Re: [c-nsp] gre tunnel mtu mismatch

On Thu, Oct 4, 2018, at 13:33, Gert Doering wrote: > On Wed, Oct 03, 2018 at 02:42:22PM -0700, Mike wrote: > > > > I have tried setting in the tunnel interface "ip mtu 1476" but I get an > > error: > > > > ip mtu 1476 > > IP MTU not supported on interface Tunnel0 > > Well, reasonable equipment s

Re: [c-nsp] gre tunnel mtu mismatch

Hi, On Wed, Oct 03, 2018 at 03:46:30PM -0600, Raymond Burkholder wrote: > On 2018-10-03 3:42 p.m., Mike wrote: > > I have an ME3600 and an ASR920. Im trying to run ospf over a gre > > tunnel and having issues because OSPF seems to see a different tunnel > > mtu on either end of the link. > > on

Re: [c-nsp] gre tunnel mtu mismatch

Hi, On Wed, Oct 03, 2018 at 02:42:22PM -0700, Mike wrote: > On the me3600, the transport MTU is 8976 bytes, while on the ASR920 it's > 1476. The me3600 has most of it's interfaces with a 9216 bytes, while on > the asr920 the single internet facing interface has a 1500byte mtu. > > > I have tri

Re: [c-nsp] gre tunnel mtu mismatch

On 2018-10-03 3:42 p.m., Mike wrote: I have an ME3600 and an ASR920. Im trying to run ospf over a gre tunnel and having issues because OSPF seems to see a different tunnel mtu on either end of the link. on other cisco gear I've worked, there has been a parameter in ospf to ignore mtu, I belie

[c-nsp] gre tunnel mtu mismatch

Hi, I have an ME3600 and an ASR920. Im trying to run ospf over a gre tunnel and having issues because OSPF seems to see a different tunnel mtu on either end of the link. On the me3600, the transport MTU is 8976 bytes, while on the ASR920 it's 1476. The me3600 has most of it's interfaces with

Re: [c-nsp] GRE tunnel (inside ICMP fails after two pings) - Wits End

Try turning off keep alive on the Cisco side (“no keepalive"). I’ve seen issues with GRE tunnels to non-Cisco boxen with that enabled (even when the other side supposedly supports it) Chris > On 24 Aug 2018, at 9:09 am, David Deutsch wrote: > > Hoping the list can help with this one. > > I

Re: [c-nsp] GRE tunnel (inside ICMP fails after two pings) - Wits End

Have you run a packet capture on your Linux box to see if the Linux box is sending more than two echo requests / that it is receiving more than two echo requests from the router? Have you run an embedded packet capture on the ASR1k to see what it sends / receives? What do you see in your inter

[c-nsp] GRE tunnel (inside ICMP fails after two pings) - Wits End

Hoping the list can help with this one. I have a basic GRE tunnel between my Cisco ASR1006 and a Linux box. On the Cisco side: interface Tunnel100 description Tun 100 - BPT ip address 172.16.100.1 255.255.255.0 tunnel source x.x.136.1 tunnel destination x.x.x.234 I have several of these bas

[c-nsp] GRE Tunnel

Has anybody configured a GRE tunnel between a Cisco router and a NSX Edge? I am going to give it a try, hopefully someone can confirm its possible? Mike ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisc

Re: [c-nsp] GRE tunnel issue - ASR 903

Hello Gauthier, Thanks for your feedback. I'll find out another way then. Regards, Mouniri ⁣Envoyé par BlueMail ​ Le 13 mars 2018 à 14:28, à 14:28, Gauthier DOUCHET a écrit: >Hello Mouniri, > >I met the same problem with a GRE tunnel on ARS920. >At this moment, I haven't found a working solut

Re: [c-nsp] GRE tunnel issue - ASR 903

Hello Mouniri, I met the same problem with a GRE tunnel on ARS920. At this moment, I haven't found a working solution. I tried to play with MTU values but didn't seem to have an impact. Gauthier 2018-03-12 21:24 GMT+01:00 Mouniri Md : > Hello all, > > I tested gre tunnel on a ASR 903 and I have

