RE: MTU issue routing traffic via Cisco GRE tunnel to No kia/Check Point firewall

["Behm, Jeffrey L." <BehmJL () bvsg com>]

Was researching a similar problem just this past Friday...maybe it applies
in your case, too...I won't even attempt to summarize for them, but it has
to do with the "Need to fragment, but DF set" ICMP message being blocked
somewhere along the way.

Since the post is from Cisco it might not be your problem, but...
HTH,
Jeff

http://www.cisco.com/warp/public/105/56.html
<part of this page posted here...>

Why Can't I Browse the Internet when Using a GRE Tunnel?
Introduction 
Sometimes when traffic goes through a generic routing encapsulation (GRE)
tunnel, you can successfully use Ping and Telnet, but you can't download
Internet pages or transfer files using FTP. This Tech Note explains a common
reason for this problem, and offers several workarounds.
 



-----Original Message-----
From: marcel.cook () convergys com
To: firewall-wizards () honor icsalabs com
Sent: 12/4/2003 5:23 AM
Subject: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to
Nokia/Check Point firewall

We have been suffering an issue to do with Checkpoint, Cisco GRE tunnels
and MTU size for a number of months now, and I thought it might be worth
posting a description of our problem on this list in case someone is
able
to help.  We feel that we have exhausted most avenues of trying to
troubleshoot this issue.

<snip>

The problem is that users in the Paris branch office are unable to view
_some_ websites.  Examples of ones that don't work are www.yahoo.fr and
www.adp.fr.  The majority work fine, including www.cisco.com and
www.google.com.

<snip>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards