[j-nsp] GRE Tunnel bet JUNIPER and CISCO
Giuliano Cardozo Medalha
2010-11-03 13:04:02 UTC
People,

We are trying to close a GRE tunnel between juniper and Cisco routers
without success.

We have tried a lot of MTU configurations but the traffic is suffering a
lot ... sometimes slow, sometimes some pages do not open.

Have you ever configured something like this before ?

Any tip or configuration related to best practices ?

Thanks a lot,

Giuliano
masood
2010-11-03 13:41:20 UTC
Generally, this issue is related to MTU and fragmentation. If you have a
problem with loading web pages and slow TCP response, you had better try
adjusting the tcp-mss settings on your Cisco router. You can use the following
command under the tunnel interface; most of the time it works for me :)

interface tunnelX
ip tcp adjust-mss 1436


On juniper side you can add the following knobs under the gr interface conf


gr-x/x/x {
    unit x {
        clear-dont-fragment-bit;
        reassemble-packets;
        tunnel {
            path-mtu-discovery;
        }
    }
}

Thanks

BR//
Masood
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
juniper
2010-11-03 13:21:04 UTC
Hi Giuliano,

We have configured that like:

CISCO:
---------
interface Tunnel0
ip address 172.20.1.1 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 192.168.1.2
tunnel path-mtu-discovery ---------------IMPORTANT

interface FastEthernet0/1
description LAN INTERFACE
ip address 10.0.0.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
!
interface FastEthernet0/0
description Internet Interface
ip address 192.168.1.1 255.255.255.0
ip access-group allow-gre in
ip nat inside
duplex auto
speed auto
!
!
ip access-list extended allow-gre
permit gre any any

JUNIPER
-----------

gr-0/2/0 {
    unit 0 {
        description "Tunnel GRE Cisco-Juniper";
        tunnel {
            source 192.168.1.2;
            destination 192.168.1.1;
        }
        family inet {
            mtu 1514;
            address 172.20.1.2/30;
        }
    }
}
Linder, Todd
2010-11-03 14:15:02 UTC
I recently had a similar issue between a Juniper and a Cisco router.
I resolved some of those symptoms by adjusting the TCP maximum segment
size. You may have to play with this setting until it yields the best
result. I used "ip tcp adjust-mss 1300" and applied it to the
interfaces used. This size seemed to yield the best results for my
scenario.


Todd Linder
Network Support Engineer
OneNet
Oklahoma's Telecommunications Network


Derick Winkworth
2010-11-03 18:15:37 UTC
Is this an encrypted GRE tunnel over the internet?

The "recommended" MTU is 1400 bytes on both ends. Use the
clear-dont-fragment-bit knob on the juniper side, and do "ip tcp mss-adjust
1360" on the Cisco side. Also on the Cisco side, ingress interfaces should have
a route-map applied to clear the df bit of the packets similar to the
following:


route-map clear-df-bit permit 10
set ip df 0

interface fa0/0
ip policy route-map clear-df-bit



Note that "crypto ipsec clear df" on the Cisco side does not work for traffic
passing through GRE tunnels, and you should not have this command enabled if
you are doing encrypted GRE tunnels. Similarly on the Juniper side, under the
ipsec-vpn rule you should not configure the clear-dont-fragment-bit option (I
forget the exact knob name, but it's there). The reason for this is that if you
configure path-mtu-discovery these options will break it.

As noted below, you may have to lower the MTU or the tcp-adjust depending on the
ciphers you are using.


As much as possible, you want to avoid fragmenting and reassembling GRE or IPsec
packets. I would lower the MTU and tcp mss-adjust until you stop seeing GRE and
IPSec fragmentation.

There are some odd bugs related to the clear-dont-fragment-bit option on the
Juniper end. If you are doing packet classification ingress on the router, all
packets must be classified with a loss-priority of "low." Otherwise packets
will get blackholed if the next-hop is over the GRE tunnel. I think this is
fixed in 10.0S8, but not in 10.0R4. Probably is fixed in 10.2R3, but I haven't
tested.





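The MSS numbers traded in this thread (1436 behind a 1500-byte path, 1360 for a 1400-byte tunnel MTU, and "lower depending on the ciphers") all fall out of the same header budget: whatever the tunnel adds on the outside has to come off the inside, or the outer packet exceeds the path MTU and is fragmented (or dropped when DF is set). The calculator below is an added example for this thread, not code or figures from any of the posters. The GRE and IPv4 header sizes are the standard ones without options; the ESP parameters (8-byte header, 16-byte IV, 16-byte cipher block, 12-byte ICV) are an assumption corresponding to AES-128-CBC with HMAC-SHA1-96 and are not values from the thread.

```python
"""Header-budget calculator for GRE and GRE-over-IPsec tunnels (added example)."""

IPV4_HDR = 20   # IPv4 header without options
GRE_HDR = 4     # GRE header with no checksum/key/sequence fields
TCP_HDR = 20    # TCP header without options
ESP_HDR = 8     # ESP SPI + sequence number


def gre_wire_size(inner_len: int) -> int:
    """Bytes on the wire after GRE-in-IPv4 encapsulation of an inner_len packet."""
    return inner_len + IPV4_HDR + GRE_HDR


def esp_tunnel_wire_size(inner_len: int, block: int = 16, iv: int = 16, icv: int = 12) -> int:
    """Bytes on the wire after ESP tunnel-mode encapsulation.

    Assumed cipher parameters (AES-128-CBC with HMAC-SHA1-96): 16-byte block,
    16-byte IV, 12-byte ICV. The ESP trailer (pad length + next header, 2 bytes)
    is padded so the encrypted part is a whole number of cipher blocks.
    """
    padded = -(-(inner_len + 2) // block) * block   # round up to a block boundary
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def gre_over_esp_wire_size(inner_len: int) -> int:
    """GRE inside ESP tunnel mode: the usual 'encrypted GRE over the internet' design."""
    return esp_tunnel_wire_size(gre_wire_size(inner_len))


def max_inner_size(path_mtu: int, wire_size) -> int:
    """Largest inner packet whose encapsulated form still fits the path MTU."""
    size = path_mtu
    while size > 0 and wire_size(size) > path_mtu:
        size -= 1
    return size


def recommended_mss(path_mtu: int, wire_size) -> int:
    """TCP MSS that keeps every full-sized segment unfragmented through the tunnel."""
    return max_inner_size(path_mtu, wire_size) - IPV4_HDR - TCP_HDR


def would_fragment(inner_len: int, path_mtu: int, wire_size) -> bool:
    """True if an inner packet of this size is fragmented by the tunnel (or dropped if DF is set)."""
    return wire_size(inner_len) > path_mtu


if __name__ == "__main__":
    for name, ws in (("plain GRE", gre_wire_size), ("GRE over ESP", gre_over_esp_wire_size)):
        print(f"{name}: max inner {max_inner_size(1500, ws)} bytes, MSS {recommended_mss(1500, ws)}")
```

With a 1500-byte path, plain GRE leaves 1476 bytes for the inner packet and therefore an MSS of 1436, which is exactly the Cisco value quoted above; adding ESP with the assumed cipher pulls the inner packet down to 1414 and the MSS to 1374, which is why a flat 1400/1360 is a safe round-number choice for an encrypted tunnel. Pass `lambda n: n` as `wire_size` to get the MSS for a bare interface MTU (1400 gives 1360).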
Ben Dale
2010-11-03 20:35:21 UTC
As others have mentioned, on the Cisco side you can use ip tcp adjust-mss 1436. On the Juniper side, I'm not sure how widely the reassemble-packets knob is supported across platforms, but the alternative is:

set security flow all-tcp mss 1436

The only downside is that this will adjust MSS on all traffic, not just GRE.

Cheers,

Ben
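Both knobs discussed in this thread, Cisco's ip tcp adjust-mss and Junos's set security flow all-tcp mss, do the same thing on the wire: when a TCP SYN passes through, the router rewrites the MSS option downward and corrects the TCP checksum, so the end hosts never send a segment that would need fragmentation inside the tunnel. The following is an added example of that rewrite on a constructed IPv4 SYN; it is not Cisco's or Juniper's implementation, and the addresses and ports are made up for the sample.

```python
"""TCP MSS clamping on an IPv4 SYN, in the style of 'ip tcp adjust-mss' (added example)."""
import socket
import struct

TCP_PROTO = 6
SYN_FLAG = 0x02
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 internet checksum (odd-length input padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_segment(packet: bytes):
    """Return (ihl, pseudo_header, tcp_segment) for an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    return ihl, pseudo, tcp


def tcp_mss_option(packet: bytes):
    """MSS advertised in the segment's TCP options, or None if absent."""
    _, _, tcp = _tcp_segment(packet)
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:          # single-byte padding option
            i += 1
            continue
        length = opts[i + 1]
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", opts, i + 2)[0]
        i += length
    return None


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct TCP checksum makes the sum over pseudo-header + segment come out to zero."""
    _, pseudo, tcp = _tcp_segment(packet)
    return ones_complement_sum(pseudo + tcp) == 0


def clamp_mss(packet: bytes, clamp: int) -> bytes:
    """Lower the MSS option of a TCP SYN to `clamp` and fix the TCP checksum.

    Non-TCP packets, non-SYN segments and SYNs already at or below the clamp
    are returned untouched, which is how the router knob behaves as well.
    """
    if packet[9] != TCP_PROTO:
        return packet
    ihl, pseudo, tcp = _tcp_segment(packet)
    if not tcp[13] & SYN_FLAG:
        return packet
    data_off = (tcp[12] >> 4) * 4
    opts = bytearray(tcp[20:data_off])
    i, changed = 0, False
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if kind == OPT_MSS and length == 4 and struct.unpack_from("!H", opts, i + 2)[0] > clamp:
            struct.pack_into("!H", opts, i + 2, clamp)   # rewrite in place, same length
            changed = True
        i += length
    if not changed:
        return packet
    # Zero the checksum field, then recompute it over pseudo-header + rewritten segment.
    new_tcp = tcp[:16] + b"\x00\x00" + tcp[18:20] + bytes(opts) + tcp[data_off:]
    csum = ones_complement_sum(pseudo + new_tcp)
    new_tcp = new_tcp[:16] + struct.pack("!H", csum) + new_tcp[18:]
    return packet[:ihl] + new_tcp


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample input: a minimal IPv4 TCP SYN carrying only an MSS option."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 6 << 4, SYN_FLAG, 65535, 0, 0) + opts
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    syn = build_syn("10.0.0.10", "172.20.1.2", 40000, 80, 1460)   # constructed sample
    clamped = clamp_mss(syn, 1436)
    print("MSS before", tcp_mss_option(syn), "after", tcp_mss_option(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

The clamp only ever lowers the option, never raises it, so a host that already advertises a small MSS (Todd's 1300, for instance) passes through unchanged; and because the option keeps its 4-byte length, the IP header and total length are untouched and only the TCP checksum needs recomputing. This is also the behaviour Ben's caveat refers to: a flow-level knob applies the rewrite to every SYN the device forwards, not just those headed into the GRE tunnel.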