This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GRE tunnel issue with packet size

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GRE tunnel issue with packet size

Lukasz_1
L0 Member

‎08-30-2024 11:23 AM

Hello,

I am migrating old ASA to Palo Alto PA-440, one of the things i am trying to migrate is IPsec tunnel, that Ipsec tunnel carries only two remote hosts which are sources and destination for GRE endpoint on Cisco Switches. When i try to migrated it users complained about the unable to ssh to end hosts, when we tried to ping with the -df bit set and mtu set to 1368 it was working, but if we try to traceroute from end host to end hosts packets were not making over. My topology looks like the following:

Cisco_SWITCH(BGP, with GRE Tunnel) <---> PaloAlto PA-440 (IPsec tunnel, interesting traffic match tunnel source and destination) <--> Cisco ASA 5505 (IPsec Tunnel, intresting traffic tunnel source and destination) <--> Cisco_SWITCH(BGP, with the GRE TUnnel)

When ever users tries to ping or use https/http sites, ssh packets are lost, users not able to browse or ssh to other site of the tunnel. 

When i check the policy on PA i see bunhc of ips with destination or source of the GRE tunnel ends. Also i tried to lower MTU values on PA site (MTU on Tunnel site are alredy set to 1400) i went and lower it down MTU on ipsec tunnel on PA to 1368, but still not go. 

Anyone is doing similar to this set up, i want to add it that this is migration from ASA5505 to PA, when backout was executed to ASA everything is back to normal, NATttin is done to exclude those IPs of head end tunnels. In my understanding all packets would be encapsulated inside of GRE tunnel on Cisco Switches, correct? If that would be case why i see IPs pn policy that targetting the end tunnel? Any help would be very approciated it. 

0 Likes Likes
0 REPLIES 0
  • 281 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks