Firewall Wizards mailing list archives

R: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall


From: "edp" <edp.lists () acerbis it>
Date: Fri, 12 Dec 2003 18:04:09 +0100

We have tried lots of things on the GRE tunnel configuration on our Cisco
routers, including settings to ignore the Don't Fragment (DF) bit, and to
force different MTU sizes.  A long-running Cisco TAC case has not suggested
any way around our problem.

It also seems to me like a path MTU discovery problem.
Maybe the non-working webservers send packets bigger than your GRE tunnel
MTU and - more important - with DF set in the IP headers; when these packets
are processed by your router interface, your router cannot fragment the
packet to keep forwarding going, because it honors the DF flag, and so
it generates an ICMP "fragmentation required" to the webserver in order to
force the webserver to produce smaller packets. But maybe this ICMP gets
lost in transit due to strict filters, so the communication stalls.

Investigate your appliance's features; maybe you can patch the in-transit
client TCP MSS in order to avoid fragmentation.

Regards,
.FT
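An added example, not part of the original thread, that models the failure chain described in the reply above: DF-marked packets larger than the GRE tunnel MTU, the router's ICMP "fragmentation needed" response, a filter that drops that ICMP, and the MSS clamp that sidesteps the whole problem. The Ethernet MTU of 1500 and the 24-byte GRE overhead are constructed assumptions, as is the simplified server behaviour.

```python
# Added example, not from the original thread: a model of the path MTU
# discovery black hole described above. Assumed numbers: Ethernet MTU 1500,
# GRE overhead 24 bytes (outer IPv4 + GRE), so the tunnel MTU is 1476.
from dataclasses import dataclass

IP_HDR, TCP_HDR = 20, 20      # IPv4 and TCP headers without options
GRE_OVERHEAD = 24             # outer IPv4 header (20) + GRE header (4)
TUNNEL_MTU = 1500 - GRE_OVERHEAD

@dataclass
class Packet:
    length: int   # total IPv4 length in bytes
    df: bool      # Don't Fragment bit set?

def router_forward(pkt, out_mtu):
    """Router decision for one packet on an interface with MTU out_mtu."""
    if pkt.length <= out_mtu:
        return "forward", [pkt]
    if pkt.df:
        # DF honoured: drop and report the next-hop MTU in an ICMP
        # "fragmentation needed" (type 3, code 4) back to the sender
        return "icmp-frag-needed", out_mtu
    per_frag = (out_mtu - IP_HDR) // 8 * 8   # fragment payload is 8-byte aligned
    data, pieces = pkt.length - IP_HDR, []
    while data > 0:
        chunk = min(per_frag, data)
        pieces.append(Packet(IP_HDR + chunk, False))
        data -= chunk
    return "fragment", pieces

def session(server_mss, icmp_filtered, max_rounds=3):
    """Server keeps sending DF segments of server_mss until they fit the tunnel.
    Returns (outcome, segment size). icmp_filtered models a firewall that drops
    the ICMP frag-needed message before it reaches the web server."""
    mss = server_mss
    for _ in range(max_rounds):
        size = IP_HDR + TCP_HDR + mss
        action, info = router_forward(Packet(size, df=True), TUNNEL_MTU)
        if action == "forward":
            return "ok", size
        if icmp_filtered:
            return "stalled", size    # server never learns, retransmits the same size
        mss = info - IP_HDR - TCP_HDR  # server honours the reported MTU (RFC 1191)
    return "stalled", IP_HDR + TCP_HDR + mss

def clamp_mss(advertised_mss, tunnel_mtu=TUNNEL_MTU):
    """MSS the firewall should rewrite into the client's SYN so that the
    largest server segment (MSS + 40 bytes of headers) fits the tunnel."""
    return min(advertised_mss, tunnel_mtu - IP_HDR - TCP_HDR)
```

With ICMP filtered, a server using the usual 1460-byte MSS stalls forever; clamping the SYN's MSS to 1436 makes its segments fit the 1476-byte tunnel without any ICMP at all.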


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
