Firewall Wizards mailing list archives
R: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall
From: "edp" <edp.lists () acerbis it>
Date: Fri, 12 Dec 2003 18:04:09 +0100
We have tried lots of things on the GRE tunnel configuration on our Cisco routers, including settings to ignore the Don't Fragment (DF) bit, and to force different MTU sizes. A long-running Cisco TAC case has not suggested any way around our problem.
Seems also to me a path MTU discovery problem. Maybe the non-working webservers send packets bigger than your GRE tunnel MTU and, more important, with DF set in the IP headers; when these packets are processed by your router interface, your router cannot fragment the packet to keep forwarding going, because it honors the DF flag, and so it generates an ICMP "require fragmentation" to the webserver in order to force the webserver to produce smaller packets. But maybe this ICMP gets lost in transit due to strict filters, so the communication stalls. Investigate your appliance's features; maybe you can patch the in-transit client TCP MSS in order to avoid fragmentation.

Regards,
.FT

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
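To make the mechanism in the reply concrete, here is an added toy model of the DF/ICMP exchange at a GRE tunnel head, with MSS clamping as the fix; it is not code from the list, Cisco or Check Point, and the 24-byte GRE overhead, 40-byte IP+TCP headers and 1500-byte link MTU are assumed values.

```python
from dataclasses import dataclass

GRE_OVERHEAD = 24    # assumed: outer IPv4 header (20) + plain GRE header (4) added by the tunnel
IP_TCP_HDRS = 40     # assumed: inner IPv4 (20) + TCP (20) headers, no options

@dataclass
class Packet:
    size: int        # total inner IP length in bytes
    df: bool         # Don't Fragment bit in the inner IP header

def tunnel_head(pkt: Packet, link_mtu: int):
    """Router decision at the GRE tunnel head for one inner packet.
    Returns (verdict, value): ('forward', wire_size), ('fragment', wire_size)
    or ('icmp_frag_needed', next_hop_mtu), i.e. ICMP type 3 code 4 sent back to the sender."""
    wire_size = pkt.size + GRE_OVERHEAD
    if wire_size <= link_mtu:
        return "forward", wire_size
    if pkt.df:
        # DF honoured: drop the packet and tell the sender the largest inner size that fits
        return "icmp_frag_needed", link_mtu - GRE_OVERHEAD
    return "fragment", wire_size

def clamp_mss(advertised_mss: int, link_mtu: int) -> int:
    """TCP MSS a middlebox would rewrite into the SYN so full segments clear the tunnel."""
    return min(advertised_mss, link_mtu - GRE_OVERHEAD - IP_TCP_HDRS)

def simulate(server_mss: int, link_mtu: int, icmp_filtered: bool, clamp: bool) -> str:
    """One full-size segment from a web server with DF set (normal PMTUD behaviour)."""
    mss = clamp_mss(server_mss, link_mtu) if clamp else server_mss
    verdict, value = tunnel_head(Packet(size=mss + IP_TCP_HDRS, df=True), link_mtu)
    if verdict == "forward":
        return "delivered"
    if icmp_filtered:
        # the 'fragmentation needed' message never reaches the server: PMTUD black hole
        return "stalled"
    # server honours the ICMP, lowers its path MTU and retransmits a smaller packet
    verdict, _ = tunnel_head(Packet(size=value, df=True), link_mtu)
    return "delivered after PMTUD" if verdict == "forward" else "stalled"

if __name__ == "__main__":
    # constructed scenarios: big server / ICMP filtered, ICMP allowed, MSS clamped, small server
    for args in [(1460, 1500, True, False), (1460, 1500, False, False),
                 (1460, 1500, True, True), (536, 1500, True, False)]:
        print(args, "->", simulate(*args))
```

The last scenario shows why only some webservers fail: a server advertising a small MSS never exceeds the tunnel MTU, so it works even with ICMP blocked.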
Current thread:
- MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall marcel . cook (Dec 06)
- RE: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall Ben Nagy (Dec 11)
- R: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall edp (Dec 12)
- Re: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall Eric Vyncke (Dec 16)
- <Possible follow-ups>
- Re: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall rainer . ginsberg (Dec 10)