[nsp] checkpoint & gre tunnel
Streiner, Justin
streiner at stargate.net
Tue Aug 5 09:33:25 EDT 2003
On Tue, 5 Aug 2003, Ali Kemal Yurtseven wrote:
> Hi,
>
> I have a problem with vpn over gre tunnel. Topology is given below:
>
> Checkpoint-> Router ------- GRE TUNNEL ------- Router -> Checkpoint
>
> VPN is configured between the firewalls. Ping tests are fine,
> but when a user tries to open a web page, a problem occurs. Has anybody
> experienced a problem like this?

Sounds like an MTU/fragmentation issue. I ran into this with a product I
was testing recently. I was able to fix it by using the "ip tcp
adjust-mss" interface command on the client-side router, like this:

interface Serial0/0
 description T1 to ISP POP
 ip address 172.16.10.10 255.255.255.252
...
interface Tunnel0
 description GRE Tunnel to ISP FW appliance
 ip address 10.100.50.202 255.255.255.252
 ip mtu 1476
 ip route-cache flow
 no ip split-horizon
 ip tcp adjust-mss 1436
 keepalive 10 2
 tunnel source Ethernet0/0
 tunnel destination 192.168.1.3
...
ip route 192.168.1.3 255.255.255.255 172.16.10.9

I tried other methods of resolving the issue like writing a route-map to
forcibly clear the DF bit on outgoing packets on both sides, with mixed
results. Adjusting the TCP maximum segment size (MSS) has been problem
free for me for several months.

Note that the "ip tcp adjust-mss" and "keepalive" commands require fairly
new IOS builds to work, like later 12.2S and 12.2T releases.

jms
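
Added example, not part of the original post: a small Python audit that reads IOS-style configuration text and flags tunnel interfaces whose "ip mtu" and "ip tcp adjust-mss" values do not fit together the way the Tunnel0 values above do (1476 = 1500 - 24, 1436 = 1476 - 40). The function names are hypothetical, and it assumes a 1500-byte physical MTU, plain GRE with no keys or IPsec overhead, and the one-space indentation of "show running-config" output.

```python
GRE_OVERHEAD = 24    # outer IPv4 header (20) + basic GRE header (4)
IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options
def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (IOS 'show run' layout)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[:1] in (" ", "\t") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any global command closes the stanza
    return interfaces

def _number(cmds, prefix):
    for cmd in cmds:  # integer argument of the first matching sub-command
        if cmd.startswith(prefix):
            return int(cmd[len(prefix):].split()[0])
    return None

def audit_tunnels(config, physical_mtu=1500):
    """Return (interface, problem) pairs for tunnels with inconsistent MTU/MSS."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        mtu = _number(cmds, "ip mtu ")
        mss = _number(cmds, "ip tcp adjust-mss ")
        if mtu is None:
            findings.append((name, "ip mtu not set"))
        elif mtu > physical_mtu - GRE_OVERHEAD:
            findings.append((name, "ip mtu too large for GRE"))
        if mss is None:
            findings.append((name, "ip tcp adjust-mss not set"))
        elif mtu is not None and mss > mtu - IP_TCP_HEADERS:
            findings.append((name, "adjust-mss exceeds ip mtu - 40"))
    return findings

# Constructed sample: Tunnel0 uses the values from the post, Tunnel1 is made up.
SAMPLE = """\
interface Tunnel0
 ip mtu 1476
 ip tcp adjust-mss 1436
interface Tunnel1
 ip mtu 1476
 ip tcp adjust-mss 1460
"""
print(audit_tunnels(SAMPLE))
```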