The HTTP service does not work normally after a GRE VPN has been built, because the path MTU does not match.

Publication Date:  2012-09-21
Issue Description
PC1---VPN gateway1---VPN gateway2---PC2
In the networking above, a GRE tunnel has been built between VPN gateway1 and VPN gateway2, and PC1 and PC2 communicate through this tunnel.
After the GRE tunnel has been built successfully, PC1 and PC2 can ping each other, but PC2 cannot access the web server provided by PC1.
Alarm Information
none
Handling Process
Set the MTU of the VPN gateway's outgoing interface to 1500-4-20=1476 bytes (or less), so that VPN gateway1 returns the ICMP unreachable message with "MTU of next hop: 1476".
PC2 will then send packets no larger than 1476 bytes. When these packets arrive at VPN gateway1 and the GRE header and outer IP header are added, the length will not exceed 1500 bytes, so transmission succeeds. However, this only solves the downloading problem; if PC2 needs to upload large files to PC1, the outgoing interface MTU of VPN gateway2 must also be set to 1476 or less. Alternatively, the TCP MSS on the outgoing interface of VPN gateway1 can be changed to 1500-4-20-20 (TCP header) = 1456 bytes. In this way TCP applications such as HTTP are also guaranteed to work.
Root Cause
In the networking above, a GRE tunnel has been built between VPN gateway1 and VPN gateway2, and PC1 and PC2 communicate through this tunnel.
With this setup we find that when PC1 pings with a 1448-byte payload, the packets captured on PC2 have not been fragmented, but when PC1 pings with 1449 bytes, the packets have been fragmented. The IP packet from PC1 is 1448+8 (ICMP header)+20 (IP header) bytes long. It arrives at VPN gateway1 and is sent to the GRE tunnel interface, where a GRE header (4 bytes) and an outer IP header (20 bytes) are added, and it then reaches the outer Ethernet interface of the VPN gateway. The IP packet length becomes 1448+8+20+4+20=1500 bytes, exactly equal to the Ethernet interface MTU, so these packets can be transmitted successfully. When PC1 pings with 1449 bytes, however, the packet length becomes 1501 bytes at the outer Ethernet interface, exceeding the 1500-byte MTU; the DF bit of the packet is not set, so it may be fragmented, and the VPN gateway fragments the packet before sending it.
Because the application is ping, the packets may be fragmented, so connectivity is not a problem.
But PC2 needs to use the web server provided by PC1.
After an HTTP connection is established between PC1 and PC2, PC2 wants to download a large site. PC2 starts sending; the DF bit of the IP packets is 1, so fragmentation is not allowed, and the IP packet length is 1500 bytes. When they arrive at the outer Ethernet interface of VPN gateway1, VPN gateway1 finds that the packet length exceeds 1500 bytes, so the packets are discarded, and PC1 receives an ICMP destination unreachable message with the error code "Fragmentation needed", meaning that fragmentation is required but not permitted; at the same time the message indicates "MTU of next hop: 1500". After PC1 receives this message, it sends packets according to the 1500-byte value, and these packets are discarded again, so a loop is formed and communication is impossible.
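The packet-size arithmetic from Handling Process and Root Cause, and the path-MTU-discovery loop described above, as an added Python model (not from the original article or any vendor's code). It assumes the header sizes the article uses (20-byte IPv4 headers without options, a 4-byte GRE header, an 8-byte ICMP header, a 1500-byte Ethernet MTU) and models the gateway's drop-and-notify behaviour abstractly. The MSS helper subtracts the inner IP header as well as the TCP header, since an MSS counts only the TCP payload, so it gives 1436 rather than the 1456 figure quoted above.

```python
"""Added model of GRE encapsulation overhead and path MTU discovery (PMTUD).

Header sizes are assumptions matching the article: IPv4 without options,
GRE without optional fields, ICMP echo header, Ethernet MTU 1500.
"""

ETH_MTU = 1500   # MTU of the physical outgoing interface
IP_HDR = 20      # IPv4 header, no options
GRE_HDR = 4      # GRE header, no key/sequence/checksum fields
ICMP_HDR = 8     # ICMP echo header
TCP_HDR = 20     # TCP header, no options


def gre_tunnel_overhead() -> int:
    """Bytes added when a packet enters the GRE tunnel: GRE header + outer IP header."""
    return GRE_HDR + IP_HDR


def encapsulated_length(inner_ip_len: int) -> int:
    """Length of an inner IP packet after GRE encapsulation."""
    return inner_ip_len + gre_tunnel_overhead()


def ping_fits(payload: int, phys_mtu: int = ETH_MTU) -> bool:
    """True if an ICMP echo with this payload size crosses the tunnel unfragmented."""
    inner_len = payload + ICMP_HDR + IP_HDR
    return encapsulated_length(inner_len) <= phys_mtu


def recommended_interface_mtu(phys_mtu: int = ETH_MTU) -> int:
    """Largest inner packet that survives encapsulation: 1500 - 4 - 20 = 1476."""
    return phys_mtu - gre_tunnel_overhead()


def recommended_tcp_mss(phys_mtu: int = ETH_MTU) -> int:
    """TCP MSS that keeps a full-sized segment inside the tunnel MTU.

    An MSS counts only the TCP payload, so both the inner IP header and the
    TCP header are subtracted: 1476 - 20 - 20 = 1436.
    """
    return recommended_interface_mtu(phys_mtu) - IP_HDR - TCP_HDR


def simulate_pmtud(sender_size: int, advertised_mtu: int,
                   phys_mtu: int = ETH_MTU, max_rounds: int = 5) -> tuple:
    """Model a host sending DF=1 packets of `sender_size` bytes through the gateway.

    The gateway drops any packet whose encapsulated length exceeds `phys_mtu`
    and answers with ICMP "fragmentation needed, next-hop MTU = advertised_mtu".
    The sender adopts the advertised MTU only if it is smaller than what it is
    already using. Returns ("delivered", size, round) or ("loop", size, round).
    """
    size = sender_size
    for attempt in range(1, max_rounds + 1):
        if encapsulated_length(size) <= phys_mtu:
            return ("delivered", size, attempt)
        # ICMP type 3 code 4 comes back; if the advertised MTU is no smaller
        # than the size already in use, the sender repeats itself forever.
        if advertised_mtu >= size:
            return ("loop", size, attempt)
        size = advertised_mtu
    return ("loop", size, max_rounds)


if __name__ == "__main__":
    print("1448-byte ping fits:", ping_fits(1448))   # True
    print("1449-byte ping fits:", ping_fits(1449))   # False
    print("interface MTU:", recommended_interface_mtu())
    print("tcp mss:", recommended_tcp_mss())
    print("gateway advertises 1500:", simulate_pmtud(1500, 1500))
    print("gateway advertises 1476:", simulate_pmtud(1500, 1476))
```

The two `simulate_pmtud` calls reproduce the case: with the outgoing interface left at 1500 the gateway keeps advertising 1500, the host keeps resending 1500-byte packets and nothing is delivered; once the interface MTU is lowered to 1476 the host adopts that value on the first ICMP reply and the next packet fits exactly.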
Suggestions
Not only GRE but all other kinds of VPN add encapsulation headers in front of the original packet. The MTU value must be adjusted reasonably according to the actual situation to ensure that VPN services work normally.

END