[j-nsp] GRE Tunnel bet JUNIPER and CISCO

2010-11-03 Thread Giuliano Cardozo Medalha

People,

We are trying to close a GRE tunnel between juniper and Cisco routers 
without success.


We have tried a lot of MTU configurations but the traffic is suffering a 
lot ... sometimes slow, sometimes some pages do not open.


Have you ever configured something like this before?

Any tip or configuration related to best practices?

Thanks a lot,

Giuliano
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

2010-11-03 Thread masood
Generally, this issue is related to MTU and fragmentation. If you have a
problem with loading web-pages and slow tcp response, you better try
adjusting tcp-mss settings on your cisco router. You can use the following
command under tunnel interface, most of the time it works for me :)

interface tunnelX
 ip tcp adjust-mss 1436


On juniper side you can add the following knobs under the gr interface conf


gr-x/x/x {
    unit x {
        clear-dont-fragment-bit;
        reassemble-packets;
        tunnel {
            path-mtu-discovery;
        }
    }
}

Thanks

BR//
Masood




Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

2010-11-03 Thread juniper

Hi Giuliano,

We have configured that like:

CISCO:
-
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery ---IMPORTANT

interface FastEthernet0/1
 description LAN INTERFACE
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
!
interface FastEthernet0/0
 description Internet Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group allow-gre in
 ip nat inside
 duplex auto
 speed auto
!
!
ip access-list extended allow-gre
 permit gre any any

JUNIPER
---

gr-0/2/0 {
    unit 0 {
        description "Tunnel GRE Cisco-Juniper";
        tunnel {
            source 192.168.1.2;
            destination 192.168.1.1;
        }
        family inet {
            mtu 1514;
            address 172.20.1.2/30;
        }
    }
}






Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

2010-11-03 Thread Linder, Todd
I recently had a similar issue between a Juniper and a Cisco router,
I resolved some of those symptoms by adjusting the tcp maximum segment
size. You may have to play with this setting until it yields the best
result. I use the ip tcp adjust-mss 1300 and applied it to the
interfaces used. This size seemed to yield the best results for my
scenario.


Todd Linder
Network Support Engineer
OneNet 
Oklahoma's Telecommunications Network
 



Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

2010-11-03 Thread Derick Winkworth
Is this an encrypted GRE tunnel over the internet?

The recommended MTU is 1400 bytes on both ends. Use the
clear-dont-fragment-bit knob on the juniper side, and do ip tcp mss-adjust
1360 on the Cisco side. Also on the Cisco side, ingress interfaces should
have a route-map applied to clear the df bit of the packets similar to the
following:


route-map clear-df-bit permit 10
 set ip df 0

interface fa0/0
 ip policy route-map clear-df-bit



Note that crypto ipsec clear df on the Cisco side does not work for traffic
passing through GRE tunnels, and you should not have this command enabled if
you are doing encrypted GRE tunnels. Similarly on the Juniper side, under the
ipsec-vpn rule you should not configure the clear-dont-fragment-bit option (I
forget the exact knob name, but it's there). The reason for this is that if
you configure path-mtu-discovery these options will break it.

As noted below, you may have to lower the MTU or the tcp-adjust depending on
the ciphers you are using.

As much as possible, you want to avoid fragmenting and reassembling GRE or
IPsec packets. I would lower the MTU and tcp mss-adjust until you stop seeing
GRE and IPSec fragmentation.

There are some odd bugs related to the clear-dont-fragment-bit option on the 
Juniper end.  If you are doing packet classification ingress on the router, all 
packets must be classified with a loss-priority of low.  Otherwise packets 
will get blackholed if the next-hop is over the GRE tunnel.  I think this is 
fixed in 10.0S8, but not in 10.0R4.  Probably is fixed in 10.2R3, but I haven't 
tested.


  



From: Linder, Todd t...@onenet.net
To: giulian...@uol.com.br; juniper-nsp@puck.nether.net
Sent: Wed, November 3, 2010 9:15:02 AM
Subject: Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

I recently had a similar issue between a Juniper and a Cisco router,
I resolved some of those symptoms by adjusting the tcp maximum segment
size. You may have to play with this setting until it yields the best
result. I use the ip tcp adjust-mss 1300 and applied it to the
interfaces used. This size seemed to yield the best results for my
scenario.




Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

2010-11-03 Thread Ben Dale
As others have mentioned, on the Cisco side you can use ip tcp adjust-mss 1436.
On the Juniper side, I'm not sure how widely the reassemble-packets knob is
supported across platforms, but the alternative is:

set security flow all-tcp mss 1436

The only downside is that this will adjust MSS on all traffic, not just GRE.

Cheers,

Ben
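
Added example, not part of any post in this thread: the arithmetic behind the
MSS values suggested above (1436 for plain GRE over a 1500-byte path, 1360 for
a 1400-byte tunnel MTU), plus a check for the GRE/ESP fragmentation Derick
recommends tuning away. The function names and the sample headers are
constructed for illustration.

```python
import struct

GRE, ESP, TCP = 47, 50, 6             # IP protocol numbers
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4  # header sizes in bytes, no options, no GRE key

def gre_tunnel_mtu(path_mtu, extra_overhead=0):
    """IP MTU left inside a GRE tunnel; extra_overhead covers e.g. IPsec."""
    return path_mtu - IP_HDR - GRE_HDR - extra_overhead

def mss_for(tunnel_mtu):
    """Largest TCP MSS whose segment fits the tunnel without fragmentation."""
    return tunnel_mtu - IP_HDR - TCP_HDR

def parse_ipv4(pkt):
    """Extract the IPv4 header fields that matter for fragmentation."""
    if len(pkt) < IP_HDR or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"proto": pkt[9], "total_len": total_len,
            "df": bool(flags_frag & 0x4000),
            "fragment": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) > 0}

def audit(packets, tunnel_mtu):
    """Count fragmented GRE/ESP packets and DF packets too large for the tunnel."""
    report = {"gre_fragments": 0, "esp_fragments": 0, "df_too_big": 0}
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["fragment"] and h["proto"] == GRE:
            report["gre_fragments"] += 1
        elif h["fragment"] and h["proto"] == ESP:
            report["esp_fragments"] += 1
        elif h["df"] and h["total_len"] > tunnel_mtu:
            report["df_too_big"] += 1  # relies on PMTUD or a cleared DF bit
    return report

def header(proto, total_len, df=False, mf=False, offset=0):
    """Constructed 20-byte IPv4 header for the sample (checksum left at zero)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                       64, proto, 0, bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))

# Constructed sample: a 1500-byte TCP packet with DF set, the two fragments
# of a 1524-byte GRE packet, and one GRE packet that fits in a single frame.
SAMPLE = [header(TCP, 1500, df=True), header(GRE, 1500, mf=True),
          header(GRE, 44, offset=1480), header(GRE, 1460)]

if __name__ == "__main__":
    print(mss_for(gre_tunnel_mtu(1500)), audit(SAMPLE, gre_tunnel_mtu(1500)))
```

Nonzero fragment counts after a change mean the MTU or MSS clamp is still too
high for the encapsulation in use.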