[c-nsp] GRE tunnel issue - ASR 903

Hello all, I tested gre tunnel on a ASR 903 and I have slow speed (less than 10Mbps) when doing some iperf test whereras when gre tunnel is not used I can reach the wire speed. I tried to play with the mtu without success. Do someone have already experiencing this? It looks like that gre trafic

Re: [c-nsp] GRE tunnels on 9k

ospf 200 area 0.0.0.0 tunnel source xx.xx.xx.xx tunnel destination xx.xx.xx.xx mtu 9000 bandwidth 10 no shutdown From: Arie Vayner [mailto:ar...@vayner.net] Sent: Monday, June 26, 2017 10:42 AM To: Nick Cutting ; cisco-nsp (cisco-nsp@puck.nether.net) Subject: Re: [c-nsp] GRE tunnels

Re: [c-nsp] GRE tunnels on 9k

n nexus 9k, rather than ASR9000 > And the ASr920 tunnels were ASR - ASR, not ASR -> nexus > > -Original Message- > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of > Nick Cutting > Sent: Tuesday, June 20, 2017 9:25 AM > To: cisco-nsp (cisco-ns

Re: [c-nsp] GRE tunnels on 9k

net) Subject: [c-nsp] GRE tunnels on 9k Good morning, I am having some really crazy results when testing GRE tunnels on nexus 9k's. They seem to work about 10 percent of the time. I am going a little mad thinking about where the stars and planets were when these tunnels worked. This is with th

[c-nsp] GRE tunnels on 9k

Good morning, I am having some really crazy results when testing GRE tunnels on nexus 9k's. They seem to work about 10 percent of the time. I am going a little mad thinking about where the stars and planets were when these tunnels worked. This is with the source and destination in the global ta

Re: [c-nsp] GRE fragmentation and ASR9001

On 22/08/15 01:08, Jeff Bacon wrote: OK, I agree - so what sort of device would that be, if one were to go look for one? Firewall. I know for a fact that Juniper SRX high-end devices will reassemble and then re-fragment on transmission - sometimes not on the same fragment boundaries - for

Re: [c-nsp] GRE fragmentation and ASR9001

> On Tue, 11 Aug 2015, Gert Doering wrote: > > > Indeed... "it might be implemented eventually, but today it isn't, so > > if you turn it on, your packets will be destroyed in creative ways" :-) > > > > But I'm relieved that it's not only me who can't find a formal word on this. > > With the kind

Re: [c-nsp] GRE fragmentation and ASR9001

On (2015-08-11 12:20 +0200), Mikael Abrahamsson wrote: Hey, > Re-assembly of fragmented packets is typically something that routers do not > do. As soon as you need to keep state across packets you need a fairly > differently engineered device. You need some state during fragmentation as well. I

Re: [c-nsp] GRE fragmentation and ASR9001

Hi Gert, > Adam Vitkovsky IP Engineer T: 0333 006 5936 E: adam.vitkov...@gamma.co.uk W: www.gamma.co.uk This is an email from Gamma Telecom Ltd, trading as “Gamma”. The contents of this email are confidential to the ordinary user of the email address to which it

Re: [c-nsp] GRE fragmentation and ASR9001

On Tue, 11 Aug 2015, Gert Doering wrote: Indeed... "it might be implemented eventually, but today it isn't, so if you turn it on, your packets will be destroyed in creative ways" :-) But I'm relieved that it's not only me who can't find a formal word on this. With the kind of router that ASR9

Re: [c-nsp] GRE fragmentation and ASR9001

Hi, On Tue, Aug 11, 2015 at 09:43:47AM +, Adam Vitkovsky wrote: > IPV4_FRAG_TUNNEL Punt Not > implemented by ucode > -this one actually concerns me > -does it mean it's going to be slow, or punted to RP, or just dropped > -not sure what I should ma

Re: [c-nsp] GRE fragmentation and ASR9001

rincipal place of business is at Kings House, Kings Road West, Newbury, Berkshire, RG14 5BY. -Original Message- > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of > Gert Doering > Sent: 11 August 2015 09:53 > To: cisco-nsp@puck.nether.net > Subject: [c

