[c-nsp] VPN - MTU Issue

Rodney Dunn rodunn at cisco.com
Tue Apr 11 15:16:02 EDT 2006


Looks to me like you had tcp adjust-mss on the wrong interface.

> interface Ethernet0
>  description Local Subnet
>  ip address 192.168.250.1 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting access-violations
>  ip nat inside
>  ip tcp adjust-mss 1412
>  no cdp enable
>  hold-queue 32 in
>  hold-queue 100 out
> !
> interface Ethernet1
>  description Nexicom Turbo
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting access-violations
>  ip tcp adjust-mss 1412 
>  pppoe enable
>  pppoe-client dial-pool-number 1
>  no cdp enable


You need it on the LAN interface or the tunnel to get the packet
before it's encapsulated.

Best to put it on the tunnel so you don't affect traffic going
out the internet bypassing the tunnel...if you do that.

On Tue, Apr 11, 2006 at 03:07:09PM -0400, Paul Stewart wrote:
> Oh crap! ;)
> 
> I was trying to set the interface MTU, not IP MTU.. Whoops.... I just
> added "ip mtu 1428" to each tunnel and we'll see how that works out....
> That should work I presume because I have "ip tcp adjust-mss 1412" on
> the ethernet interfaces already and that's lower than 1428?
> 
> All the best,
> 
> Paul
>  
> 
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com] 
> Sent: Tuesday, April 11, 2006 2:59 PM
> To: Paul Stewart
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] VPN - MTU Issue
> 
> Paul,
> 
> The easiest way to do it is on all your tunnel interfaces configure
> ip tcp adjust-mss for the tcp traffic.
> 
> For UDP you have to set the "ip mtu" down on the tunnel low enough to
> allow for all the encapsulation overhead that will come (gre, ipsec,
> pppox).
> 
> Try "ip mtu 1300" on the tunnel. I think that should be enough.
> 
> http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
> 
> You have tcp adjust-mss configured so if you are doing TCP make sure you
> set it down low enough too.
> 
> Rodney
> 
> 
> On Tue, Apr 11, 2006 at 02:12:32PM -0400, Paul Stewart wrote:
> > Hi there....
> > 
> > I don't do many VPNs but we recently set up three VPNs back to a
> > central location (hub and spoke).  The hub location and one of the
> > spokes works great as they are straight ethernet connectivity via
> > fiber.  Two of the other locations are PPPOE based DSL service.  I'm
> > trying to find out how and what to set the MTU to on these remote
> > sites.... The network people are telling me that they want to use
> > windows domain login etc. across the VPN link and it's working at one
> > location and not the two others even though the tunnels are up and
> > working....
> > 
> > I presume this is MTU related so did some extended ping tests and
> > identified 1428 is the maximum packet size without fragmentation.. Is
> > this the correct way to size the tunnel?  This is using GRE over
> > IPsec.
> > 
> > When I try to set the size on the tunnel I get this:
> > 
> > xxxxxx(config-if)#mtu 1428
> > % Interface Tunnel0 does not support adjustable maximum datagram size
> > 
> > Below is the entire config of one of the spoke sites that doesn't 
> > work, what do I size where? ;)
> > 
> > Paul Stewart
> > IP Routing/Switching
> > Nexicom Inc.
> > http://www.nexicom.net/
> > 
> > 
> > Current configuration : 4304 bytes
> > !
> > ! Last configuration change at 14:07:03 EDT Tue Apr 11 2006 by admin
> > ! NVRAM config last updated at 13:26:01 EDT Tue Apr 11 2006 by admin
> > !
> > version 12.3
> > no parser cache
> > no service pad
> > service tcp-keepalives-in
> > service tcp-keepalives-out
> > service timestamps debug datetime localtime
> > service timestamps log datetime localtime
> > service password-encryption
> > !
> > hostname XXXXXX
> > !
> > boot-start-marker
> > boot system flash
> > boot system flash c806-k9osy6-mz.123-18.bin
> > boot-end-marker
> > !
> > no logging rate-limit
> > enable secret 5 XXXXXXXXXXXXXXXXXXX
> > !
> > clock timezone EST -5
> > clock summer-time EDT recurring
> > no aaa new-model
> > ip subnet-zero
> > ip domain name nexicom.net
> > ip name-server 192.168.2.2
> > !
> > ip dhcp pool LAN
> >    network 192.168.250.0 255.255.255.0
> >    default-router 192.168.250.1
> >    dns-server 192.168.2.2
> >    netbios-name-server 192.168.2.3
> > !
> > no ip bootp server
> > ip cef
> > vpdn enable
> > !
> > vpdn-group 1
> >  request-dialin
> >   protocol pppoe
> > !
> > !
> > username admin password 7 XXXXXXXXXX
> > !
> > !
> > !
> > crypto isakmp policy 10
> >  encr aes 256
> >  authentication pre-share
> > crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
> > crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
> > crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
> > !
> > !
> > crypto ipsec transform-set ts1 ah-sha-hmac esp-aes 256
> > !
> > crypto ipsec profile VPN
> >  set transform-set ts1
> > !
> > !
> > !
> > !
> > interface Loopback0
> >  no ip address
> > !
> > interface Tunnel0
> >  description XXXXXXXXXXXXXXX
> >  ip address 172.16.1.6 255.255.255.252
> >  tunnel source Dialer1
> >  tunnel destination XXX.XXX.XXX.XXX
> >  tunnel protection ipsec profile VPN
> > !
> > interface Tunnel1
> >  description XXXXXXXXXXXXXXX
> >  ip address 172.16.1.10 255.255.255.252
> >  tunnel source Dialer1
> >  tunnel destination XXX.XXX.XXX.XXX
> >  tunnel protection ipsec profile VPN
> > !
> > interface Tunnel2
> >  description XXXXXXXXXXXXXXXX
> >  ip address 172.16.1.21 255.255.255.252
> >  tunnel source Dialer1
> >  tunnel destination XXX.XXX.XXX.XXX
> >  tunnel protection ipsec profile VPN
> > !
> > interface Ethernet0
> >  description Local Subnet
> >  ip address 192.168.250.1 255.255.255.0
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  ip accounting access-violations
> >  ip nat inside
> >  ip tcp adjust-mss 1412
> >  no cdp enable
> >  hold-queue 32 in
> >  hold-queue 100 out
> > !
> > interface Ethernet1
> >  description Nexicom Turbo
> >  no ip address
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  ip accounting access-violations
> >  ip tcp adjust-mss 1412
> >  pppoe enable
> >  pppoe-client dial-pool-number 1
> >  no cdp enable
> > !
> > interface Dialer0
> >  no ip address
> >  no cdp enable
> > !
> > interface Dialer1
> >  ip address negotiated
> >  ip mtu 1452
> >  ip nat outside
> >  encapsulation ppp
> >  ip route-cache flow
> >  dialer pool 1
> >  dialer-group 1
> >  no cdp enable
> >  ppp authentication pap callin
> >  ppp pap sent-username XXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX
> >  ppp ipcp dns request
> > !
> > ip nat inside source list 105 interface Dialer1 overload
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Dialer1
> > ip route 10.10.10.0 255.255.255.0 Tunnel1
> > ip route 192.168.0.0 255.255.255.0 Tunnel2
> > ip route 192.168.2.0 255.255.255.0 Tunnel0
> > no ip http server
> > no ip http secure-server
> > !
> > !
> > ip access-list extended VPN
> >  permit ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> > logging trap debugging
> > logging facility local6
> > logging source-interface Loopback0
> > logging XXX.XXX.XXX.XXX
> > access-list 1 permit XXX.XXX.XXX.XXX
> > access-list 15 permit XXX.XXX.XXX.XXX log
> > access-list 105 deny   ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> > access-list 105 permit ip 192.168.250.0 0.0.0.255 any
> > dialer-list 1 protocol ip permit
> > no cdp run
> > snmp-server community XXXXXXXXX RW 1
> > snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
> > snmp-server enable traps tty
> > snmp-server enable traps pppoe
> > !
> > line con 0
> >  exec-timeout 120 0
> >  transport output all
> >  stopbits 1
> > line vty 0 4
> >  access-class 15 in
> >  exec-timeout 120 0
> >  privilege level 15
> >  password 7 XXXXXXXXXXXXXXXX
> >  login local
> >  transport input ssh
> >  transport output all
> > !
> > scheduler max-task-time 5000
> > ntp clock-period 17168633
> > ntp peer 18.72.0.3
> > ntp peer 192.203.230.10
> > ntp peer 129.6.16.36
> > ntp peer 192.5.41.209 prefer
> > end
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
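Worked sizing for the GRE-over-IPsec-over-PPPoE budget the thread discusses, added here as an example rather than anything posted in the thread. It assumes the standard header sizes for GRE without options and tunnel-mode AH with HMAC-SHA1-96 plus ESP with AES-CBC (the `ah-sha-hmac esp-aes 256` transform set in the config), takes the 1452-byte Dialer1 `ip mtu`, the proposed 1428-byte tunnel `ip mtu` and the 1412-byte MSS from the config, and treats 1492 as an assumed plain PPPoE-on-Ethernet MTU.

```python
# Added example: MTU/MSS budget for GRE over tunnel-mode AH+ESP (IPsec) on a
# PPPoE link. Header sizes are the standard protocol constants; 1452, 1428 and
# 1412 come from the thread's config, 1492 is an assumed PPPoE-on-Ethernet MTU.
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4           # GRE with no key/sequence/checksum options
AH_SHA1_HDR = 24      # 12-byte AH header + 12-byte HMAC-SHA1-96 ICV
ESP_HDR = 8           # SPI + sequence number
AES_CBC_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2       # pad length + next header (no ESP ICV: AH does the auth)


def esp_padding(plaintext_len):
    """Bytes ESP adds so (payload + trailer) is a multiple of the AES block."""
    return -(plaintext_len + ESP_TRAILER) % AES_BLOCK


def encapsulated_size(inner_len):
    """On-wire IPv4 size of an inner packet after GRE, then AH+ESP tunnel mode."""
    gre_packet = IPV4_HDR + GRE_HDR + inner_len          # GRE delivery header
    plaintext = gre_packet + esp_padding(gre_packet) + ESP_TRAILER
    return IPV4_HDR + AH_SHA1_HDR + ESP_HDR + AES_CBC_IV + plaintext


def max_tunnel_ip_mtu(link_ip_mtu):
    """Largest tunnel 'ip mtu' whose packets never fragment on the link."""
    mtu = link_ip_mtu
    while encapsulated_size(mtu) > link_ip_mtu:
        mtu -= 1
    return mtu


def mss_for(ip_mtu):
    """MSS that fills an IPv4/TCP packet of ip_mtu bytes exactly."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def mss_fits(mss, tunnel_ip_mtu):
    """Does a full segment clamped to mss fit the tunnel MTU without fragmenting?"""
    return mss + IPV4_HDR + TCP_HDR <= tunnel_ip_mtu


if __name__ == "__main__":
    for link in (1492, 1452):             # assumed PPPoE MTU; Dialer1 ip mtu
        mtu = max_tunnel_ip_mtu(link)
        print(f"link ip mtu {link}: tunnel ip mtu <= {mtu}, adjust-mss <= {mss_for(mtu)}")
    # The combination proposed in the thread: ip mtu 1428 with adjust-mss 1412.
    print("mss 1412 fits ip mtu 1428:", mss_fits(1412, 1428))
```

With the 1452-byte Dialer1 MTU the calculation gives a tunnel `ip mtu` of 1350 and an MSS of 1310, in the range of the 1300 suggested in the thread. An MSS of 1412 plus 40 bytes of IPv4/TCP headers is 1452, which is the "set it down low enough too" check: the clamped MSS must be no more than the tunnel `ip mtu` minus 40.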