[fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall

Date: 12/04/03

  • Next message: Adel Guia Cruz: "RE: [fw-wiz] How AAA in PIX Firewall ?"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 4 Dec 2003 11:23:35 +0000

    We have been suffering an issue to do with Checkpoint, Cisco GRE tunnels
    and MTU size for a number of months now, and I thought it might be worth
    posting a description of our problem on this list in case someone is able
    to help. We feel that we have exhausted most avenues of trying to
    troubleshoot this issue.

    What we are trying to do is route Internet traffic for remote branch office
    sites via our central office's Internet connection. As an example, we have
    a 2Mb AT&T Internet connection in our Paris office, connected to a 15Mb
    AT&T Internet connection in London. We run a Cisco GRE tunnel between a
    3640-VPN/MP router in Paris and a 7206VXR/G1 router in London. In London,
    we also have a Nokia IP530 appliance running a fresh install of Check Point
    NG:AI, connected to a 10Mb PSINet Internet connection.

    The Cisco GRE tunnel has a MTU size of 1420 set at both ends for it's
    tunnel interfaces. This is the highest we can use based on the
    encryption/encapsulation chosen in order to facilitate protocols such as
    OSPF from working over the link. All other interfaces along the way
    (router ethernets and Nokia interfaces) are set the default 1500.

    The problem is that users in the Paris branch office are unable to view
    _some_ websites. Examples of ones that don't work are www.yahoo.fr and
    www.adp.fr. The majority work fine, including www.cisco.com and

    When running a tcpdump on the IP530 in London (on the external interface),
    during a session from Paris to one of the offending websites, the following
    is logged:

    16:36:21.025051 O > icmp: unreachable
    - need to frag (mtu 1420)
    16:36:27.586541 I > . 1:1461(1460) ack
    249 win 63992 (DF)
    16:36:27.588356 O > icmp: unreachable
    - need to frag (mtu 1420)
    16:36:40.711277 I > . 1:1461(1460) ack
    249 win 63992 (DF)
    16:36:40.713043 O > icmp: unreachable
    - need to frag (mtu 1420)

    We have also noticed that the packet size of traffic received from
    offending sites seems to be 1514 bytes. For sites that work, i.e.
    cisco.com, it seems to be 1486 bytes.

    We have tried lots of things on the GRE tunnel configuration on our Cisco
    routers, including settings to ignore the Don't Fragment (DF) bit, and to
    force different MTU sizes. A long-running Cisco TAC case has not suggested
    any way around our problem.

    Can anyone explain the cause of this problem, and suggest anything that can
    be done on our Nokia/Check Point configuration to prevent this occurring?
    Out of interest, when we route the Internet traffic past the Nokia IP530
    firewall and onto an Internet connection at another downstream site, which
    uses a Cisco PIX firewall instead, the remote Paris users ARE able to
    browse the offending websites successfully. This indicates that it must be
    something to do with the Nokia/Check Point installation.

    Any comments or suggestions would be greatly received.


    "NOTICE:  The information contained in this electronic mail transmission is
    intended by Convergys Corporation for the use of the named individual or
    entity to which it is directed and may contain information that is
    privileged or otherwise confidential.  If you have received this electronic
    mail transmission in error, please delete it from your system without
    copying or forwarding it, and notify the sender of the error by reply email
    or by telephone (collect), so that the sender's address records can be
    firewall-wizards mailing list

  • Next message: Adel Guia Cruz: "RE: [fw-wiz] How AAA in PIX Firewall ?"