[c-nsp] GRE fragmentation and ASR9001

Hi, my google fu is failing me - so apologies if this is in easily findable documentation... I want (need) to connect two ASR9001s over a GRE tunnel "across the public Internet" (= outside MTU 1500), but need to provide a larger inner MTU (~1600). So, fragmentation and reassembly required. Easy

Re: [c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue

lf Of Gert Doering Sent: Wednesday, July 15, 2015 3:24 PM To: a.l.m.bu...@lboro.ac.uk Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue Hi, On Wed, Jul 15, 2015 at 06:55:57PM +, a.l.m.bu...@lboro.ac.uk wrote: > (though more googling finds statement o

Re: [c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue

Hi, On Wed, Jul 15, 2015 at 06:55:57PM +, a.l.m.bu...@lboro.ac.uk wrote: > (though more googling finds statement of no official > support for GRE even on 3750-X or that it cannot terminate GRE... well, the > commands are there and the tunnel works.. Classic IOS misfeature - "if the hardware

Re: [c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue

> On 15 Jul 2015, at 20:50, a.l.m.bu...@lboro.ac.uk wrote: > > Hi, > >>> we have a GRE tunnel between a 6506 (sup2T) running IOS 15.1 and a 3750 >>> running IOS 15.2 >> >> 3750 doesn’t support GRE, you’re hitting limitation of the platform. >> It’s miracle it works - mostly propably, because i

Re: [c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue

Hi, > we have a GRE tunnel between a 6506 (sup2T) running IOS 15.1 and a 3750 > running IOS 15.2 just to correct my shoddy problem statement, its s 6506E chassis with Sup2T and a 3750x (12s)(though more googling finds statement of no official support for GRE even on 3750-X or that it cann

Re: [c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue

Hi, > > we have a GRE tunnel between a 6506 (sup2T) running IOS 15.1 and a 3750 > > running IOS 15.2 > > 3750 doesn’t support GRE, you’re hitting limitation of the platform. > It’s miracle it works - mostly propably, because it hits software > forwarding path, and even if it’s not supported, it

Re: [c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue

> On 15 Jul 2015, at 19:34, a.l.m.bu...@lboro.ac.uk wrote: > > hi, > > okay...have googled and looked around...and no current joy. Tunnel bandwidth configured on the interface, or being default is only for information, and is not being enforced in any way. > we have a GRE tunnel between a 650

[c-nsp] GRE tunnel 8000kbit (8Mbit) limit issue

hi, okay...have googled and looked around...and no current joy. we have a GRE tunnel between a 6506 (sup2T) running IOS 15.1 and a 3750 running IOS 15.2 both ends report the tunnel interface as having the following details/limits Tunnel TTL 255, Fast tunneling enabled Path MTU Discovery,

Re: [c-nsp] GRE and MSS adjust on ASR9K

alf Of John > Neiberger > Sent: Saturday, December 07, 2013 6:26 AM > To: Blake Dunlap > Cc: cisco-nsp@puck.nether.net > Subject: Re: [c-nsp] GRE and MSS adjust on ASR9K > > > > Thanks! My Google-Fu must be weak. That page didn't turn up for me > > desp

Re: [c-nsp] GRE and MSS adjust on ASR9K

t: Re: [c-nsp] GRE and MSS adjust on ASR9K Thanks! My Google-Fu must be weak. That page didn't turn up for me despite multiple searches with variations of "IOS XR tcp mss" and things like that. I appreciate the help. On Fri, Dec 6, 2013 at 11:16 PM, Blake Dunlap wrote: > Ap

Re: [c-nsp] GRE and MSS adjust on ASR9K

Thanks! My Google-Fu must be weak. That page didn't turn up for me despite multiple searches with variations of "IOS XR tcp mss" and things like that. I appreciate the help. On Fri, Dec 6, 2013 at 11:16 PM, Blake Dunlap wrote: > Appears to be added in 9k 4.3.2 based on documentation. > > http://w

Re: [c-nsp] GRE and MSS adjust on ASR9K

Appears to be added in 9k 4.3.2 based on documentation. http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/general/release/notes/reln_432a9k.html#concept_49AEDFA126ED408DBD1B04048C1E24B8 -Blake On Fri, Dec 6, 2013 at 10:40 PM, John Neiberger wrote: > A co-worker is replacing a

