Re: [nsp] MTU problem with GRE tunnels

From: philip bridge (bridge@ip-plus.net)
Date: Thu Jun 04 1998 - 17:12:38 EDT


It seems that there are two issues:

- some applications are breaking because packets with DF bit set are dropped.
- some hosts (or more likely the firewalls sitting in front of them) have a problem if packets are fragmented.

On the one hand, I do not want to overstate the problem: I am not saying a lot of apps have a lot of problems. But the experience we are having is that the tunnels and the MTU/fragmentation issues they generate are creating enough problems to make us think twice about deploying a VPN service based on them. In this sort of environment it only takes the whiff of problems of this sort to render a service unviable.

Phil

At 13:26 04/06/98 -0400, Phillip Vandry wrote:
>> I'm experiencing problems with fragmentation due to GRE tunnel overhead:
>> the way I understand it, the MTU of a GRE tunnel will always be less than
>> the MTU of the underlying IP cloud due to the IP encapsulation overhead (in
>> our case 1500 bytes). So 1500 byte packets attempting to traverse the tunnel
>> will be fragmented.
>
>Correct.
>
>> We're trying to use GRE tunnels extensively in a VPN service offering, and
>> it seems that there is a lot of critical traffic with 1500 byte packets and
>> with the DF bit set. So it doesn't get through the VPN tunnels. The
>> critical packet length is 1472 bytes.
>>
>> We see this on a variety of platforms (from 2500 to 7507) and a variety of
>> IOS releases (11.1(18)CC, 11.1(2), 11.2(5)).
>> Thinking about it, this problem is to be expected...but it seems to render
>> GRE tunnels unusable in a VPN environment. But I know lots of people are
>> using GRE for this or similar applications...so what am I missing here?
>
>We use some GRE tunnels, but I only do it when I absolutely have to because
>I hate to reduce the effective MTU.
>
>But are you really seeing so many applications that break on this? It
>seems to be those applications are broken. Most applications which send
>large packets with DF set do so in order to implement path MTU discovery
>anyway, which will work through the tunnel.
>
>-Phil
>
>
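As an added illustration (not part of the original thread), a small model of the behaviour the two Phils are discussing: a GRE head-end on a 1500-byte link drops an oversize packet with DF set and signals the tunnel MTU via ICMP "fragmentation needed", a PMTUD-capable sender retries at that size, and a firewall filtering the ICMP turns the tunnel into a black hole. It assumes a 20-byte outer IPv4 header and a 4-byte GRE header; the icmp_reaches_sender flag is a hypothetical knob standing in for such a firewall.

```python
"""Model of GRE tunnel MTU handling: DF drops, fragmentation and path MTU discovery."""
from dataclasses import dataclass

IP_HDR = 20    # outer IPv4 header added by the tunnel (assumed, no options)
GRE_HDR = 4    # minimal GRE header (assumed: no key/sequence/checksum)
ICMP_HDR = 8   # ICMP echo header, to relate "ping -s" payload to packet size


def gre_tunnel_mtu(link_mtu: int) -> int:
    """Largest inner packet that still fits the underlying link once encapsulated."""
    return link_mtu - IP_HDR - GRE_HDR


def ping_payload_for(packet_len: int) -> int:
    """ICMP echo payload size that produces an IP packet of packet_len bytes."""
    return packet_len - IP_HDR - ICMP_HDR


@dataclass
class Verdict:
    action: str            # "pass", "fragment" or "drop"
    pieces: int = 1        # inner fragments produced when action == "fragment"
    next_hop_mtu: int = 0  # MTU carried in ICMP type 3 code 4 when action == "drop"


def tunnel_ingress(packet_len: int, df: bool, link_mtu: int = 1500) -> Verdict:
    """What the tunnel head-end does with one inner IPv4 packet (RFC 1191 rules)."""
    mtu = gre_tunnel_mtu(link_mtu)
    if packet_len <= mtu:
        return Verdict("pass")
    if df:
        # DF set: drop and tell the sender the MTU it must honour
        return Verdict("drop", next_hop_mtu=mtu)
    payload = packet_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8        # fragment payloads are multiples of 8
    return Verdict("fragment", pieces=-(-payload // chunk))


def pmtud_host(packet_len: int, link_mtu: int = 1500,
               icmp_reaches_sender: bool = True, max_rounds: int = 4) -> list:
    """A sender doing PMTUD: shrink to the advertised MTU until the packet passes.

    With icmp_reaches_sender=False the ICMP never arrives (filtered by a firewall),
    so the host keeps retransmitting the same size: the classic PMTUD black hole.
    """
    trace, size = [], packet_len
    for _ in range(max_rounds):
        v = tunnel_ingress(size, df=True, link_mtu=link_mtu)
        trace.append((size, v.action))
        if v.action != "drop":
            break
        if icmp_reaches_sender:
            size = v.next_hop_mtu
    return trace
```

With a 1500-byte link the tunnel MTU works out to 1476 bytes and the largest ping payload that still yields a 1500-byte packet is 1472, the "critical" size quoted above.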
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:14 EDT