> One other thought: Keep in mind that the added 24-byte GRE header has consequences for both sides of the session. If either the client or the server tries to send 1500-byte packets, the additional GRE header may result in a need for fragmentation, which can't happen if the DF bit is set. So your coworkers may be telling you that the ICMP dest unreachable (frag needed but DF bit set) messages aren't getting filtered, but they may be only looking at it from the point of view of just the client or just the server.
>
> If worse comes to worst, you can manually decrease the MTU at the clients and the servers. Also, if your tunnel is going over links that support large MTUs (> than 1524), you can increase the tunnel MTU. (That isn't usually the case, though.)
>
> One last thought, make sure you aren't barking up the wrong tree altogether. Perhaps the fact that you aren't seeing ICMP dest unreachable messages is a good thing. That part is working. Something else is broken. Do you use encryption, IPSec, or anything else fragile on that tunnel??
>
> Ok, that's enough rambling. &;-)<

I agree with Priscilla. It sounds as though you may have a path MTU issue at stake here. One way to test this is to do some MTU probes. Since you didn't mention what type of client you are using, I will assume it is some form of a Winthing. If you go to a DOS box and type "ping", you will notice there are a lot of switches/arguments that will work with ping. You might want to turn on a few of these and try to ping a far end host on the other side of your tunnel. For example, try this:

    ping -f -l 500

If that works, try a higher value:

    ping -f -l 1000

Keep going up in buffer (datagram) size until the need to fragment exists, but the capability to do so is turned off. You will know this happens when the pings start to fail. Once you hit the exact number, that will tell you your path MTU. That may be the MTU that you want to set when sending traffic down the tunnel.
Priscilla is also correct that ICMP return messages may be blocked by your firewall (or access lists).

HTH,
Paul Werner
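The probing procedure from the reply above, automated as a binary search. This is an added example, not part of the original thread; the function names and the simulated 1476-byte path (1500 minus the 24-byte GRE header mentioned above) are assumptions made for illustration. It adds the 28 bytes of IPv4 and ICMP headers that the `-l` size does not count, so the result is the packet size on the wire.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def windows_df_ping(host, size, timeout_ms=2000):
    """Send one echo request with DF set (-f) and `size` data bytes (-l)."""
    out = subprocess.run(
        ["ping", "-f", "-l", str(size), "-n", "1", "-w", str(timeout_ms), host],
        capture_output=True, text=True).stdout
    # Assumption: "TTL=" appears only on a genuine echo reply line, so it is
    # a more reliable success signal than the exit code.
    return "TTL=" in out


def largest_df_payload(probe, low=0, high=1472):
    """Largest data size in [low, high] for which probe(size) succeeds.

    Returns None when even `low` fails: the host is down or ICMP is
    filtered, and no MTU conclusion can be drawn from the probes.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits without fragmentation
        else:
            high = mid - 1   # mid needed fragmentation (or was dropped)
    return low


def path_mtu(probe, low=0, high=1472):
    """Path MTU in bytes, headers included, or None if nothing got through."""
    payload = largest_df_payload(probe, low, high)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


def simulated_path(mtu):
    """Constructed stand-in for a real path: succeeds while the packet fits."""
    return lambda size: size + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real probe against the host given as argument
        print(path_mtu(lambda s: windows_df_ping(sys.argv[1], s)))
    else:                   # offline demo: Ethernet minus 24-byte GRE header
        print(path_mtu(simulated_path(1500 - 24)))
```

A probe that fails at every size, including 0, points at filtering or reachability rather than MTU, which is why that case returns `None` instead of a number.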