[c-nsp] GRE and MSS adjust on ASR9K

A co-worker is replacing a 7600 with an ASR9K running 4.2.3. The 7600 currently terminates a GRE tunnel that requires the tcp mss-adjust command. Neither one of us can find a similar feature in the XR command references. Are we just missing it or does this code not have that feature? It seems like

Re: [c-nsp] GRE tunnel routes not making it into FIB - 2911/K9

Hi Tim, The fact that you are seeing the physical interface (gig0/0) is normal, as it is the recursive adjacency and ultimately the interface through which will exit the box. You can do a "show ip cef 0.0.0.0 0.0.0.0 int" if you want to see more details about the recursion. The issue is somewhere

[c-nsp] GRE tunnel routes not making it into FIB - 2911/K9

I have a customer with a strange problem that I can duplicate on a similar set up. We are both using Cisco 2911 routers. His is running version 15.1(4)M5 (base license), and mine is running 15.0(1)M6. What's happening is this: There is a GRE tunnel set up between his router (a 2911) and mine (a

[c-nsp] GRE support in IOS-XR-12K

 Hi Does any one has any idea if GSR-12K With IOS-XR support GRE Tunnels. Appericiate if someone could send me a sample config Thanks Amit ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archi

Re: [c-nsp] GRE Throughput

bile: +46 70 962 71 03gustav.ulan...@steria.se www.steria.se-cisco-nsp-boun...@puck.nether.net skrev: -Till: Samir Abidali Från: Gert Doering Sänt av: cisco-nsp-boun...@puck.nether.netDatum: 2013-03-18 14:44Kopia: "cisco-nsp@puck.nether.net" Ärende: Re: [c-nsp] GRE ThroughputHi,On Mon

Re: [c-nsp] GRE Throughput

On Mon, Mar 18, 2013 at 12:34:08PM +0100, Gert Doering wrote: > On Mon, Mar 18, 2013 at 01:21:28PM +0300, Samir Abidali wrote: > > I wonder if someone can guide me for my search for that is a good Cisco > > device for GRE tunnel with a throughput of 100 mbps. > > What *else* is it supposed to do?

Re: [c-nsp] GRE Throughput

Hi, On Mon, Mar 18, 2013 at 01:21:28PM +0300, Samir Abidali wrote: > I wonder if someone can guide me for my search for that is a good Cisco > device for GRE tunnel with a throughput of 100 mbps. What *else* is it supposed to do? 1 Gig ports, 10 Gig ports, BGP, ...? 100 mbps of GRE should be d

[c-nsp] GRE Throughput

Hi I wonder if someone can guide me for my search for that is a good Cisco device for GRE tunnel with a throughput of 100 mbps. Can you please advice ? Thank you Best Regards Samir Abid Ali Core Network Manager Gorannet ISP Mobile:07703-587-625 Office:053 5111 000 ext. 1032 __

Re: [c-nsp] GRE tunnel over Internet

is it Cisco? what is the statement for redistribution? Are you using key word "subnets" with the redistribute statement? Regards, *Ali Sumsam CCIE* *Network Engineer - Level 3* eintellego Pty Ltd a...@eintellego.net ; www.eintellego.net Phone: 1300 753 383 ; Fax: (+612) 8572 9954 Cell +61 (0)410

Re: [c-nsp] GRE tunnel over Internet

Chris Lane > Sent: December-06-12 12:46 PM > To: cisco-nsp@puck.nether.net > Subject: [c-nsp] GRE tunnel over Internet > > We are working on setting up a test where we run a GRE tunnel across the > Internet, put OSPF between the tunnel and inject routes. > > I can get OSPF to f

Re: [c-nsp] GRE tunnel over Internet

Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Lane Sent: December-06-12 12:46 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] GRE tunnel over Internet We are working on setting up a test where we run a GRE tunnel across the

Re: [c-nsp] GRE tunnel over Internet

Try debug IP ospf adj could be MTU problem? Jon ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] GRE tunnel over Internet

