[j-nsp] GRE Tunnel bet JUNIPER and CISCO
People,

We are trying to close a GRE tunnel between Juniper and Cisco routers without success. We have tried a lot of MTU configurations but the traffic is suffering a lot ... sometimes slow, sometimes some pages do not open.

Have you ever configured something like this before? Any tip or configuration related to best practices?

Thanks a lot,

Giuliano

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO
Generally, this issue is related to MTU and fragmentation. If you have a problem with loading web pages and slow TCP response, you had better try adjusting the tcp-mss settings on your Cisco router. You can use the following command under the tunnel interface; most of the time it works for me :)

    interface tunnelX
     ip tcp adjust-mss 1436

On the Juniper side you can add the following knobs under the gr interface configuration:

    gr-x/x/x {
        unit x {
            clear-dont-fragment-bit;
            reassemble-packets;
            tunnel {
                path-mtu-discovery;
            }
        }
    }

Thanks
BR// Masood

> People, We are trying to close a GRE tunnel between juniper and Cisco routers without success. [...]
Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO
Hi Giuliano,

We have configured that like:

CISCO:

    interface Tunnel0
     ip address 172.20.1.1 255.255.255.252
     keepalive 10 3
     tunnel source FastEthernet0/0
     tunnel destination 192.168.1.2
     tunnel path-mtu-discovery    ! ---IMPORTANT
    !
    interface FastEthernet0/1
     description LAN INTERFACE
     ip address 10.0.0.254 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface FastEthernet0/0
     description Internet Interface
     ip address 192.168.1.1 255.255.255.0
     ip access-group allow-gre in
     ip nat inside
     duplex auto
     speed auto
    !
    ip access-list extended allow-gre
     permit gre any any

JUNIPER:

    gr-0/2/0 {
        unit 0 {
            description "Tunnel GRE Cisco-Juniper";
            tunnel {
                source 192.168.1.2;
                destination 192.168.1.1;
            }
            family inet {
                mtu 1514;
                address 172.20.1.2/30;
            }
        }
    }

On 03/11/2010 13:04, Giuliano Cardozo Medalha wrote:
> People, We are trying to close a GRE tunnel between juniper and Cisco routers without success. [...]
Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO
I recently had a similar issue between a Juniper and a Cisco router; I resolved some of those symptoms by adjusting the TCP maximum segment size. You may have to play with this setting until it yields the best result.

I use `ip tcp adjust-mss 1300` and applied it to the interfaces used. This size seemed to yield the best results for my scenario.

Todd Linder
Network Support Engineer
OneNet
Oklahoma's Telecommunications Network

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Giuliano Cardozo Medalha
Sent: Wednesday, November 03, 2010 8:04 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

> People, We are trying to close a GRE tunnel between juniper and Cisco routers without success. [...]
Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO
Is this an encrypted GRE tunnel over the internet? The recommended MTU is 1400 bytes on both ends. Use the clear-dont-fragment-bit knob on the Juniper side, and do `ip tcp mss-adjust 1360` on the Cisco side.

Also on the Cisco side, ingress interfaces should have a route-map applied to clear the DF bit of the packets, similar to the following:

    route-map clear-df-bit permit 10
     set ip df 0
    !
    interface fa0/0
     ip policy route-map clear-df-bit

Note that `crypto ipsec clear df` on the Cisco side does not work for traffic passing through GRE tunnels, and you should not have this command enabled if you are doing encrypted GRE tunnels. Similarly on the Juniper side, under the ipsec-vpn rule you should not configure the clear-dont-fragment-bit option (I forget the exact knob name, but it's there). The reason for this is that if you configure path-mtu-discovery these options will break it.

As noted below, you may have to lower the MTU or the tcp-adjust depending on the ciphers you are using. As much as possible, you want to avoid fragmenting and reassembling GRE or IPsec packets. I would lower the MTU and tcp mss-adjust until you stop seeing GRE and IPsec fragmentation.

There are some odd bugs related to the clear-dont-fragment-bit option on the Juniper end. If you are doing packet classification ingress on the router, all packets must be classified with a loss-priority of low. Otherwise packets will get blackholed if the next-hop is over the GRE tunnel. I think this is fixed in 10.0S8, but not in 10.0R4. Probably is fixed in 10.2R3, but I haven't tested.

From: Linder, Todd t...@onenet.net
To: giulian...@uol.com.br; juniper-nsp@puck.nether.net
Sent: Wed, November 3, 2010 9:15:02 AM
Subject: Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

> I recently had a similar issue between a Juniper and a Cisco router, I resolved some of those symptoms by adjusting the tcp maximum segment size. [...]
Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO
As others have mentioned, on the Cisco side you can use `ip tcp adjust-mss 1436`. On the Juniper side, I'm not sure how widely the reassemble-packets knob is supported across platforms, but the alternative is:

    set security flow tcp-mss all-tcp mss 1436

The only downside is that this will adjust MSS on all traffic, not just GRE.

Cheers,
Ben

On 03/11/2010, at 11:04 PM, Giuliano Cardozo Medalha wrote:
> People, We are trying to close a GRE tunnel between juniper and Cisco routers without success. [...]
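As an added example, not code from the thread or from either vendor: the header arithmetic behind the values quoted in the replies above (1476/1436 for plain GRE on a 1500-byte path, 1400/1360 for the encrypted case) and a small model of how an unclamped MSS turns into the "some pages do not open" symptom. It assumes option-free IPv4 headers and a base GRE header; the IPsec overhead is a parameter because it depends on the cipher, and the 56-byte figure in the demo is an assumed placeholder, not a measured value.

```python
# Added example (not from the thread, not vendor code): header arithmetic for
# GRE / GRE-over-IPsec and a model of what happens to an oversized segment.
# IPv4 headers are assumed option-free; the IPsec overhead is a parameter
# because it depends on cipher and mode, and the demo value is an assumption.

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4   # base GRE header with no key, sequence or checksum field


def gre_tunnel_mtu(path_mtu: int, ipsec_overhead: int = 0) -> int:
    """Largest inner IP packet that fits in one outer packet on the path."""
    return path_mtu - IPV4_HDR - GRE_HDR - ipsec_overhead


def tcp_mss_for_mtu(tunnel_mtu: int) -> int:
    """MSS to clamp to so a full TCP segment fills exactly one tunnel MTU."""
    return tunnel_mtu - IPV4_HDR - TCP_HDR


def encapsulated_size(mss: int, ipsec_overhead: int = 0) -> int:
    """Wire size of a full-size segment after GRE (and optional IPsec) encapsulation."""
    inner_ip = mss + TCP_HDR + IPV4_HDR
    return inner_ip + GRE_HDR + IPV4_HDR + ipsec_overhead


def segment_fate(mss: int, path_mtu: int, *, df_set: bool,
                 icmp_reaches_sender: bool, ipsec_overhead: int = 0) -> str:
    """Fate of one full-size segment on the tunnel path.

    "forwarded"  - fits, nothing to do
    "fragmented" - outer DF clear: a router fragments the outer packet (works,
                   costs CPU, and reassembly fails if any fragment is lost)
    "pmtud"      - outer DF set and ICMP Fragmentation Needed gets back to the
                   sender, which lowers its segment size
    "blackhole"  - outer DF set but the ICMP is filtered: the same too-big
                   segment is retransmitted until the connection stalls, so
                   small pages load and large ones never finish
    """
    if encapsulated_size(mss, ipsec_overhead) <= path_mtu:
        return "forwarded"
    if not df_set:
        return "fragmented"
    return "pmtud" if icmp_reaches_sender else "blackhole"


def main() -> None:
    # Plain GRE on a 1500-byte path: 1500 - 20 - 4 = 1476 tunnel MTU,
    # 1476 - 40 = 1436 MSS, the value used in the replies above.
    mtu = gre_tunnel_mtu(1500)
    print("GRE tunnel MTU:", mtu, "MSS:", tcp_mss_for_mtu(mtu))
    # The encrypted case from the thread: a 1400-byte tunnel MTU clamps to 1360.
    print("1400-byte tunnel -> MSS", tcp_mss_for_mtu(1400))

    ASSUMED_IPSEC_OVERHEAD = 56  # placeholder; the real value depends on the cipher
    cases = [
        ("default host MSS, DF set, ICMP filtered", 1460, True, False, 0),
        ("default host MSS, DF set, ICMP arrives", 1460, True, True, 0),
        ("default host MSS, DF cleared", 1460, False, False, 0),
        ("MSS clamped to 1436", 1436, True, False, 0),
        ("MSS 1436 with IPsec added", 1436, True, False, ASSUMED_IPSEC_OVERHEAD),
        ("MSS 1360 with IPsec added", 1360, True, False, ASSUMED_IPSEC_OVERHEAD),
    ]
    for label, mss, df, icmp, ipsec in cases:
        fate = segment_fate(mss, 1500, df_set=df, icmp_reaches_sender=icmp,
                            ipsec_overhead=ipsec)
        print(f"{label:42s} wire={encapsulated_size(mss, ipsec):4d} -> {fate}")


if __name__ == "__main__":
    main()
```

Run it and the last table shows the thread's advice in numbers: 1436 is exactly what fits through plain GRE on a 1500-byte path, adding IPsec on top of it overflows again, and the blackhole row is the case where the only fix is clamping MSS (or clearing DF) on the routers, because the sending host never learns the path is smaller.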