L2TP vpdn multihop MTU problem
Hello,
I have a problem with MTU via L2TP multihop. Does anyone have information on the sequence of operations when tunnel switching is provided?
(When a packet is switched into the second tunnel, is it compared with the MTU before or after L2TP encapsulation?)
Thanks a lot,
Vladimir
This document might answer your question:
http://www.cisco.com/en/US/tech/tk827/tk369/tech_brief09186a00800a43e9.html
Similar Messages
-
Is it MPLS mtu problem ?
Our company is servicing MPLS between HQ and Branch. PE<->PE is running EBGP through PPP multilink and PE<->CE is running OSPF. The PE router is a Cisco 3845. When I configured it, it was working well. In the CE<->CE case, I can ping each other, but I could not access the web server from the Branch 2 days later. I thought it was an MTU problem, so that is why I changed the PE<->PE MTU size to 1526 and CE<->CE to 1436. The web server and FTP were working well at that time. What I am asking you: I can access some kinds of files.
Do I have to re-adjust the MTU size? If I have to, at which position do I have to do it? Let me know. I am serious.
Hi,
You might have an MTU issue, but maybe not in the MPLS environment.
Usually hosts are connected to the network through Ethernet and have an MTU of 1500 Bytes. Thus your CE setting of 1436 Bytes might create your observed problem. The CE router might have to discard packets above 1436 with DF bit set.
MPLS adds 2 labels, i.e. 8 Bytes. With your settings this should create no problem (1436+8=1444 < 1526).
The general recommendation thus is: CE <-> CE should be 1500 Byte and inside the MPLS network you should adjust MTU to allow this.
Example:
CE:
interface Serial0
 description to PE Serial1/0
 mtu 1500
PE:
interface Serial1/0
 description to CE Serial0
 mtu 1500
interface Serial1/1
 description to MPLS cloud
 mtu 1526
 mpls ip
To localize your problem I would use an extended ping with df bit set and varying sizes. You should get 1436 Bytes with your current settings. Increase this to 1500 Bytes MTU and test again. Finally you should be able to rule out network related issues - there might still be application related issues like file access restrictions on the server.
Hope this helps! Please use the rating system.
Regards, Martin -
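The DF-bit size sweep suggested in the reply above, as an added example that is not part of the original post: it models a path as a list of links, each with an MTU and a per-link encapsulation overhead (8 bytes for the two MPLS labels), and binary-searches for the largest DF-set packet that gets through. The link names, the `Link` class, and the "unadjusted core" case are assumptions made for illustration; the MTU values 1436, 1500 and 1526 come from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Link:
    name: str
    mtu: int           # configured interface MTU in bytes
    overhead: int = 0  # bytes added on this link, e.g. 2 MPLS labels = 8


def df_probe(path: List[Link], size: int) -> Optional[str]:
    """Simulate one DF-set ping of `size` bytes.

    Returns None if every link can carry the packet, otherwise the name
    of the first link that has to drop it (it may not fragment).
    """
    for link in path:
        if size + link.overhead > link.mtu:
            return link.name
    return None


def largest_df_size(path: List[Link], low: int = 68,
                    high: int = 9000) -> Tuple[int, Optional[str]]:
    """Binary search for the largest DF-set size that crosses the path.

    Returns (size, limiting_link), where limiting_link is the link that
    drops a packet one byte larger. (0, link) means even `low` fails.
    """
    first_fail = df_probe(path, low)
    if first_fail is not None:
        return 0, first_fail
    while low < high:
        mid = (low + high + 1) // 2
        if df_probe(path, mid) is None:
            low = mid          # mid passes, look higher
        else:
            high = mid - 1     # mid is dropped, look lower
    return low, df_probe(path, low + 1)


# Constructed paths. Link names are illustrative, MTUs are from the thread.
CURRENT = [
    Link("CE Serial0", 1436),
    Link("PE Serial1/1 (MPLS)", 1526, overhead=8),
    Link("remote CE", 1436),
]
RECOMMENDED = [
    Link("CE Serial0", 1500),
    Link("PE Serial1/1 (MPLS)", 1526, overhead=8),
    Link("remote CE", 1500),
]
# Hypothetical case: CE raised to 1500 but the core left at 1500, so the
# 8 label bytes no longer fit.
UNADJUSTED_CORE = [
    Link("CE Serial0", 1500),
    Link("PE Serial1/1 (MPLS)", 1500, overhead=8),
    Link("remote CE", 1500),
]

if __name__ == "__main__":
    for label, path in [("current", CURRENT),
                        ("recommended", RECOMMENDED),
                        ("unadjusted core", UNADJUSTED_CORE)]:
        size, limit = largest_df_size(path)
        print(f"{label}: largest DF packet {size} bytes, limited by {limit}")
```

Against a real network, `df_probe` would be replaced by a function that sends the DF-set ping and reports success or failure; the search logic stays the same.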
ASR 9000 4.2.1 l2tp vpdn config migration
Hi,
I had a Cisco 7206VXR G2. I used to use VPN L2TP on the router. The 7206 config is below:
vpdn-group pppoe_customer
description ***** redback *****
accept-dialin
protocol l2tp
virtual-template 10
terminate-from hostname 192.168.96.149
source-ip 192.168.96.4
local name 192.168.96.4
lcp renegotiation always
l2tp tunnel password 0 ericsson
l2tp tunnel timeout setup 3600
ip mtu adjust
How do I migrate or apply this config on the ASR 9000?
Hi,
since there are different approaches and options to consider due to the nature of the ASR9K and IOS XR, I suggest you read this documentation and decide how to do the config based on your knowledge of the network you have.
http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/bng/configuration/guide/b_bng_cg42asr9k.pdf
plz Rate if it helped,
Soroush. -
RADIUS config for VRF-aware VPDN multihop tunnel
Hi,
I can't find the LNS config directives that will lead to getting the complete(!) VPDN profile from RADIUS.
The configuration is:
LAC-LNS/PE-LNS/CE
LNS/PE - provider edge lns that we want to configure using radius profile for vrf-aware multihop vpdn so that incoming tunnel is switched out to LNS/CE in one of the vrfs configured on LNS/PE.
The "vpdn tunnel authorization " command lets me get the profile for the ingress session coming from the LAC, but in order to switch the tunnel further to LNS/CE I have to configure a vpdn-group on LNS/PE. Is it possible to make a RADIUS profile that LNS/PE will use for both ingress and egress tunnels?
Hello Alex,
I would like to point you to another section of this forum. There is currently an "Ask The Expert" about MPLS VPNs at http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dda563c
Maybe it will be more suitable to address your questions there.
Hope this Helps!
Regards, Martin -
Hey Guys,
We currently have several remote sites that connect back to our core (7206VXR) via p2p T1s. One site connects back to us via MetroE. All sites are set up under 1 VRF. The sites that have T1s can ping each other with no problem, even bumping the datagram size up to over 1000. The problem I'm running into is with the MetroE site. If I try to ping it or ping from the site and bump the datagram size up to 250 or higher, the success rate goes down to about 30%. This in turn seems to be causing some issues with our clients. Any advice on this would be great. The setup is that all the interfaces that connect to the remote sites are in the same VRF. We then run EIGRP and route the subnets needed and everything works great besides a few applications that seem to be related to something with the MetroE, MPLS, and MTU size. I'm just not sure where to start.
Thanks in Advance
Ok, I tried this 3 times and upped the DG size by 100 each time. At 300 I started getting packet loss. The thing I don't understand is that when setting "Set DF bit in IP header" to yes I don't notice any difference from when it's set to no.
TX-OPT-RTR#ping
Protocol [ip]:
Target IP address: 192.168.0.254
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.0.254, timeout is 2 seconds:
Packet sent with the DF bit set
Success rate is 100 percent (10/10), round-trip min/avg/max = 32/32/32 ms
TX-OPT-RTR#ping
Protocol [ip]:
Target IP address: 192.168.0.254
Repeat count [5]: 10
Datagram size [100]: 200
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 200-byte ICMP Echos to 192.168.0.254, timeout is 2 seconds:
Packet sent with the DF bit set
Success rate is 100 percent (10/10), round-trip min/avg/max = 32/32/36 ms
TX-OPT-RTR#ping
Protocol [ip]:
Target IP address: 192.168.0.254
Repeat count [5]: 10
Datagram size [100]: 300
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 300-byte ICMP Echos to 192.168.0.254, timeout is 2 seconds:
Packet sent with the DF bit set
Success rate is 70 percent (7/10), round-trip min/avg/max = 32/33/36 ms -
I have discovered that one of my routers, a 7206VXR with a PA-FE-FX "does not support user settable mtu". This seems to be causing a problem with some customers with firewalls (Path MTU Discovery isn't working on them...).
I have turned up the MTU to 1526 on all interfaces and turned the MPLS MTU setting down, but I cannot make these problems go away. Are there any workarounds for this? Are there any means at all for forcibly fragmenting packets?
As I said, the router in question is a 7206VXR, NPE-300 and the interface is a PA-FE-FX; it is running IOS 12.2(10b).
What I ended up doing was: connect a 7500 to a 7200, both with PA-FE-TX, and it worked. Then I plugged in a 2900XL switch in between them. This did not work. I set the MTU on the two ports on the switch. I then (after tearing hair, jumping up and down, etc.) rebooted the switch. The switch came back up with the interfaces already configured for MTU 2018. This finally worked. 12.0(5.2)XU is the version that all the switches in question were running.
The other problem that I realized was that the path that was working was actually going through a 3550, not a 2900XL.
So I reloaded the switches in question that evening, and lo and behold, everything was peachy, 1500 byte packets worked again. I can't really guess why this is the case, but reload + coming up configured with MTU works, configuring the MTU to be larger while running doesn't. I should also mention that these ports are actually WS-X2922-XL-V and WS-X2924-XL-V modules, not the regular ports... I know, I know.
I've heard stranger things and I'm happy to get some rest now and play with the new features MPLS provides. You guys were very helpful, particularly hritter, in pointing me toward the switches, otherwise I would have probably replaced the PA-FE with a gigabit card. -
Hi
Eudora is telling me that I have to adjust my mtu settings as my attachments are not being sent. This after months of working fine with no problems. Safari is also slow today. Any thoughts on downloading an IP net tuner to maximize performance?
Why would this problem occur after months of trouble free attachment sending?
I'm on a local network, 5 computers total, bt1800hg router, fast broadband connection.
Is this just a BAD day?
Thanks
G4,1 ghz dual.1gb ram Mac OS X (10.3.9)
Hi--
Is there a similar setting for the AirPort? I can't
find it. I have been told to adjust MTU to 1492 in
order to be able to use secure internet (https) in my
office.
This page has instructions. The changes are lost when you restart your computer, so you'll have to run that command each time you reboot.
What I'd suggest is that you try it from the Terminal app. If it works, post to the Unix discussion and ask for help in setting up a way to set it when you restart your computer.
charlie -
Samba with Jumbo MTU Problem?
I have a Suse 10 Linux file server running Samba. My iMac Core Duo is connected to the Suse server via a Gigabit network. The switch, Linux box, and iMac all specify that they support an MTU of 9000.
However, I cannot get the iMac to connect to the Samba server on the Linux box if the iMac's MTU is set to 9000. (Even when the Linux box also has an MTU of 9000.)
So, upon further investigation, it's actually a switch problem.
I have a Netgear GS605. Netgear, ever so 'delightfully', has two hard to discern, not overtly obvious, revs of this gigabit switch. One of them handles Jumbo Frames and QoS. The older one doesn't. When you go to their site to comparison shop, the product page doesn't even note this. You must dig through their knowledgebase errata. They don't even bother to note on the box if the unit is a version 1 or version 2. You need to know a specific serial number prefix. Pretty lame if you ask me.
They must be taking a page from Apple on rev 1 hardware. -
Xbox MTU problems!!!
waaaa!!! my xbox wont work!!! its asking me for my mtu settings!!! it was working fine earlier... whats wrong???
♥ Registered TradeMark Since 1987 ♥
Johnaldinho wrote:
Hiya, I came here for exactly the same question. My MTU is set at 1500 so that's ok, Xbox Live suggest above 1364
All the Xbox live sites are down, as are the forums. www.xbox.com & www.xbox.com/live are both snafu
Appears Live has had a big failure of some sort....so will be back no doubt soon enough with no more issues all being well.
Don't mess with your settings or anything until Live comes back up online
Hope this helps
Very good advice.... -
L2TP and fixed Framed IP Address for VPN user
Hi,
I have a running L2TP/IPsec VPN setup with authentication against a RADIUS server (freeradius2 with MySQL). I would like to have some of my VPN users get a fixed IP address instead of one dynamically assigned from the IP pool.
The radius server is returning the correct parameters, I think.
I hope someone can help me.
It's a Cisco 892 Integrated Service Router.
Router Config:
=============================================================
Current configuration : 8239 bytes
! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
hostname vpngw2
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
logging buffered 51200 warnings
enable secret 5 secret
aaa new-model
aaa authentication login default local group radius
aaa authentication login userauthen local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group radius
aaa accounting network default
action-type start-stop
group radius
aaa accounting resource default
action-type start-stop
group radius
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip domain name aspect-online.de
ip name-server 10.28.1.31
ip inspect WAAS flush-timeout 10
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
virtual-profile if-needed
multilink bundle-name authenticated
async-bootp dns-server 10.28.1.31
async-bootp nbns-server 10.28.1.31
vpdn enable
vpdn authen-before-forward
vpdn authorize directed-request
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
license udi pid -K9 sn FCZ
username root password 7 secret
ip ssh source-interface FastEthernet8
ip ssh version 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key mykey address 0.0.0.0 no-xauth
crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
mode transport
crypto dynamic-map config-map-l2tp 10
set nat demux
set transform-set configl2tp
crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
<snip>
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
ip address 10.28.1.97 255.255.255.0
ip access-group vpn_to_lan out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1
ip unnumbered GigabitEthernet0
ip access-group vpn_to_inet_lan in
ip nat inside
ip virtual-reassembly in
peer default ip address pool l2tpvpnpool
ppp encrypt mppe 128
ppp authentication chap
interface GigabitEthernet0
description WAN Port
ip address x.x.x.39 255.255.255.0
ip access-group from_inet in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpnl2tp
interface Vlan1
no ip address
shutdown
ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
ip local pool remotepool 192.168.252.240 192.168.252.243
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat log translations syslog
ip nat inside source route-map natmap interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.33
ip access-list extended from_inet
<snip>
ip access-list extended nat_clients
permit ip 192.168.252.0 0.0.0.255 any
ip access-list extended vpn_to_inet_lan
<snip>
ip access-list extended vpn_to_lan
<snip>
deny ip any any log-input
logging trap debugging
logging facility local2
logging 10.28.1.42
no cdp run
route-map natmap permit 10
match ip address nat_clients
radius-server attribute 8 include-in-access-req
radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
radius-server key 7 mykey
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
mgcp profile default
banner login ^C
Hostname: vpngw2
Model: Cisco 892 Integrated Service Router
Description: L2TP/IPsec VPN Gateway with Radius Auth
^C
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
=============================================================
User Config in Radius (tying multiple attributes):
=============================================================
Attribute | op | Value
Service-Type | = | Framed-User
Cisco-AVPair | = | vpdn:ip-addresses=192.168.252.220
Framed-IP-Address | := | 192.168.252.221
Cisco-AVPair | = | ip:addr-pool=remotepool
=============================================================
Debug Log from freeradius2:
=============================================================
rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
Framed-Protocol = PPP
User-Name = "me1"
CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'me1' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'me1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'me1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "me1" with CHAP password
[chap] Using clear text password "test" for user me1 authentication.
[chap] chap user me1 authenticated succesfully
++[chap] returns ok
Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 10.28.1.97 port 1645
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Address := 192.168.252.221
Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
Service-Type = Framed-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
Acct-Session-Id = "00000011"
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "x.x.x.39"
Tunnel-Client-Endpoint:0 = "x.x.x.34"
Tunnel-Assignment-Id:0 = "L2TP"
Tunnel-Client-Auth-Id:0 = "me1"
Tunnel-Server-Auth-Id:0 = "vpngw2"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.252.9
User-Name = "me1"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] expand: %t -> Fri Mar 30 11:20:07 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
Finished request 1.
Cleaning up request 1 ID 19 with timestamp +53
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
Acct-Session-Id = "00000011"
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "x.x.x.39"
Tunnel-Client-Endpoint:0 = "x.x.x.34"
Tunnel-Assignment-Id:0 = "L2TP"
Tunnel-Client-Auth-Id:0 = "me1"
Tunnel-Server-Auth-Id:0 = "vpngw2"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.252.9
Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
User-Name = "me1"
Acct-Authentic = RADIUS
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=100000000"
Cisco-AVPair = "nas-rx-speed=100000000"
Acct-Session-Time = 5
Acct-Input-Octets = 5980
Acct-Output-Octets = 120
Acct-Input-Packets = 47
Acct-Output-Packets = 11
Acct-Terminate-Cause = User-Request
Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
Acct-Status-Type = Stop
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] expand: %t -> Fri Mar 30 11:20:12 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Octets} -> 5980
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Octets} -> 120
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2012-03-30 11:20:12', acctsessiontime = '5', acctinputoctets = '0' << 32 | '5980', acctoutputoctets = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
Finished request 2.
Cleaning up request 2 ID 20 with timestamp +58
Going to the next request
Waking up in 0.1 seconds.
Cleaning up request 0 ID 7 with timestamp +53
Ready to process requests.
=============================================================
Log From Cisco Router:
=============================================================
Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS: authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS: CHAP-Password [3] 19 *
Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS: authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS: Framed-IP-Address [8] 6 192.168.252.221
Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS: Vendor, Cisco [26] 41
Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS: Cisco AVpair [1] 35 "vpdn:ip-addresses=192.168.252.220"
Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS: authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS: Acct-Session-Id [44] 10 "00000011"
Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS: Tunnel-Type [64] 6 00:
Mar 30 11:20:07 vpngw2 1258: L2TP [3]
Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS: Tunnel-Assignment-Id[82] 6 "L2TP"
Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Auth-I[90] 5 "me1"
Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Auth-I[91] 8 "vpngw2"
Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS: Framed-IP-Address [8] 6 192.168.252.9
Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS: Vendor, Cisco [26] 35
Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS: Acct-Status-Type [40] 6 Start [1]
Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS: Acct-Delay-Time [41] 6 0
Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS: authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS: authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS: Acct-Session-Id [44] 10 "00000011"
Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS: Tunnel-Type [64] 6 00:
Mar 30 11:20:12 vpngw2 1292: L2TP [3]
Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS: Tunnel-Assignment-Id[82] 6 "L2TP"
Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Auth-I[90] 5 "me1"
Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Auth-I[91] 8 "vpngw2"
Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS: Framed-IP-Address [8] 6 192.168.252.9
Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 59
Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 53 "ppp-disconnect-cause=Received LCP TERMREQ from peer"
Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 35
Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 30
Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 24 "nas-tx-speed=100000000"
Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 30
Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 24 "nas-rx-speed=100000000"
Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS: Acct-Session-Time [46] 6 5
Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS: Acct-Input-Octets [42] 6 5980
Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS: Acct-Output-Octets [43] 6 120
Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS: Acct-Input-Packets [47] 6 47
Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS: Acct-Output-Packets [48] 6 11
Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 39
Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=PPP Receive Term"
Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS: Acct-Status-Type [40] 6 Stop [2]
Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS: Acct-Delay-Time [41] 6 0
Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS: authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
=============================================================
I found the failure.
In the cisco config it must be
aaa authorization network default group radius local
not
aaa authorization network groupauthor local
-
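An added example (not part of the original post): a Python parser for the IOS RADIUS debug layout shown in the log above, which groups attribute lines per Accounting-Request and reports Stop records for very short sessions together with their disconnect cause. The sample lines, user names and the 192.0.2.10 server address are constructed, and the 10-second threshold is an assumption.

```python
import re

# Constructed sample, laid out like the IOS "RADIUS:" debug lines in the log above.
SAMPLE_LOG = """\
Mar 30 11:20:07 gw 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 192.0.2.10:1813 id 1646/19, len 213
Mar 30 11:20:07 gw 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
Mar 30 11:20:07 gw 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Mar 30 11:20:08 gw 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 192.0.2.10:1813, Accounting-response, len 20
Mar 30 11:20:12 gw 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 192.0.2.10:1813 id 1646/20, len 407
Mar 30 11:20:12 gw 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
Mar 30 11:20:12 gw 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
Mar 30 11:20:12 gw 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
Mar 30 11:20:12 gw 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   7   "alice"
Mar 30 11:20:12 gw 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
Mar 30 11:20:12 gw 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
Mar 30 11:20:12 gw 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Mar 30 12:30:00 gw 1400: Mar 30 10:31:44.100: RADIUS(00000016): Send Accounting-Request to 192.0.2.10:1813 id 1646/21, len 300
Mar 30 12:30:00 gw 1401: Mar 30 10:31:44.100: RADIUS:  User-Name           [1]   5   "bob"
Mar 30 12:30:00 gw 1402: Mar 30 10:31:44.100: RADIUS:  Acct-Session-Time   [46]  6   3600
Mar 30 12:30:00 gw 1403: Mar 30 10:31:44.100: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (?P<code>[\w-]+) to (?P<server>\S+) id")
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[A-Za-z][A-Za-z0-9 ,-]*?)\s*\[\d+\]\s+\d+\s+(?P<value>.*)$")

def clean(value):
    """Strip quotes from strings and the trailing enum code from values like 'Stop [2]'."""
    value = value.strip()
    return value.strip('"') if value.startswith('"') else re.sub(r"\s*\[\d+\]$", "", value)

def parse_packets(log_text):
    """Group attribute lines under the 'Send <code>' line that precedes them."""
    packets, current = [], None
    for line in log_text.splitlines():
        sent = SEND_RE.search(line)
        if sent:
            current = {"code": sent["code"], "server": sent["server"]}
            packets.append(current)
        elif "RADIUS: Received from" in line:
            current = None  # the reply header ends the request being dumped
        elif current is not None and (attr := ATTR_RE.search(line)):
            name, value = attr["name"], clean(attr["value"])
            if name == "Cisco AVpair" and "=" in value:
                name, _, value = value.partition("=")  # key=value carried in the VSA
            current[name] = value
    return packets

def short_sessions(packets, max_seconds=10):
    """Accounting Stop records whose session lasted max_seconds or less."""
    hits = []
    for p in packets:
        secs = p.get("Acct-Session-Time", "")
        if p.get("Acct-Status-Type") == "Stop" and secs.isdigit() and int(secs) <= max_seconds:
            hits.append((p.get("User-Name"), int(secs), p.get("Acct-Terminate-Cause"),
                         p.get("ppp-disconnect-cause")))
    return hits

if __name__ == "__main__":
    for hit in short_sessions(parse_packets(SAMPLE_LOG)):
        print(hit)
```

A session that stops a few seconds after its Start record, as in the log above, shows up here with the peer-reported cause next to the user name.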
Mail attachment problem with IP TUNNELING
Hi
We are an ISP and we have two links separately from two different service providers, one is for send traffic and another one for receive traffic. We use a simple GRE tunnel and configured it in our router. The tunnel is active and everything seems to work fine, but when users want to use mail attachments like Yahoo mail attachments they have a problem: Yahoo asks them to attach files, they can browse and choose files, and after that, when they want to finish, the Yahoo attachment page process opens and never finishes its job!
please help.
Thanks.
Regards, Bahman mozaffari
Hi,
this sounds like you are having MTU problems due to the GRE overhead. You can try to fix this with the command
ip tcp adjust-mss 1400 ! example value
on the tunnel interfaces. The router will intercept TCP MSS negotiation and allow only TCP segments small enough to fit through the tunnel.
Hope this helps! Please rate all posts.
Regards, Martin
-
I am replacing a 2611 with a 2811 and I am copying the setups from the old router. I have a question about the following: on the old router there was no line in my config for l2tp - I do not seem to be able to find any configuration options for it - I don't necessarily want to get rid of it but mainly want to know how to configure it and whether the same options apply for pptp. I think I have gone into all of the listed options and put in "?". Is l2tp missing from the help?
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
l2tp tunnel password 7
Which IOS version are you using? If you are using a lower version, you need to upgrade to version 12.4(6).
Sample VPN group configuration:
vpdn-group 2
! Default L2TP VPDN group
description L2TP for Dial
accept-dialin
protocol l2tp
virtual-template 2
l2tp tunnel password xxxxx
-
Anybody know the default mtu setting on a gre tunnel interface such as this?:
interface Tunnel1
description "xxx"
ip address x.x.x.x 255.255.255.252
tunnel source Loopback1
tunnel destination x.x.x.x
I'm asking cause on the core redundant to this one where I've copied code from, the config line 'ip mtu 1500' is configured. I want to make sure these are matched up.
Thanks in advance.
/rls
Robert,
Sorry, I spoke too soon. I should have focused on your question, which is "IP MTU" and referred you to the command "show ip interface Tu0" instead of "show interface tu0".
GRE packets are formed by the addition of the original packets and the required GRE
headers. These headers are 24-bytes in length and since these headers are added to the
original frame, depending on the original size of the packet we may run into IP MTU
problems.
Even though the maximum IP datagram has been defined as 64K, most links enforce a smaller
maximum size for the packets. This maximum size is known as MTU (Maximum Transmission
Unit) and as you also know, different types of media have different MTU sizes they can
accommodate and transport. The most common IP MTU is 1500-bytes in length (Ethernet).
The IP implementation, as we know it, provides a mechanism to allow routers the
fragmentation and transmission of packets larger if there are differences in the MTU and a
packet is larger than what the outgoing media will support. Once a packet has been
fragmented to be sent over a media that will not support the original packet size, the end
station is responsible for the reassembly of the different fragments the original packet
was broken into.
GRE tunnels normally calculate their IP MTU size based on the physical link they will use
as the outgoing interface.
What you see in "show interface Gig X" is the MTU of the interface and NOT the IP MTU.
In order for you to see the IP MTU you need to use the "show ip interface Gig X"
When the tunnel is created, it deducts the 24-bytes it needs to encapsulate the passenger
protocols and that is the IP MTU it will use.
For example, if we are forming a tunnel over FastEthernet (IP MTU 1500) the IOS calculates
the IP MTU on the tunnel as:
1500-bytes from Ethernet - 24-bytes for the GRE encapsulation = 1476-Bytes
Let me explain this with a simple setup:
Let's say I configure a Tunnel interface and source it via a physical interface which has an MTU of 1500; then the Tunnel
interface will have an IP MTU of 1476, leaving space for the 24 byte GRE header.
In my case, I am sourcing the packets from Gig0/0, which has a physical interface MTU of 1500, so when I do a "show ip int Tu0",
you will see that the IP MTU is 1476.
Router#sh run int gi0/0
Building configuration...
Current configuration : 118 bytes
interface GigabitEthernet0/0
ip address 10.89.245.253 255.255.255.0
duplex auto
speed auto
media-type rj45
end
Router#sh run int tu0
Building configuration...
Current configuration : 127 bytes
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 10.89.245.1
end
Router#sh int gi 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.89.245.253/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
Router#sh ip int tu 0
Tunnel0 is up, line protocol is up
Internet address is 1.1.1.1/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1476 bytes
Now, let's say I lower the IP MTU value on Gi0/0 to 1400. What should be the default new value on the tunnel interface? You
are absolutely right, 1376 :-)
Router#sh run int gi0/0
Building configuration...
Current configuration : 131 bytes
interface GigabitEthernet0/0
ip address 10.89.245.253 255.255.255.0
ip mtu 1400
duplex auto
speed auto
media-type rj45
end
Router#sh ip int tu0
Tunnel0 is up, line protocol is up
Internet address is 1.1.1.1/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1376 bytes
Please standby.... More to follow in the second post due to character limitation
Regards,
Arul
** Please rate all helpful posts **
-
Can someone please explain the two different behaviours of MTU as per the output below:
In the first output, why don't we see packet loss although the packet size is bigger than the MTU size,
whereas in output 2 we notice packet loss where the packet size is 1481 and the MTU size is 1480?
=== OutPut 1 ===
ROU#sh int t3
Tunnel3 is up, line protocol is up
Hardware is Tunnel
Description: ***Connect to Ro_03 Tunnel1 Fe0/0/0***
Internet address is 21.233.41.21/30
MTU 17920 bytes, BW 4096 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 21.233.7.22 (GigabitEthernet0/0/4), destination
21.233.41.246
Tunnel Subblocks:
src-track:
Tunnel3 source tracking subblock associated with
GigabitEthernet0/0/4
Set of tunnels with source GigabitEthernet0/0/4, 10 members (includes iterators), on interface <OK>
Tunnel protocol/transport IP/IP
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1480 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 12000 bits/sec, 1 packets/sec
5 minute output rate 13000 bits/sec, 1 packets/sec
16274329 packets input, 3173533969 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
18686934 packets output, 8984626725 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
ITC#ping
Protocol [ip]:
Target IP address: 21.233.41.22
Repeat count [5]: 1000
Datagram size [100]: 2048
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 2048-byte ICMP Echos to 21.233.41.22, timeout is 2 seconds:
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 33/33/76 ms
=== OutPut 2==
ROU#ping
Protocol [ip]:
Target IP address: 21.233.179.241
Repeat count [5]: 1000
Datagram size [100]: 1481
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 1481-byte ICMP Echos to 21.233.179.241, timeout is 2 seconds:
Success rate is 98 percent (984/1000), round-trip min/avg/max = 69/70/175 ms
===
Best Regards,
Hi,
I think you should move this post to the appropriate section because I don't see any relationship with IPv6 here.
Hi, if you had an MTU problem, all your packets should be dropped, and you would have to set the DF-bit in the extended ping to test, because by default, if the DF bit is not set, the routers will fragment the packets.
Regards.
Alain.
-
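The arithmetic from the GRE post and the ping thread above, as an added Python example (not code from any poster): `tunnel_ip_mtu` reproduces the 1500 - 24 = 1476 calculation, and `fragment` shows what happens to a datagram larger than the MTU with the DF bit clear or set. It assumes IPv4 headers without options; the function names are illustrative.

```python
IPV4_HEADER = 20    # bytes, IPv4 header without options (assumption)
GRE_OVERHEAD = 24   # bytes, the figure used in the GRE post above

def tunnel_ip_mtu(physical_ip_mtu, overhead=GRE_OVERHEAD):
    """IP MTU left for passenger packets once the tunnel headers are added."""
    return physical_ip_mtu - overhead

def fragment(total_len, mtu, df=False):
    """Total lengths of the IPv4 packets sent for one datagram.

    Returns [] when the datagram exceeds the MTU and DF is set: the router
    drops it instead of fragmenting.
    """
    if mtu < IPV4_HEADER + 8:
        raise ValueError("MTU too small to carry a fragment")
    if total_len <= mtu:
        return [total_len]
    if df:
        return []
    payload = total_len - IPV4_HEADER
    sizes = []
    while payload > 0:
        chunk = min(payload, mtu - IPV4_HEADER)
        if chunk < payload:
            chunk -= chunk % 8   # fragment offsets are counted in 8-byte units
        sizes.append(IPV4_HEADER + chunk)
        payload -= chunk
    return sizes

if __name__ == "__main__":
    print(tunnel_ip_mtu(1500), tunnel_ip_mtu(1400))
    # Datagram sizes from the ping outputs above, against a 1480-byte MTU.
    for size in (2048, 1481):
        print(size, "DF clear:", fragment(size, 1480), "DF set:", fragment(size, 1480, df=True))
```

With DF clear, both ping sizes from the thread are split into two packets and delivered, which is why a large ping alone does not reveal an MTU limit.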
Asha 503: problem regarding Wifi
Hi,
When I connected my handset to wifi and wanted to browse through Nokia express browser or Nokia store, it showed 'Connecting Secure Connection' and a busy symbol, but nothing happened and no data transfer happened, as I can see through my wifi router. Data transfer started only when I tried to browse any page through Opera Mini.
But when I connected my handset through 3G, everything ran like butter.
What is wrong with me? Is it my handset or Asha OS? I am a bit confused. Is there any way to solve my problem?
Abi99 wrote:
Please, just confirm my assumptions. Otherwise I might go the wrong direction.
GSM and 3G/UMTS: Nokia Store, Nokia Xpress, and Opera Mini work
Wi-Fi: only Opera Mini works
Yes. Your understanding regarding this is absolutely correct.
Abi99 wrote:
MTU problems can affect single device combinations. It is near to impossible to rule that out with another mobile phone. You use your computer as Wi-Fi access-point. Correct?
Yes friend, I am using my computer as a Wifi access point.
Abi99 wrote:
Which Wi-Fi hotspot software do you use and which Windows is that (XP, 7, 8, Professional, Ultimate, …)? If you are using your computer, you could use a tool like Wireshark to monitor the network traffic.
My Windows is Win7 (64bit, Home Premium).
For the Wifi hotspot I am not using any application software yet. What I found is that Win7 has a built-in capability to become a Wifi hotspot. Remember that it isn't an ad-hoc network.