VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread Thomas N.

Hi All,

I am setting up a site-to-site VPN between 2 LANs using Cisco IOS VPN (Cisco
2600 routers).  I could get the tunnel up and running between the two LANs
with IPSec over GRE so that I can run EIGRP.  Data transfer between 2 LANs
across the tunnel looks OK, and all dynamic routes learned with EIGRP.
However, a problem came up when I put a Proxy Server on the first LAN and
force Internet traffic from workstations from the second LAN to go out with
this Proxy server.  Workstations from the second LAN could browse Internet
across the tunnel to reach the Proxy server then hit the Internet; however,
the performance is very poor (seems like browsing over a 56k modem).  I am
thinking this may be because of fragmentation on the 2 routers.  Is there
any workaround for this issue?  If MTU size needs to be adjusted, what
would be the ideal MTU size for IPSec over GRE tunnel in "tunnel" mode?
Again, thank you All for the help!

Thomas N.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54634&t=54634
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread Richard Deal

It's probably an MTU problem.

I have an IPSec connection being tunneled via GRE, which in turn, is
tunneled by another IPSec connection. Don't ask why I'm doing this :-) But
we had to set the MTU down to 1320 to prevent fragmentation, and thus
performance, issues.

In your case, you might want to try using the extended ping with the "no
fragment" option to determine which MTU size will work in your situation.

Cheers!

Richarde




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54639&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread [EMAIL PROTECTED]

Hi,

I think the following URL could help:

http://www.cisco.com/warp/public/105/56.html

Regards,

Alaerte










Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54646&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread Chuck's Long Road

Some other folks had some good things to say in response. I just wanted to
add an experience I had that I was pretty much able to verify in my lab as
well as on a customer network.

Customer ran IPX on their network. For particular locations, the cost of
frame relay was hideous, so we proposed a VPN. We tunneled IPX through a GRE
tunnel with IPSEC 3DES. Connectivity was fine. I saw all routes. We could
ping the routers throughout the network ( IP was enabled on all routers for
remote management ) I saw all IP routes and all IPX routes. IPX pings and IP
pings router to router worked fine.

But the customer workstations could not log on to the IPX servers, let alone
do any work.

Drove me nuts. We had TAC cases open, we had some vendor involvement for
Novell and for PCAnywhere, which the customer used to distribute their
application. I believe I even had a thread going here on the issue.

When I did some testing in my home lab, mimicking the customer network, I
found a number of problems when I would do IPX and IP pings using a 1500
byte packet, but the problems disappeared when I used a 1499 byte packet
size. Go figure.

I also know that using my employer's VPN ( Cisco VPN client connecting to a
CVPN box ) that there was a problem with a particular application ( it would
not work over the VPN, but worked fine when I was in the office ) that was
solved by reducing the MTU for the VPN connection ( setting on the Cisco VPN
client software ) from the default to about 600 bytes.

So, whether it is logical or not, it would seem that connections over IPSEC
tunnels can be positively or adversely affected by MTU size.

There is probably a good reason for this. Maybe counting on my fingers, all
the headers, payloads, etc would yield an answer.

But MTU definitely can contribute to problems over IPSEC.


Chuck
--

www.chuckslongroad.info
like my web site?
take the survey!







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54666&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread Robert Raver

Everybody,

I would have to agree with Chuck. I work on TAC for their VPN support and
deal with these issues every day.  If the tunnel establishes and the traffic
does not pass then look at the MTU.  MTU can cause a lot of problems.

Thanks,
Robert Raver
Cisco Systems Inc.
[EMAIL PROTECTED]








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54670&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread Ben W

I too have seen these issues with VPN before, but unfortunately changing the
MTU did not help for me.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54671&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread Thomas N.

Thank you All for the confirmation!  I used extended ping with DF bit set as
Richarde mentioned and found out that the packet size that can fit into the
tunnel without fragmentation is much less than 1500 bytes.  I also went over
a couple of white papers from the Cisco website.  They mention using "ip tcp
adjust-mss ", "ip mtu " as well as the "tunnel path-mtu-discovery"
command.  I tried to apply these commands on the routers at the 2 endpoints
of the tunnel but it still didn't work.  I see myself running into
confusion and have a couple of questions:

- What's the difference between the "ip tcp adjust-mss " and "ip mtu " commands?
- Which one should I use? Or both?
- Which ones, and where, should I apply: on the tunnel interfaces,
Ethernet segment, or on the Internet interface?

Below is my topology.  Client machine needs to pass through the tunnel, then
hit the Proxy Server for Internet access.  Again, thank you All for the
HELP!!!


Client ---> Fa0/0-RouterA-Fa0/1 ---> IPSec over GRE tunnel ---> Fa0/1-RouterB-Fa0/0 ---> Proxy Server ---> Internet



Thomas







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54686&t=54634
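
Added example (not part of any post in this thread): the header arithmetic behind the DF-ping result above and the "counting all the headers" idea raised earlier, for GRE carried inside IPsec ESP. It assumes ESP with 3DES-CBC and a 96-bit HMAC, a plain 4-byte GRE header, IPv4 without options and a 1500-byte path MTU; all function names are illustrative.

```python
"""Per-packet overhead of GRE carried inside IPsec ESP (added example).

Assumptions, not taken from the thread: IPv4 headers without options, a
4-byte GRE header (no key/checksum/sequence), ESP with 3DES-CBC (8-byte
block and IV) and a 96-bit HMAC ICV.
"""

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length and next-header bytes, encrypted with the payload


def esp_packet_size(inner_len, mode="tunnel", block=8, iv=8, icv=12):
    """Bytes on the wire for an inner IP packet after GRE, then ESP."""
    if mode == "tunnel":
        # ESP encrypts the whole GRE packet, including the GRE delivery
        # IP header, and prepends a new outer IP header.
        plaintext = IPV4_HDR + GRE_HDR + inner_len
    elif mode == "transport":
        # ESP keeps the GRE delivery IP header as the outer header and
        # encrypts only the GRE header plus the inner packet.
        plaintext = GRE_HDR + inner_len
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    to_pad = plaintext + ESP_TRAILER
    ciphertext = -(-to_pad // block) * block   # round up to the cipher block
    return IPV4_HDR + ESP_HDR + iv + ciphertext + icv


def largest_unfragmented(fits, low=68, high=1500):
    """Binary-search the largest size for which fits(size) is true.

    This is the same sweep as an extended ping with the DF bit set:
    `fits` stands in for "the DF ping of this size got a reply".
    """
    if not fits(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if fits(mid):
            low = mid
        else:
            high = mid - 1
    return low


def tunnel_budget(path_mtu=1500, mode="tunnel"):
    """Largest inner packet and TCP MSS that avoid fragmentation."""
    inner = largest_unfragmented(
        lambda n: esp_packet_size(n, mode) <= path_mtu, high=path_mtu)
    return {
        # Upper bound for the IP MTU of the tunnel interface.
        "max_inner_packet": inner,
        # Upper bound for the MSS that TCP endpoints should negotiate.
        "tcp_mss": inner - IPV4_HDR - TCP_HDR,
        "wire_size": esp_packet_size(inner, mode),
    }


if __name__ == "__main__":
    print("1500-byte inner packet on the wire:", esp_packet_size(1500))
    for mtu in (1500, 1492):
        for mode in ("tunnel", "transport"):
            print(mtu, mode, tunnel_budget(mtu, mode))
```

Under these assumptions, `max_inner_packet` is the value an `ip mtu` setting on the tunnel interface has to stay at or below, and `tcp_mss` is the matching ceiling for `ip tcp adjust-mss`; a different transform set changes both.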



RE: VPN tunnel with IPSec over GRE [7:54634]

2002-10-01 Thread Haakon Claassen (hclaasse)

Hi

If your routers are connected by switches,
you need to check if your switch allows jumbo frames.

Increasing the layer 3 packet sizes on the routers does not make it
automatically right for Layer 2.


regs

 
Haakon Claassen
EMEA - IT Transport Services -WAN
 
Cisco Systems
De Kleetlaan 6b - Pegasus Park
B-1831 Diegem (Belgium)
 
 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54695&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-02 Thread sam sneed

What kind of Proxy server is it? Hopefully UNIX so you can do a tcpdump to
see what is actually getting to it. I'd suggest hooking up some packet
sniffers in different places to see what is getting where and you'll be
able to narrow down the problem.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54736&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-02 Thread Thomas N.

We have Ms. Proxy Server 2.0

Thomas.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54754&t=54634



Re: VPN tunnel with IPSec over GRE [7:54634]

2002-10-03 Thread nettable_walker

10/3/2002 9:45pm Thursday

When I look @ the link you referenced I can honestly see why I love Cisco &
truly regret working on Bay/Nortel routers & switches for 2 1/2 years before
ever touching Cisco & letting my ego headed boss bully me into getting the
Nortel Networks Certified Support Expert!
Try to find something like this link on Nortel's useless web site.  Try to
find out how to recover the password on their ASN router by looking on their
useless web site!
All they have is marketing.  Cisco tells us how to do the job.

Good Night




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54846&t=54634