Hi
If your routers are connected by Switches
You need to check if your switch allows jumbo frames
Increasing the layer 3 packet sizes on the routers does not make it
automatically right for Layer2
regs
Haakon Claassen
EMEA - IT Transport Services -WAN
Cisco Systems
De Kleetlaan 6b - Pegasus Park
B-1831 Diegem (Belgium)
-----Original Message-----
From: Thomas N. [mailto:[EMAIL PROTECTED]]
Sent: woensdag 2 oktober 2002 3:40
To: [EMAIL PROTECTED]
Subject: Re: VPN tunnel with IPSec over GRE [7:54634]
Thank you All for the confirmation! I used extended ping with DF bit
set as
Richarde mentioned and found out that the packet size that can fit into
the
tunnel without fragmentation is much less than 1500 bytes. I also went
over
couple white papers from Cisco website. They mentions about using "ip
tcp
adjust-mss ", "ip mtu " as well as "tunnel path-mtu-discovery"
command. I tried to apply these commands on the routers at the 2
endpoints
of the tunnel but it still didn't work. I see myself running into the
confusion and have couple questions regarding:
- What's the difference between "ip tcp adjust-mss " and "ip mtu
" commands?
- Which one should I use? or both?
- Which and where I should apply these commands? on the tunnel
interfaces,
Ethernet segment, or on the Internet interface?
Below is my topology. Client machine needs to pass through the tunnel,
then
hit the Proxy Server for Internet access. Again, thank you All for the
HELP!!!
Client ---> Fa0/0-RouterA-Fa0/1---> IPSec over GRE
tunnel --->Fa0/1-RouterB-Fa0/0---> Proxy Server---> Internet
Thomas
""Richard Deal"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> It's probably an MTU problem.
>
> I have an IPSec connection being tunneled via GRE, which in turn, is
> tunneled by another IPSec connection. Don't ask why I'm doing this :-)
But
> we had to set the MTU down to 1320 to prevent fragmentation, and thus
> performance, issues.
>
> In your case, you might want to try using the extended ping with the
"no
> fragment" option to determine which MTU size will work in your
situation.
>
> Cheers!
>
> Richarde
> ""Thomas N."" wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Hi All,
> >
> > I am setting up a site-to-site VPN between 2 LANs using Cisco IOS
VPN
> (Cisco
> > 2600 routers). I could get the tunnel up and running between the
two
LANs
> > with IPSec over GRE so that I can run EIGRP. Data transfer between
2
LANs
> > across the tunnel looks OK, and all dynamic routes learned with
EIGRP.
> > However, a problem come up when I put a Proxy Server on the first
LAN
and
> > force Internet traffic from workstations from the second LAN to go
out
> with
> > this Proxy server. Workstations from the second LAN could browse
Internet
> > across the tunnel to reach the Proxy server then hit the Internet;
> however,
> > the performance is very poor (seem like browsing over a 56k modem).
I
am
> > thinking this may be because of fragmentation on the 2 routers. Is
there
> > any work around for this issue? If MTU size needs to be adjusted,
what
> > would be the ideal MTU size for IPSec over GRE tunnel in "tunnel"
mode?
> > Again, thank you All for the help!
> >
> > Thomas N.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54695&t=54634
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