People run all sorts of routing protocols over the IPSEC/GRE tunnel successfully (yeah, IPSEC to be more secure)...must be some configuration errors then... r/g -lmn On Thu, Dec 6, 2012 at 12:46 PM, Chris Lane wrote: > We are working on setting up a test where we run a GRE tunnel across the >

Re: [c-nsp] GRE tunnel over Internet

On 06/12/12 17:46, Chris Lane wrote: We are working on setting up a test where we run a GRE tunnel across the Internet, put OSPF between the tunnel and inject routes. I can get OSPF to form an adjacency but i cannot get routes to redistribute, nor inject by a network statement. What platform?

[c-nsp] GRE tunnel over Internet

We are working on setting up a test where we run a GRE tunnel across the Internet, put OSPF between the tunnel and inject routes. I can get OSPF to form an adjacency but i cannot get routes to redistribute, nor inject by a network statement. Anyone do such ? Any help or suggestions would be great

Re: [c-nsp] GRE tunnel bandwidth

ces doing the tunnel endpoints is high because >> of the encapsulation, or else the tunnel MTU is affecting the clients (if >> TCP). >> >> Chuck >> >> -Original Message- >> From: cisco-nsp-boun...@puck.nether.net >> [mailto:cisco-nsp-boun...@puck

Re: [c-nsp] GRE tunnel bandwidth

> > Chuck > > -Original Message- > From: cisco-nsp-boun...@puck.nether.net > [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger > Sent: Saturday, August 04, 2012 11:57 AM > To: cisco-nsp@puck.nether.net > Subject: [c-nsp] GRE tunnel bandwidth &g

Re: [c-nsp] GRE tunnel bandwidth

cisco-nsp-boun...@puck.nether.net > [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger > Sent: Saturday, August 04, 2012 11:57 AM > To: cisco-nsp@puck.nether.net > Subject: [c-nsp] GRE tunnel bandwidth > > I have some users experiencing slow file transfers over a

Re: [c-nsp] GRE tunnel bandwidth

f the encapsulation, or else the tunnel MTU is affecting the clients (if TCP). Chuck -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger Sent: Saturday, August 04, 2012 11:57 AM To: cisco-nsp@puck.nether.net Subject: [

[c-nsp] GRE tunnel bandwidth

I have some users experiencing slow file transfers over a GRE tunnel. The tunnel is riding over 10-gig links. I see that the default tunnel bandwidth is 8 Mbps. Does that mean that the tunnel is rate limited to that value? If so, is the simple solution raising the bandwidth with the "tunnel bandwid

Re: [c-nsp] GRE tunnels between Cisco ME3600X

That's correct. ME3600X does not currently support GRE. -Waris -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers Sent: Tuesday, April 17, 2012 5:58 AM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp

Re: [c-nsp] GRE tunnels between Cisco ME3600X

On 17/04/12 17:03, paul.ma...@agencyport.com wrote: It certainly sounds like a plausible explanation. I guess my next question is can I force a CEF punt? I'm not an expert on the ME3600 platforms, but based on how this kind of thing has worked on other hardware-based Cisco platforms (Catalyst

Re: [c-nsp] GRE tunnels between Cisco ME3600X

It certainly sounds like a plausible explanation. I guess my next question is can I force a CEF punt? -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: 17 April 2012 14:10 To: paul.ma...@agencyport.com Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] GRE tunnels

Re: [c-nsp] GRE tunnels between Cisco ME3600X

Hi, On Tue, Apr 17, 2012 at 01:40:46PM +0100, paul.ma...@agencyport.com wrote: > I have a GRE tunnel established between two of these things, they show > up in each other's CDP neighbours, a BGP session is established between > them, and they are exchanging routes. BGP learned routes are inserted

Re: [c-nsp] GRE tunnels between Cisco ME3600X

On 17/04/12 13:40, paul.ma...@agencyport.com wrote: Hi there, Has anyone had any success with the Cisco ME3600X and GRE tunnelling? I gather it's not officially supported but it does accept the commands and does seem to work ... sort of. I have a GRE tunnel established between two of these

[c-nsp] GRE tunnels between Cisco ME3600X

Hi there, Has anyone had any success with the Cisco ME3600X and GRE tunnelling? I gather it's not officially supported but it does accept the commands and does seem to work ... sort of. I have a GRE tunnel established between two of these things, they show up in each other's CDP neighbours,

Re: [c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ?

