Is this an encrypted GRE tunnel over the internet? The "recommended" MTU is 1400 bytes on both ends. Use the clear-dont-fragment-bit knob on the Juniper side, and do "ip tcp mss-adjust 1360" on the Cisco side. Also on the Cisco side, ingress interfaces should have a route-map applied to clear the DF bit of the packets, similar to the following:

    route-map clear-df-bit permit 10
     set ip df 0

    interface fa0/0
     ip policy route-map clear-df-bit

Note that "crypto ipsec clear df" on the Cisco side does not work for traffic passing through GRE tunnels, and you should not have this command enabled if you are doing encrypted GRE tunnels. Similarly on the Juniper side, under the ipsec-vpn rule you should not configure the clear-dont-fragment-bit option (I forget the exact knob name, but it's there). The reason for this is that if you configure path-mtu-discovery these options will break it.

As noted below, you may have to lower the MTU or the tcp-adjust depending on the ciphers you are using. As much as possible, you want to avoid fragmenting and reassembling GRE or IPsec packets. I would lower the MTU and tcp mss-adjust until you stop seeing GRE and IPSec fragmentation.

There are some odd bugs related to the clear-dont-fragment-bit option on the Juniper end. If you are doing packet classification ingress on the router, all packets must be classified with a loss-priority of "low." Otherwise packets will get blackholed if the next-hop is over the GRE tunnel. I think this is fixed in 10.0S8, but not in 10.0R4. Probably is fixed in 10.2R3, but I haven't tested.

________________________________
From: "Linder, Todd" <t...@onenet.net>
To: giulian...@uol.com.br; juniper-nsp@puck.nether.net
Sent: Wed, November 3, 2010 9:15:02 AM
Subject: Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

I recently had a similar issue between a Juniper and a Cisco router. I resolved some of those symptoms by adjusting the TCP maximum segment size. You may have to play with this setting until it yields the best result. I use the "ip tcp adjust-mss 1300" and applied it to the interfaces used. This size seemed to yield the best results for my scenario.
Todd Linder
Network Support Engineer
OneNet
Oklahoma's Telecommunications Network

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Giuliano Cardozo Medalha
Sent: Wednesday, November 03, 2010 8:04 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

People,

We are trying to close a GRE tunnel between Juniper and Cisco routers without success.

We have tried a lot of MTU configurations but the traffic is suffering a lot ... sometimes slow, sometimes some pages do not open.

Have you ever configured something like this before? Any tip or configuration related to best practices?

Thanks a lot,

Giuliano

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
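
Added example (not part of the original thread): a small calculator showing why the tunnel MTU and MSS that fit depend on the cipher and on the path MTU. It assumes IPv4, ESP with a CBC cipher, no NAT-T, no GRE key or sequence fields, and no IP or TCP options; the transform table and function names are constructed for illustration.

```python
# Added example: sizes for an IPv4 GRE tunnel protected by ESP (CBC cipher).
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4      # no IP/TCP options, no GRE key/seq
ESP_HDR, ESP_TRAILER = 8, 2               # SPI + sequence; pad-length + next-header

# Constructed transform table: (cipher block size, IV length, truncated ICV length)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
}

def esp_gre_size(inner_len, transform, tunnel_mode=True):
    """On-the-wire size of an inner IP packet after GRE, then ESP."""
    block, iv, icv = TRANSFORMS[transform]
    gre_packet = IP_HDR + GRE_HDR + inner_len
    # Transport mode reuses the GRE delivery header as the outer IP header.
    payload = gre_packet if tunnel_mode else gre_packet - IP_HDR
    # ESP pads payload + trailer up to a multiple of the cipher block size.
    padded = -(-(payload + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv

def max_tunnel_mtu(path_mtu, transform, tunnel_mode=True):
    """Largest inner packet that is not fragmented after encapsulation."""
    mtu = path_mtu
    while esp_gre_size(mtu, transform, tunnel_mode) > path_mtu:
        mtu -= 1
    return mtu

def mss_for(tunnel_mtu):
    """TCP MSS that keeps a full segment within the tunnel MTU."""
    return tunnel_mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    for path_mtu in (1500, 1492):          # Ethernet path, PPPoE-sized path
        for name in TRANSFORMS:
            mtu = max_tunnel_mtu(path_mtu, name)
            print(f"path {path_mtu} {name:24} tunnel MTU {mtu} MSS {mss_for(mtu)}")
```

Under these assumptions a 1400-byte tunnel MTU with MSS 1360 fits a 1500-byte path, but on a 1492-byte path the AES-CBC ceiling drops to 1398, which is the kind of case where the values need lowering.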