[c-nsp] DMVPN Rollout -- MTU questions
Eric Cables
ecables at gmail.com
Thu May 22 14:04:31 EDT 2008
We are preparing to roll out a dual headend / dual cloud DMVPN solution for
remote sites, distributed throughout the country. We have migrated a couple
of sites over, and have experienced some intermittent connectivity problems,
which appear to be related to MTU settings.
I've read all of the DMVPN documentation (design guide / best practices) I
can find, along with the "Resolve IP Fragmentation, MTU, MSS, and PMTUD
Issues with GRE and IPSEC" document on cisco.com, but I'm still having some
trouble finding a systematic approach to setting MTU, and/or knowing when
the use of tcp adjust-mss is needed.
Based on the DMVPN best practices design guide, we have implemented the
following:
- IP MTU 1400
- Tunnel PMTUD
The above, however, doesn't seem to work in some cases. Users at these
sites complain of intermittent connectivity problems, which seem to be
solved rather quickly by reducing the IP MTU, and configuring TCP
adjust-mss. I do have concerns as to why PMTUD isn't working as expected
(sending ICMP unreachables to the client to adjust their MTU accordingly),
and exactly what values to set both IP MTU to, as well as TCP adjust-mss,
assuming it's necessary.
Below are the templates/configs used for both the Headend / Remote Site
configs:
Headend #1:
!
crypto isakmp policy 1
encryption aes 128
authentication pre-share
group 5
crypto isakmp key pass123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
description DMVPN mGRE Tunnel
bandwidth 44210
ip address x.x.x.1 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 1800
ip nhrp server-only
ip ospf network point-to-multipoint
ip ospf hello-interval 5
load-interval 30
qos pre-classify
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
Headend #2:
!
crypto isakmp policy 1
encryption aes 128
authentication pre-share
group 5
crypto isakmp key pass123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
description DMVPN mGRE Tunnel
bandwidth 44210
ip address x.x.x.33 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 1800
ip nhrp server-only
ip ospf network point-to-multipoint
ip ospf hello-interval 5
load-interval 30
qos pre-classify
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
Remote Site:
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key pass123 address x.x.x.x
crypto isakmp key pass123 address x.x.x.x
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
bandwidth 1536
ip address x.x.x.x 255.255.255.224
ip mtu 1400
ip nhrp map x.x.x.1 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 10
ip nhrp holdtime 1800
ip nhrp nhs x.x.x.1
ip ospf network point-to-point
ip ospf hello-interval 5
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
interface Tunnel1
bandwidth 1536
ip address x.x.x.x 255.255.255.224
ip mtu 1400
ip nhrp map x.x.x.33 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 20
ip nhrp holdtime 1800
ip nhrp nhs x.x.x.33
ip ospf network point-to-point
ip ospf cost 1000
ip ospf hello-interval 5
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
Any advice would be appreciated.
--
Eric Cables
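The post asks what IP MTU and adjust-mss values to set and why a 1400-byte IP MTU still breaks in some cases. The arithmetic below is an added example for this thread, not code from the original post: it models the transform set shown in the configs (esp-aes esp-sha-hmac, the default IPsec tunnel mode, GRE with no tunnel key) and computes the worst-case on-the-wire size of a packet that fits the tunnel's ip mtu, then derives the largest ip mtu and matching adjust-mss that fit a given underlay MTU. Header sizes are the protocol constants from RFC 791 (IPv4), RFC 2784 (GRE), RFC 4303 (ESP), RFC 3602 (AES-CBC) and RFC 2404 (HMAC-SHA1-96); IPv4 headers are assumed to carry no options, and the 1492-byte underlay in the demo is a constructed PPPoE-style case, not something from the thread.

```python
# Added example (not from the original post): GRE-over-IPsec size arithmetic
# for the transform set in the configs above (esp-aes esp-sha-hmac, default
# IPsec tunnel mode, GRE without a tunnel key). Constants are protocol header
# sizes from RFC 791, RFC 2784, RFC 4303, RFC 3602 and RFC 2404; IPv4 headers
# are assumed to have no options.

IPV4_HDR = 20          # IPv4 header without options
TCP_HDR = 20           # TCP header without options (MSS is the payload after it)
GRE_HDR = 4            # RFC 2784 base GRE header (no key, no sequence number)
GRE_KEY = 4            # extra bytes if 'tunnel key' is configured
ESP_HDR = 8            # SPI (4) + sequence number (4)
AES_BLOCK = 16         # AES-CBC block size; ESP padding aligns to this
AES_IV = 16            # explicit IV carried in every ESP packet
ESP_TRAILER = 2        # pad length (1) + next header (1)
SHA1_96_ICV = 12       # truncated HMAC-SHA1 authentication tag
UDP_HDR = 8            # present only when NAT-T UDP encapsulation is in use


def esp_padding(plaintext_len: int, block: int = AES_BLOCK) -> int:
    """Padding bytes so plaintext + padding + 2-byte trailer is a block multiple."""
    return (block - (plaintext_len + ESP_TRAILER) % block) % block


def encapsulated_size(inner_len: int, tunnel_mode: bool = True,
                      nat_t: bool = False, gre_key: bool = False) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after GRE + ESP."""
    gre_pkt = IPV4_HDR + GRE_HDR + (GRE_KEY if gre_key else 0) + inner_len
    # Tunnel mode encrypts the whole GRE/IP packet and prepends a new IP header;
    # transport mode encrypts only GRE + payload and reuses the GRE packet's IP
    # header. Either way one cleartext IPv4 header precedes the ESP header.
    plaintext = gre_pkt if tunnel_mode else gre_pkt - IPV4_HDR
    esp = (ESP_HDR + AES_IV + plaintext + esp_padding(plaintext)
           + ESP_TRAILER + SHA1_96_ICV)
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def max_inner_mtu(underlay_mtu: int, **kw) -> int:
    """Largest 'ip mtu' whose worst-case encapsulated size still fits underlay_mtu."""
    inner = underlay_mtu
    while encapsulated_size(inner, **kw) > underlay_mtu:
        inner -= 1
    return inner


def tcp_mss_for(ip_mtu: int) -> int:
    """'ip tcp adjust-mss' value so a full-size TCP segment fits the tunnel ip mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    # Constructed underlays: plain Ethernet (1500) and a PPPoE-style link (1492).
    for underlay in (1500, 1492):
        m = max_inner_mtu(underlay)
        print(f"underlay {underlay}: max ip mtu {m}, adjust-mss {tcp_mss_for(m)}")
    print("ip mtu 1400 ->", encapsulated_size(1400), "bytes on the wire")
    print("ip mtu 1400 with NAT-T ->", encapsulated_size(1400, nat_t=True), "bytes")
```

With the configs' settings, a 1400-byte tunnel packet leaves the router as 1496 bytes, so against a 1500-byte underlay there is only a 4-byte cushion, and the block shows that anything above an inner MTU of 1414 overflows 1500. Any additional overhead on the path (NAT-T's 8-byte UDP header, or a PPPoE-style 1492-byte link, for which the largest fitting ip mtu is 1398) pushes the full-size packets over, which is exactly the "works until a large transfer starts" symptom. The ip tcp adjust-mss value is derived from the ip mtu (1360 for 1400) and rewrites the MSS in SYNs, so TCP flows never depend on PMTUD at all; PMTUD itself only works when the ICMP Type 3 Code 4 messages from the tunnel endpoints actually reach the hosts, so when a lower MTU plus adjust-mss fixes things and PMTUD alone does not, checking whether those ICMP messages are filtered somewhere on the path is the first thing to verify.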