[j-nsp] GRE Tunnel bet JUNIPER and CISCO

Derick Winkworth dwinkworth at att.net
Wed Nov 3 14:15:37 EDT 2010


Is this an encrypted GRE tunnel over the internet?

The "recommended" MTU is 1400 bytes on both ends. Use the 
clear-dont-fragment-bit knob on the juniper side, and do "ip tcp mss-adjust 
1360" on the Cisco side.  Also on the Cisco side, ingress interfaces should have 
a route-map applied to clear the df bit of the packets similar to the 
following:  


route-map clear-df-bit permit 10
 set ip df 0

interface fa0/0
 ip policy route-map clear-df-bit



Note that "crypto ipsec clear df" on the Cisco side does not work for traffic 
passing through GRE tunnels, and you should not have this command enabled if 
you are doing encrypted GRE tunnels.  Similarly on the Juniper side, under the 
ipsec-vpn rule you should not configure the clear-dont-fragment-bit option (I 
forget the exact knob name, but it's there).  The reason for this is that if you 
configure path-mtu-discovery these options will break it.

As noted below, you may have to lower the MTU or the tcp-adjust depending on the 
ciphers you are using.  


As much as possible, you want to avoid fragmenting and reassembling GRE or IPsec 
packets.  I would lower the MTU and tcp mss-adjust until you stop seeing GRE and 
IPSec fragmentation.

There are some odd bugs related to the clear-dont-fragment-bit option on the 
Juniper end.  If you are doing packet classification ingress on the router, all 
packets must be classified with a loss-priority of "low."  Otherwise packets 
will get blackholed if the next-hop is over the GRE tunnel.  I think this is 
fixed in 10.0S8, but not in 10.0R4.  Probably is fixed in 10.2R3, but I haven't 
tested.
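The arithmetic behind the 1400/1360 numbers above, as an added example that is not part of the thread: it assumes GRE without optional fields carried inside ESP tunnel mode (transport mode would save 20 bytes) and the standard header sizes from the RFCs, and it lets you redo the sums for the cipher you actually run.

```python
# Added example, not from the thread: size arithmetic for GRE carried inside
# ESP tunnel mode, showing why inner MTU 1400 / TCP MSS 1360 avoids GRE and
# IPsec fragmentation on a 1500-byte path and how the margin depends on cipher.
IPV4_HDR = 20   # IPv4 header without options (RFC 791)
GRE_HDR = 4     # GRE header without key/sequence/checksum (RFC 2784)
TCP_HDR = 20    # TCP header without options
ESP_HDR = 8     # ESP SPI + sequence number (RFC 4303)

# (IV bytes, padding alignment, ICV bytes) per ESP transform (RFC 3602, RFC 4106)
CIPHERS = {
    "aes-cbc-hmac-sha1-96":    (16, 16, 12),
    "aes-cbc-hmac-sha256-128": (16, 16, 16),
    "3des-cbc-hmac-sha1-96":   (8, 8, 12),
    "aes-gcm-128":             (8, 4, 16),
}

def esp_tunnel_size(inner_len: int, cipher: str) -> int:
    """Wire size of an inner_len-byte IP packet after ESP tunnel-mode encapsulation."""
    iv, align, icv = CIPHERS[cipher]
    # ESP trailer: pad so payload + pad + pad-length + next-header is aligned
    pad = (-(inner_len + 2)) % align
    return IPV4_HDR + ESP_HDR + iv + inner_len + pad + 2 + icv

def gre_ipsec_wire_size(inner_ip_len: int, cipher: str) -> int:
    """Host IP packet -> GRE delivery packet (outer IPv4 + GRE) -> ESP tunnel mode."""
    gre_pkt = IPV4_HDR + GRE_HDR + inner_ip_len
    return esp_tunnel_size(gre_pkt, cipher)

def max_inner_mtu(path_mtu: int, cipher: str) -> int:
    """Largest host IP packet that crosses path_mtu without GRE/IPsec fragmentation."""
    size = path_mtu
    while size > 0 and gre_ipsec_wire_size(size, cipher) > path_mtu:
        size -= 1
    return size

def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS to clamp with adjust-mss so segments fit the inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR

def df_outcome(inner_ip_len: int, cipher: str, path_mtu: int, df_set: bool, clear_df: bool) -> str:
    """'forwarded' if it fits; else 'fragmented' (DF clear or cleared) or 'dropped' (DF kept)."""
    if gre_ipsec_wire_size(inner_ip_len, cipher) <= path_mtu:
        return "forwarded"
    return "dropped" if df_set and not clear_df else "fragmented"

if __name__ == "__main__":
    for name in CIPHERS:
        mtu = max_inner_mtu(1500, name)
        print(f"{name:24s} inner MTU {mtu}  MSS {tcp_mss_for(mtu)}")
```
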
________________________________
From: "Linder, Todd" <todd at onenet.net>
To: giulianocm at uol.com.br; juniper-nsp at puck.nether.net
Sent: Wed, November 3, 2010 9:15:02 AM
Subject: Re: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

I recently had a similar issue between a Juniper and a Cisco router;
I resolved some of those symptoms by adjusting the TCP maximum segment
size. You may have to play with this setting until it yields the best
result. I used "ip tcp adjust-mss 1300" and applied it to the
interfaces used. This size seemed to yield the best results for my
scenario.


Todd Linder
Network Support Engineer
OneNet 
Oklahoma's Telecommunications Network


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Giuliano
Cardozo Medalha
Sent: Wednesday, November 03, 2010 8:04 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] GRE Tunnel bet JUNIPER and CISCO

People,

We are trying to close a GRE tunnel between juniper and Cisco routers
without success.

We have tried a lot of MTU configurations but the traffic is suffering a
lot ... sometimes slow, sometimes some pages do not open.

Have you ever configured something like this before?

Any tips or configuration related to best practices?

Thanks a lot,

Giuliano
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp