080093f1f.shtml

It looks to me an MTU problme as you are receive type 3, code 4 message
(destination unreachable, fragmentation required).

Regards
Manoj

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
buesink@fma.nl
Sent: Monday, July 25, 2005 8:20 PM
To: ccielab@groupstudy.com
Subject: VPN mtu problem

Hi Guys,

I have hosts in a vlan on the 6500 (mtu 1500) and I have hosts on the
2800.
They are connected with a tunnel, over this tunnel I'm running ipsec.
When copying LARGE files I run into troubles (slow traffic).

I'm sure the ICMP is permitted on all directions (PMTUD)

I think the below URL explains a similar issue, check it out:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a
0080093f1f.shtml

If you are receiving code 3, type 4 that means, Destination Unreachable;
Fragmentation Needed and DF set. So that, almost points to an MTU
problem .

Regards,
manoj
 
Could you please help me on this one:

hosts <--6500 --3750--(internet)--3750--2800--> hosts

tunnel/gre ------------------------tunnel/gre

incoming interface mtu on 6500 = 1500 (where hosts reside) incoming
interface mtu on 2800 = 1500 (where hosts reside)

Tunnel interfaces on 6500 & 2000 are using "ip mtu 1440", since I use
"mode transport" with the tranform statement (crypto) for ipsec.
And cisco recommends this "tranport mode" since we are running ipsec
over tunnel

When I debug icmp, I see ICMP redirects code 3 type 4 (DF bit set), from
hosts on the 2800 sending to the 6500 hosts.. I think this is normal,
because their doing PMTUD.

But large file copies (20 MB = 30 minutes) are having problems over this
link, NOTE this link is 1 Gigabit (from 3750 to 3750 = internet
connection).

Could this be MTU related, or am I searching in the wrong direction?

• Next message: Chris Lewis \(chrlewis\): "RE: Formulas for calculating QOS Values"
• Previous message: gladston@br.ibm.com: "BC and TC maximum value"
• Maybe in reply to: buesink@fma.nl: "VPN mtu problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:31 GMT-3