
Cisco GRE/VPN, strange problem...


KY (Technical User, GB) - Mar 28, 2002
Need help.
I've got 2 locations terminating at a central location; both are using the Cisco 1712, and the central site is using a 1760. Both remote sites have a successful GRE tunnel back to central. All routing is fine, all network connectivity is fine except for SOME http. This is where it gets odd... (web access is via central, no issues here).
BOTH remote sites report that only some users can reliably access the web. The 'problem' users are always the same devices even if all other traffic across the tunnel is stopped. For these users the page starts to load, then hangs; a packet capture confirms this. Obviously, the common factors are the equipment and the technology, but I'm having a hard time getting any info out of Cisco on this.
Before you ask, the problem PCs are a mix of XP and 2000, and also a mix of IE 5, 5.5 and 6, so I'm discounting a Microsoft issue.

Any ideas, or similar problems much appreciated.
 
Do you have enough bandwidth on the tunnel? Are you getting drops?
 
No, no drops, all other traffic is fine. Our proxy server is getting the requests and sending the replies, but the replies are timing out and getting retransmitted even though all routing is working (can ping & trace from site to proxy & vice versa). Just to further complicate things, I've found that if I set up an http server on various routers in the network then the locations can browse to them just fine... this all points to the proxy, BUT we are also running Zonelabs Integrity personal firewalls, and the PCs that HAVE the firewall also work just fine. I'm very confused by all this...
 
Hi,
I'm no native speaker and so I might have understood some things wrong. You said that all pinging works? Did you try pinging your router from the users' PCs where the requests aren't working? Did you try the same with the proxy? Maybe the router has no route to the proxy.
You need to check where the replies get lost (before your router or after your router).

busche
 
Hello!
You need to change the MTU on these Tunnel interfaces from 1514 to a lower value.
You can change the MTU value and see what's happening.
Command:
conf t
int Tunnel x
ip mtu 1400

Regards
Dule
 
Thanks Dule, tried that but got the following message:

PragueTSN(config-if)#mtu 1400
% Interface Tunnel20 does not support adjustable maximum datagram size

Any ideas?
 
You have to enter 'ip mtu 1400' :)
take care
 
KY

I think Dulem is on the right path. I ran into a similar problem a while back. Some of the PCs were able to get through the GRE tunnel while others couldn't. Yes, it was always the same PCs. The problem turned out to be the MTU size of the packet. I'm not sure how you're connecting to the internet, but I'll assume it's a DSL connection (it doesn't really matter). I don't know if you're using IPSec, but I'll assume so. And you have a GRE tunnel established through the IPsec tunnel (typical setup). With all these "tunnels" set up, the overhead added to the packet will exceed the allowable size to be transported across the network. If you're using a Cisco router with the right IOS, you can force the MSS size of all the TCP traffic coming from an interface. Use the following command:

interface FastEthernet 0/0
ip tcp adjust-mss 1360

Notice that this command is applied to the interface on the LAN, not the tunnel (do this on both sides).

This is one approach. The other is to manually set the MTU size on each PC (using an application like DrTCP, but there are literally tons of these types of apps out there).

Hope this helps...
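To make the overhead arithmetic behind bell1996's advice concrete, here is an added example (not code from the thread or from Cisco) that models an inner IP packet going through GRE and then ESP, and shows why a 1400-byte tunnel MTU with a 1360-byte MSS fits comfortably inside a 1500-byte link. The header sizes and the 3DES/AES IV lengths are the common defaults and are assumed, as is the simplified PMTUD model in gre_ingress.

```python
# Constructed model of GRE-over-IPsec encapsulation overhead (assumed sizes).
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4          # plain GRE: no key/sequence fields
ESP_HDR, ESP_TRAILER, ESP_ICV = 8, 2, 12      # SPI+seq, pad-len+next-hdr, HMAC-*-96 tag
IV = {"3des": 8, "aes": 16}                   # IV length equals the cipher block size

def esp_padding(payload_len, block):
    """ESP pads payload + 2-byte trailer up to a multiple of the cipher block size."""
    return (-(payload_len + ESP_TRAILER)) % block

def outer_size(inner_len, cipher="3des", tunnel_mode=True, nat_t=False):
    """Bytes on the wire after an inner IP packet goes through GRE, then ESP."""
    gre_pkt = inner_len + IP_HDR + GRE_HDR            # GRE adds a delivery IP header + GRE header
    # Tunnel mode protects the whole GRE packet; transport mode reuses its IP header.
    esp_payload = gre_pkt if tunnel_mode else gre_pkt - IP_HDR
    pad = esp_padding(esp_payload, IV[cipher])
    total = IP_HDR + ESP_HDR + IV[cipher] + esp_payload + pad + ESP_TRAILER + ESP_ICV
    return total + (8 if nat_t else 0)                # NAT-T wraps ESP in a UDP header

def max_inner_len(link_mtu=1500, **kw):
    """Largest inner packet whose encapsulated form still fits the physical link MTU."""
    n = link_mtu
    while outer_size(n, **kw) > link_mtu:
        n -= 1
    return n

def mss_for_mtu(ip_mtu):
    """TCP MSS that keeps a full segment within ip_mtu (what 'ip tcp adjust-mss' clamps to)."""
    return ip_mtu - IP_HDR - TCP_HDR

def gre_ingress(inner_len, tunnel_ip_mtu, df):
    """Simplified head-end behaviour: oversized DF packets are dropped with an ICMP
    'fragmentation needed'; if that ICMP never reaches the sender, the transfer hangs
    after the small initial packets, which is the symptom described in this thread."""
    if inner_len <= tunnel_ip_mtu:
        return "forwarded"
    return "dropped, ICMP fragmentation-needed sent" if df else "fragmented"

if __name__ == "__main__":
    for c in IV:
        inner = max_inner_len(1500, cipher=c)
        print(f"{c}: max inner packet {inner} bytes -> safe MSS {mss_for_mtu(inner)}")
    print("ip mtu 1400 on the wire (3des):", outer_size(1400, cipher="3des"))
    print("1500-byte HTTP reply, DF set, tunnel mtu 1400:", gre_ingress(1500, 1400, df=True))
    print("1400-byte segment after adjust-mss 1360:", gre_ingress(1360 + 40, 1400, df=True))
```

Note that enabling NAT-T pushes a 1400-byte inner packet with AES to 1504 bytes on the wire, so the margin is not unlimited.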
 
Hi bell1996 and dulem,
I've applied both your suggestions, and initial signs are good! I'm just waiting for one location to confirm this as I type. I kind of thought it would be something like this, but I was thinking QOS stuff... had a very hard time finding anything valuable on cisco.com as well. Fingers crossed, thank you both for your help :)
 
Yep, that got it. Just as an extra bit of info, it turns out that the Zonelabs Integrity software firewall adjusts the MTU size on a per-PC basis, hence the PCs with this loaded worked while the others didn't.

Result.
 
Thanks landrew, I've bookmarked that link, I think I'll be using it again in the future... As usual with cisco.com, you've got to know the right question to ask; in this case a very literal search would have got the right page... lesson learned.
 