Problems with a GRE tunnel through an IPsec site-to-site tunnel

I recently ran into a tricky problem; after two days of digging I have nothing, so I'd like to ask anyone who has done network support.

We have an IPsec site-to-site tunnel as our WAN connection, with a Cisco ASA at each end. Inside the internal networks of the two offices we also built a GRE tunnel between two Cisco routers (a 7100 and a 2600) to connect two VLANs. After building it, when testing from one end, ICMP and UDP packets are all fine; only TCP has problems.

Looking at it in Wireshark, the packets returned from the far end show a "TCP ACKed lost segment" error, and the packet that follows shows a "broken TCP: the acknowledge field is nonzero" error. It looks like the TCP handshake is going wrong. What could it be? An MTU/MSS size problem? Asymmetric routing?

Replies, comments and Discussions:
    • Try changing the tunnel interface MTU to 1400...
      • I tried adjusting the MTU on one tunnel interface; it didn't work. I can't change the tunnel interface on the other end because of the old IOS version. I will upgrade the IOS later and try again.
    • On the ASA: sysopt connection tcpmss 1468 (if GRE overhead = 4, no encryption), or 1440 to be safe.
      • According to Cisco, in practice you may need to set tcpmss to 1300.
        • Thanks. Do I need to apply this new MSS value on the ASAs on both sides, or is one side enough?
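The MTU/MSS arithmetic behind the replies above, as an added example that is not code from the original thread. It assumes (none of this is stated on the page) a 1500-byte physical MTU, IPv4 without options, plain GRE with no key/sequence/checksum fields, ESP tunnel mode with AES-CBC and HMAC-SHA1-96, and an ASA that drops an oversized packet carrying DF without returning ICMP "fragmentation needed" (a PMTUD black hole). Under those assumptions it computes the largest inner packet that fits and the MSS that goes with it, then reproduces the symptom in the post: the handshake, ICMP echo and short UDP pass, a full-size TCP data segment is dropped, and an MSS clamp in the style of `sysopt connection tcpmss` makes the data segment fit. The constants, the `Packet` model and the sample traffic are all constructed for the example.

```python
"""Added example, not code from the original thread.

GRE-over-IPsec MTU/MSS budget and a model of the PMTUD black hole that
makes small packets pass while full-size TCP segments disappear.

Assumptions (not stated on the page): 1500-byte physical MTU, IPv4 without
options, bare GRE, ESP tunnel mode with AES-CBC + HMAC-SHA1-96, and an ASA
that silently drops oversized DF packets.
"""
from dataclasses import dataclass
from typing import Optional

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # bare GRE header, no optional fields (assumed)
ESP_SPI_SEQ = 8        # SPI + sequence number
ESP_IV = 16            # AES-CBC IV (assumed cipher)
ESP_TRAILER = 2        # pad length + next header
ESP_ICV = 12           # HMAC-SHA1-96 (assumed integrity algorithm)
AES_BLOCK = 16


def esp_tunnel_overhead(inner_len: int) -> int:
    """Bytes ESP tunnel mode adds around an inner packet of inner_len bytes.

    The encrypted body (inner packet + trailer) is padded to the cipher
    block size, so the overhead varies with the inner length.
    """
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    return IPV4_HDR + ESP_SPI_SEQ + ESP_IV + pad + ESP_TRAILER + ESP_ICV


def wire_len(inner_len: int) -> int:
    """On-wire size of an inner IP packet after GRE, then ESP tunnel mode."""
    gre_packet = IPV4_HDR + GRE_HDR + inner_len
    return gre_packet + esp_tunnel_overhead(gre_packet)


def max_inner_packet(phys_mtu: int = 1500) -> int:
    """Largest inner IP packet that fits phys_mtu after both encapsulations."""
    n = phys_mtu
    while wire_len(n) > phys_mtu:
        n -= 1
    return n


def recommended_mss(phys_mtu: int = 1500) -> int:
    """MSS that keeps a full segment inside max_inner_packet()."""
    return max_inner_packet(phys_mtu) - IPV4_HDR - TCP_HDR


@dataclass
class Packet:
    label: str
    inner_len: int      # size of the inner (pre-GRE) IP packet
    df: bool = True     # TCP stacks set DF for path-MTU discovery


def crosses_tunnel(pkt: Packet, phys_mtu: int = 1500,
                   pmtud_blackhole: bool = True) -> str:
    """Fate of one inner packet: 'delivered', 'fragmented' or 'dropped'."""
    if wire_len(pkt.inner_len) <= phys_mtu:
        return "delivered"
    if pkt.df and pmtud_blackhole:
        return "dropped"        # no ICMP type 3 code 4 reaches the sender
    return "fragmented"         # outer packet fragmented, reassembled at the peer


def clamp_mss(advertised: int, asa_tcpmss: Optional[int]) -> int:
    """Model of 'sysopt connection tcpmss N': an MSS option larger than N
    in a SYN or SYN-ACK crossing the ASA is lowered to N."""
    return advertised if asa_tcpmss is None else min(advertised, asa_tcpmss)


def simulate_tcp_transfer(advertised_mss: int = 1460,
                          asa_tcpmss: Optional[int] = None,
                          phys_mtu: int = 1500) -> dict:
    """Handshake (tiny segments) followed by one full-MSS data segment."""
    mss = clamp_mss(advertised_mss, asa_tcpmss)
    syn = Packet("SYN", IPV4_HDR + TCP_HDR + 4)          # 4-byte MSS option
    data = Packet("DATA", IPV4_HDR + TCP_HDR + mss)
    return {
        "mss": mss,
        "handshake": crosses_tunnel(syn, phys_mtu),
        "data": crosses_tunnel(data, phys_mtu),
    }


if __name__ == "__main__":
    print("largest inner packet:", max_inner_packet(), "bytes")
    print("recommended MSS:", recommended_mss())
    # Constructed traffic: a default 64-byte ping, a short UDP datagram,
    # TCP with the Ethernet-default MSS of 1460, then TCP with a clamp.
    for p in (Packet("ICMP echo", 84), Packet("UDP DNS", 20 + 8 + 60)):
        print(f"{p.label:10} {crosses_tunnel(p)}")
    print("TCP, unclamped:  ", simulate_tcp_transfer())
    print("TCP, tcpmss 1300:", simulate_tcp_transfer(asa_tcpmss=1300))
```

With these assumed constants the budget works out to a 1414-byte inner packet and an MSS of 1374, which is why an unclamped 1460-byte segment is dropped while the handshake, ping and DNS-sized UDP get through; a clamp of 1300 fits with room to spare, and the reply's 1440 does not once the ESP overhead is counted. The cipher suite and GRE options in the real deployment change the numbers, so the constants at the top should be set from the actual configuration before trusting the result. The model applies the clamp to whichever SYN or SYN-ACK crosses an ASA that has it configured, so one ASA already lowers the MSS seen by both directions of the flow in the simulation; confirm that against the ASA's own behaviour on the target release.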