: Tuesday, December 27, 2011 11:30 PM To: c-nsp Subject: [c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ? Hi guys Is GRE tunnelling supported on this platform? I can see no reference to it in any of the configuration guides - but also no reference to it in the unsupported commands section. Has

Re: [c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ?

On Wed, Dec 28, 2011 at 1:30 AM, Reuben Farrelly wrote: > Hi guys > > Is GRE tunnelling supported on this platform? Yes, but the cpu-switch asic interface is *not* fast. you'll see ~1mbit usable through it (same as on 3550, 3560, 3750). these are "not good" devices for this need. if you needed lo

Re: [c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ?

On (2011-12-28 18:30 +1100), Reuben Farrelly wrote: Hey, > Is GRE tunnelling supported on this platform? No clue, but probably possible in magic fpga. > We've a need to run GRE tunnels for a URL filtering solution at our > Head Office from outside the firewall, and policy routing + GRE is > the

[c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ?

Hi guys Is GRE tunnelling supported on this platform? I can see no reference to it in any of the configuration guides - but also no reference to it in the unsupported commands section. Has anyone tried to do this? We've a need to run GRE tunnels for a URL filtering solution at our Head Offi

Re: [c-nsp] GRE over IPSEC wtf?!

Hi, On Wed, Oct 26, 2011 at 11:58:43AM -0200, Persio Pucci wrote: > I have read somewhere that GRE tunnels need exclusivity on their loopbacks > (can't share it with other tunnels), does that really apply? Only on 6500/7600 (every tunnel needs a distinctive local address, otherwise processing wi

Re: [c-nsp] GRE over IPSEC wtf?!

Ding ding ding, we got a winner! "tunnel vrf" did the job. Thank you for all your input! On Wednesday, October 26, 2011, Peter Rathlev wrote: > On Wed, 2011-10-26 at 11:29 -0200, Persio Pucci wrote: >> Here is the rundown on the configs (again, my side but I assume the other >> side is fine and

Re: [c-nsp] GRE over IPSEC wtf?!

-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Persio Pucci Sent: Wednesday, October 26, 2011 9:59 AM To: Phil Mayers Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] GRE over IPSEC wtf?! I'll try some of those later, for now I think they are doing something on the oth

Re: [c-nsp] GRE over IPSEC wtf?!

On Wed, 2011-10-26 at 11:29 -0200, Persio Pucci wrote: > Here is the rundown on the configs (again, my side but I assume the other > side is fine and there's not much on the tunnel cfg to be wrong). IPs > removed to protect the innocent. ... > interface Loopback100 > description LOOPBACK GRE > ip

Re: [c-nsp] GRE over IPSEC wtf?!

oh well I will have to check with the other party, not sure what are they using... On Wed, Oct 26, 2011 at 12:01 PM, Phil Mayers wrote: > On 26/10/11 14:58, Persio Pucci wrote: > >> I'll try some of those later, for now I think they are doing something >> on the other side as phase 1 is not estab

Re: [c-nsp] GRE over IPSEC wtf?!

On 26/10/11 14:58, Persio Pucci wrote: I'll try some of those later, for now I think they are doing something on the other side as phase 1 is not establishing anymore. I have read somewhere that GRE tunnels need exclusivity on their loopbacks (can't share it with other tunnels), does that really

Re: [c-nsp] GRE over IPSEC wtf?!

I'll try some of those later, for now I think they are doing something on the other side as phase 1 is not establishing anymore. I have read somewhere that GRE tunnels need exclusivity on their loopbacks (can't share it with other tunnels), does that really apply? On Wed, Oct 26, 2011 at 11:45 AM

Re: [c-nsp] GRE over IPSEC wtf?!

On 26/10/11 14:29, Persio Pucci wrote: crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac I think you want "mode transport" here interface Loopback100 description LOOPBACK GRE ip vrf forwarding CUSTOMER ip address y.y.y.y 255.255.255.255 You might need the "crypto map" here

Re: [c-nsp] GRE over IPSEC wtf?!

