CISCO官方配置手册GRE+Tunnel

TableofContentsWhyCan'tIBrowsetheInternetwhenUsingaGRETunnel?.....................................................................1DocumentID:13725................................................................................................................................1Introduction..........................................................................................................................................................1Prerequisites.........................................................................................................................................................1Requirements..........................................................................................................................................1ComponentsUsed...................................................................................................................................1Conventions............................................................................................................................................1PacketFragmentationandICMPMessages........................................................................................................1BlockedICMPMessages.....................................................................................................................................3Solutions.................................................................................................................................................3FurtherSolutions.....................................................................................................................................3RelatedInformation.............................................................................................................................................4Cisco−WhyCan'tIBrowsetheInternetwhenUsingaGRETunnel?iWhyCan'tIBrowsetheInternetwhenUsingaGRETunnel?DocumentID:13725IntroductionPrerequisitesRequirementsComponentsUsedConventionsPacketFragmentationandICMPMessagesBlockedICMPMessagesSolutionsFurtherSolutionsRelatedInformationIntroductionSometimeswhentrafficgoesthroughagenericroutingencapsulation(GRE)tunnel,youcansuccessfullyusethepingcommandandTelnet,butyoucannotdownloadInternetpagesortransferfilesusingFileTransferProtocol(FTP).Thisdocumentexplainsacommonreasonforthisproblem,andoffersseveralworkarounds.PrerequisitesRequirementsThisdocumentrequiresabasicunderstandingofGRE.RefertothefollowingdocumentstolearnmoreaboutGRE:GenericRoutingEncapsulation•TheConfiguringaGRETunnelsectionofSite−to−SiteandExtranetVPNBusinessScenarios•ComponentsUsedThisdocumentisnotrestrictedtospecificsoftwareandhardwareversions.Tofindadditionalinformationonthecommandsusedinthisdocument,usetheCommandLookupTool(registeredcustomersonly).ConventionsFormoreinformationondocumentconventions,seetheCiscoTechnicalTipsConventions.PacketFragmentationandICMPMessagesThisdocumentusesthefollowingnetworkdiagramasanexample:Cisco−WhyCan'tIBrowsetheInternetwhenUsingaGRETunnel?Inthediagramabove,whentheClientwantstoaccessapageontheInternet,itestablishesaTCPsessionwiththeWebServer.Duringthisprocess,theClientandWebServerannouncetheirmaximumsegmentsize(MSS),indicatingtoeachotherthattheycanacceptTCPsegmentsuptothissize.UponreceivingtheMSSoption,eachdevicecalculatesthesizeofthesegmentthatcanbesent.ThisiscalledtheSendMaxSegmentSize(SMSS),anditequalsthesmallerofthetwoMSSs.FormoreinformationaboutTCPMaximumSegmentSize,seeRFC879.Forthesakeofargument,let'ssaytheWebServerintheexampleabovedeterminesthatitcansendpacketsupto1500bytesinlength.Itthereforesendsa1500bytepackettotheClient,and,intheIPheader,itsetsthedon'tfragment(DF)bit.WhenthepacketarrivesatR2,theroutertriesencapsulatingitintothetunnelpacket.InthecaseoftheGREtunnelinterface,theIPmaximumtransmissionunit(MTU)is24byteslessthantheIPMTUoftherealoutgoinginterface.ForanEthernetoutgoinginterfacethatmeanstheIPMTUonthetunnelinterfacewouldbe1500minus24,or1476bytes.R2istryingtosenda1500byteIPpacketintoa1476byteIPMTUinterface.Sincethisisnotpossible,R2needstofragmentthepacket,creatingonepacketof1476bytes(dataandIPheader)andonepacketof44bytes(24bytesofdataandanewIPheaderof20bytes).R2thenGREencapsulatesbothofthesepacketstoget1500and68bytepackets,respectively.Thesepacketscannowbesentouttherealoutboundinterface,whichhasa1500byteIPMTU.However,rememberthatthepacketreceivedbyR2hastheDFbitset.Therefore,R2can'tfragmentthepacket,andinstead,itneedstoinstructtheWebServertosendsmallerpackets.ItdoesthisbysendinganInternetControlMessageProtocol(ICMP)type3code4packet(DestinationUnreachable;FragmentationNeededandDFset).ThisICMPmessagecontainsthecorrectMTUtobeusedbytheWebServer,whichshouldreceivethismessageandadjustthepacketsizeaccordingly.Note:RefertoImportantInformationonDebugCommandsbeforeyouusedebugcommands.WecanviewtheICMPmessagessentbyR2byenablingthedebugipicmpcommand:ICMP:dst(10.10.10.10)frag.neededandDFsetunreachablesentto10.1.3.4Cisco−WhyCan'tIBrowsetheInternetwhenUsingaGRETunnel?BlockedICMPMessagesAcommon