RE: GRE over IPSEC VPN MTU issue.....

From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Mon Jul 30 2007 - 08:27:00 ART


I'm curious which IOS version corrected your MTU problems?

Rik

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Dave Beattie
Sent: Tuesday, July 24, 2007 9:58 AM
To: Biggs, Jeff (M/CIO/BIE); ccielab@groupstudy.com
Subject: RE: GRE over IPSEC VPN MTU issue.....

I hit this exact issue using over 50 1800s over ADSL/SDSL/E1. In the end
Cisco got me to change the IOS version and it sorted it out. In the meantime
this solution was heavily Citrix based, so we adjusted the MTU on the
servers!

HTH

Dave

________________________________

From: nobody@groupstudy.com on behalf of Biggs, Jeff (M/CIO/BIE)
Sent: Tue 7/24/2007 2:39 PM
To: ccielab@groupstudy.com
Subject: GRE over IPSEC VPN MTU issue.....

We are testing a solution that we already have in place on a different
vendor, but testing with a new firewall set (Juniper Netscreens).
Anyway, we are running GRE over IPSEC for routing purposes over our VPNs
and for some reason with the new solution, the MTU is not negotiating down
(we are clearing the DF BIT, so PMTUD is not an issue here) to the 1420 MTU
I have set on the GRE Tunnels.

Also it seems that from one network, we have no issues RDP'ing or FTP'ing
but from another it fails. This seems like a rule base issue, but I don't
control the firewall, so I am "relying" on the firewall team to make sure it
is not.

Anyone have any ideas to test this? I know about the ip tcp mss-adjust
command, but the current solution doesn't require this, so I want to try and
avoid it if possible.

Anyone seen something like this before or have any ideas for direction?

Thanks,

Jeffrey Biggs

Sr. Network Engineer

M/CIO/BIE

CCNP, CCDA

240-646-5003

jbiggs@usaid.gov <mailto:jbiggs@usaid.gov>