> > VPN#sh crypto engine connections active > ID InterfaceIP-Address State Algorithm > Encrypt Decrypt > 1478 Fa0/0.100mypeer setHMAC_MD5+3DES_56_C0 > 0 > 2011 Fa0/0.100mypeer set3DES+SHA 0 >224 > 201

Re: [c-nsp] GRE over IPSEC wtf?!

Phill, 3745 on my side, using 12.4(25c). Here is the rundown on the configs (again, my side but I assume the other side is fine and there's not much on the tunnel cfg to be wrong). IPs removed to protect the innocent. ip vrf CUSTOMER rd 1:25 route-target export 1:25 route-target import 1:25

Re: [c-nsp] GRE over IPSEC wtf?!

On 26/10/11 14:15, Persio Pucci wrote: Hi all, I am trying to get a GRE tunnel to work over IPSEC but as expected I am running into problems, just not the expected ones. Phase 1 is fine and established, Phase 2 is fine, SAs are in place. We can mutually ping our loopbacks, and we see encaps/dec

[c-nsp] GRE over IPSEC wtf?!

Hi all, I am trying to get a GRE tunnel to work over IPSEC but as expected I am running into problems, just not the expected ones. Phase 1 is fine and established, Phase 2 is fine, SAs are in place. We can mutually ping our loopbacks, and we see encaps/decaps increasing as we ping the loopbacks.

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

On Saturday, October 08, 2011 04:09:58 AM Dustin Schuemann wrote: > I believe we have solved the issue. We tag our telnet and > sip packets as AF 41. Removing the dscp AF 41 from these > packets fixes the issue. A case of GBLX not remarking ingress "Internet" traffic from customers to 'DSCP def

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

tober 05, 2011 9:22 PM > To: Phil Mayers > Cc: cisco-nsp@puck.nether.net > Subject: Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers > > Today I also noticed that all these connections are going over comcast > business. Anyone seen anything like this? > > On T

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

er.net] On Behalf Of Dustin Schuemann Sent: Wednesday, October 05, 2011 9:22 PM To: Phil Mayers Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers Today I also noticed that all these connections are going over comcast business. Anyone seen anything

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

Today I also noticed that all these connections are going over comcast business. Anyone seen anything like this? On Tue, Sep 27, 2011 at 5:43 PM, Dustin Schuemann wrote: > Do you have any other suggestions. TAC is kinda going around in circles. > On Sep 27, 2011, at 3:43 AM, Phil Mayers wrote: >

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

Do you have any other suggestions. TAC is kinda going around in circles. On Sep 27, 2011, at 3:43 AM, Phil Mayers wrote: > On 09/27/2011 12:38 AM, Dustin Schuemann wrote: >> Disabling CEF didn't correct the issue. >> > > I'm not surprised. I'm amazed TAC would even suggest it. > > Disabling CE

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers Sent: Tuesday, September 27, 2011 3:44 AM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers On 09/27/2011 12:38 AM, Dustin Schuemann wrote: > Disabling CEF didn't correct

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

Hey Dustin, We seen similar issue but with NAT enabled and that was on 12.4(15)T14, where first TCP SYN drops. Check bug CSCti13229. On 26/09/11 02:01, Dustin Schuemann wrote: We have about 200 sites connected to us via GRE tunnels over IPSEC over MPLS for primary connectivity, and GRE over

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

On 09/27/2011 12:38 AM, Dustin Schuemann wrote: Disabling CEF didn't correct the issue. I'm not surprised. I'm amazed TAC would even suggest it. Disabling CEF on modern IOS isn't sensible. The slower code paths don't get properly tested any more, and whole (large) chunks of functionality on

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

n a loopback interface. > Works ok in other version and works fine if I disable CEF. > > -Vinny > > -Original Message- > From: cisco-nsp-boun...@puck.nether.net > [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dustin Schuemann > Sent: Sunday, September 25, 2011 6

Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

uck.nether.net] On Behalf Of Dustin Schuemann Sent: Sunday, September 25, 2011 6:01 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers We have about 200 sites connected to us via GRE tunnels over IPSEC over MPLS for primary connectivity, and GRE o

[c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

We have about 200 sites connected to us via GRE tunnels over IPSEC over MPLS for primary connectivity, and GRE over IPSEC over the Internet for backup, and EIGRP routing handling the failover. Most of them are 2811HSEC/K9's, and they're working great. We've recently discovered issues with a cou

Re: [c-nsp] GRE Tunnel interface on NX-OS 5.1

On 14/07/11 16:59, Matthew Melbourne wrote: Does the following GRE tunnel configuration fall foul of (b); I'm Yes. interpreting the tunnel transport to be the VRF of the tunnel source/destination, which in this case is different to the VRF of the tunnel itself? interface Tunnel0 vrf me

[c-nsp] GRE Tunnel interface on NX-OS 5.1

We are running NX-OS 5.1(3) on a N7k, and am trying to configure a GRE tunnel between it and a Catalys 6509. We are finding that certain traffic flows across the GRE tunnel (e.g. where the destination is an SVI on Nexus within PRI_VRF, but not to a host in PRI_VRF connected to Nexus. There is the

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

On Wednesday, July 06, 2011 12:08:53 PM Jason Gurtz wrote: > A firm has proposed creating a GRE tunnel between two datacenters (using a > 3750X stack at each) to create the spanned vlans needed for VMWare > failover application. > Clearly there is tunnel overhead but I sense there are other failur

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

On Thursday, July 07, 2011 01:38:38 AM Derick Winkworth wrote: > I thought about that, but then decided not to recommend > it. Its definitely the simplest, but its also not > really the best design in my opinion. If only Cisco > had a smaller unit that could do MPLS VPNs *and* VPLS. > That wo

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

On Thursday, July 07, 2011 01:48:46 AM Jason Lixfeld wrote: > ME-3600? Supports L2 VPN and L3 VPN today. FCS+1 is > supposed to support VPLS, which should be out any day > now, as far as I understand. I guess they killed the > ME-3800. Not really. The ME3800X still provides higher scaling num

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

Is there a vendor in the middle? Perhaps QinQ tagging would be an option here. > > A firm has proposed creating a GRE tunnel between two datacenters (using > a > > 3750X stack at each) to create the spanned vlans needed for VMWare > > failover application. > > > > Clearly there is tunnel overhe

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

On Wed, Jul 6, 2011 at 22:03, Jason Lixfeld wrote: > Not sure about the SFP/XFP thing tho.  Why would you want an XFP? I said SFP+, not SFP. XFP mainly for 10GE DWDM/longhaul uplinks. Afaik the big vendors only supply uncolored 40km (-ER) SFP+ modules. I hear some Chinese vendors now also have DW

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

Indeed. I bitch slapped myself for assuming it would be in the same place the ME3600 is located. Not sure about the SFP/XFP thing tho. Why would you want an XFP? On 2011-07-06, at 3:59 PM, Daniel Verlouw wrote: > On Wed, Jul 6, 2011 at 19:48, Jason Lixfeld wrote: >> I guess they killed the

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

On Wed, Jul 6, 2011 at 19:48, Jason Lixfeld wrote: >  I guess they killed the ME-3800. sure? Still on the website; Nice boxes, but wish they put XFPs in it though instead of SFP+... --Daniel. __

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

> Since GRE isn't supported on the 3750, it seems like a non-starter. While > you can configure GRE, it is all done in software thus impacting all > control plane traffic. As well bridging isn't supported over GRE. Quite an interesting point here. I remember looking at the guy funny when he said i

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

> If I get the pictures right, you could get away with a VLAN on C1 with > two ports in dot1q tunnel mode + l2protocol tunnel stp, and a similar > situation in C2, so V1 and V2 will have their own spanning tree and C1 > and C2 will not partecipate in it (if you need also L3 in V1/V2, you will > hav

Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Eric Gauthier wrote: > Hello, > > I am not sure that you can bridge two subnets together using GRE, so > you may need some additional technology if your goal is to make the > same subnet/IP float dynamically between locations. > > With that said, if

  1   2   >