
mikrotik cisco gre

A GRE tunnel between a MikroTik and a Cisco has been set up between two offices. The MikroTik is in the central office, the Cisco in the branch.

If I run a ping from the central office to the branch, it goes through:

H:\>ping 196.192.1.200

Обмен пакетами с 196.192.1.200 по с 32 байтами данных:
Ответ от 196.192.1.200: число байт=32 время=9мс TTL=62
Ответ от 196.192.1.200: число байт=32 время=8мс TTL=62
Ответ от 196.192.1.200: число байт=32 время=9мс TTL=62
Ответ от 196.192.1.200: число байт=32 время=9мс TTL=62

A ping from the branch also goes through:

 ping 172.16.0.111
PING 172.16.0.111 (172.16.0.111): 56 data bytes
64 bytes from 172.16.0.111: icmp_seq=0 ttl=126 time=9.141 ms
64 bytes from 172.16.0.111: icmp_seq=1 ttl=126 time=8.887 ms
64 bytes from 172.16.0.111: icmp_seq=2 ttl=126 time=9.317 ms
64 bytes from 172.16.0.111: icmp_seq=3 ttl=126 time=9.127 ms

But if I try to connect over SSH, the connection does not go through. Wireshark on the client 172.16.0.111 shows:

8980	4.581345000	172.16.0.111	196.192.1.200	TCP	66	59204 > ssh [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
8992	4.590978000	196.192.1.200	172.16.0.111	TCP	66	ssh > 59204 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=64 SACK_PERM=1
8993	4.591002000	172.16.0.111	196.192.1.200	TCP	54	59204 > ssh [ACK] Seq=1 Ack=1 Win=65700 Len=0
9007	4.612588000	196.192.1.200	172.16.0.111	SSHv2	101	Server Protocol: SSH-2.0-OpenSSH_6.4_hpn13v11 FreeBSD-20131111\r
9008	4.612735000	172.16.0.111	196.192.1.200	SSHv2	75	Client Protocol: SSH-2.0-PuTTY_KiTTY\r
9009	4.612760000	172.16.0.111	196.192.1.200	SSHv2	726	Client: Key Exchange Init
9021	4.622653000	196.192.1.200	172.16.0.111	TCP	60	ssh > 59204 [ACK] Seq=48 Ack=694 Win=65024 Len=0
9022	4.623022000	196.192.1.200	172.16.0.111	TCP	138	[TCP Previous segment not captured] [TCP segment of a reassembled PDU]

The Cisco side:

show interfaces tunnel 23

Tunnel23 is up, line protocol is up
 Hardware is Tunnel
 Description: megafon_to_dm_microtik
 Internet address is 10.0.93.2/30
 MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
    reliability 255/255, txload 68/255, rxload 255/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel source 85.26.x.x (FastEthernet0/0), destination 91.216.x.x
  Tunnel Subblocks:
     src-track:
        Tunnel23 source tracking subblock associated with FastEthernet0/0
         Set of tunnels with source FastEthernet0/0, 3 members (includes iterators), on interface <OK>
 Tunnel protocol/transport GRE/IP
   Key disabled, sequencing disabled
   Checksumming of packets disabled
 Tunnel TTL 255, Fast tunneling enabled
 Tunnel transport MTU 1476 bytes
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
 Last input 00:00:16, output 00:01:24, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 87538
 Queueing strategy: fifo
 Output queue: 0/0 (size/max)
 5 minute input rate 103000 bits/sec, 24 packets/sec
 5 minute output rate 27000 bits/sec, 26 packets/sec
    20734093 packets input, 46703584 bytes, 0 no buffer
    Received 0 broadcasts (0 IP multicasts)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    20852206 packets output, 3088826801 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out

From the MikroTik:

 /interface> print detail
name="megafon" type="gre-tunnel" mtu=1476 l2mtu=65535 fast-path=no
/ip address> print detail
address=10.0.93.1/30 network=10.0.93.0 interface=megafon actual-interface=megafon 
/ip firewall filter> print  detail
Flags: X - disabled, I - invalid, D - dynamic 
0   ;;; out
    chain=output action=accept protocol=udp 

1   chain=output action=accept protocol=tcp 

2   ;;; Allow IPSec-esp
    chain=input action=accept protocol=ipsec-esp 

3   ;;; Allow IKE
    chain=input action=accept protocol=udp dst-port=500 

4   ;;; Allow IPSec-ah
    chain=input action=accept protocol=ipsec-ah 

5   ;;; icp_input
    chain=input action=accept protocol=icmp 

6   ;;; www
    chain=input action=accept protocol=tcp dst-port=80 

7   chain=input action=accept protocol=tcp dst-port=443 

8   ;;; access to winbox
    chain=input action=accept protocol=tcp in-interface=ether1 dst-port=8291 

9   chain=input action=accept protocol=tcp in-interface=ether2 dst-port=8291 

10   chain=input action=accept connection-state=new protocol=tcp dst-port=8291,65522 

11   ;;; dns
    chain=input action=accept protocol=udp dst-port=53 

12   chain=input action=accept protocol=tcp dst-port=53 

13   ;;; pptp
    chain=input action=accept protocol=tcp dst-port=1723 

14   ;;; gre
    chain=input action=accept protocol=gre 

15   chain=output action=accept protocol=gre 

16   ;;; sip
    chain=input action=accept protocol=udp dst-port=5060-5070 

17   chain=input action=accept protocol=tcp dst-port=5060-5070 

18   chain=input action=accept protocol=udp dst-port=17000-30000 

19   chain=input action=accept protocol=tcp dst-port=17000-30000 

20   ;;; ssh
    chain=input action=accept protocol=tcp dst-port=22 

21 X ;;; drop ssh brute forcers
    chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 

22 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=3h dst-port=22 

23 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 

24 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 

25 X chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 

26   ;;; drop_all
    chain=input action=drop protocol=tcp in-interface=ether1 

27   chain=input action=drop protocol=udp in-interface=ether1 

Edited by svetogor82


Try pinging with larger packets. :)


Set the MTU correctly on both sides...


Here it is from host 172.16.0.111:

H:\>ping 196.192.1.200 -l 1500

Обмен пакетами с 196.192.1.200 по с 1500 байтами данных:
Ответ от 196.192.1.200: число байт=1500 время=12мс TTL=61
Ответ от 196.192.1.200: число байт=1500 время=12мс TTL=61
Ответ от 196.192.1.200: число байт=1500 время=12мс TTL=61
Ответ от 196.192.1.200: число байт=1500 время=12мс TTL=61

And from host 196.192.1.200:

 ping -s 1500 172.16.0.111
PING 172.16.0.111 (172.16.0.111): 1500 data bytes
1508 bytes from 172.16.0.111: icmp_seq=0 ttl=126 time=12.606 ms
1508 bytes from 172.16.0.111: icmp_seq=1 ttl=126 time=12.511 ms
1508 bytes from 172.16.0.111: icmp_seq=2 ttl=126 time=12.463 ms
1508 bytes from 172.16.0.111: icmp_seq=3 ttl=126 time=12.354 ms

MTU с обоих сторон правильный выставить... (quoted: "Set the MTU correctly on both sides...")

The MTU is 1476 on both sides.


I set the MTU on both sides.

On the Cisco, 1416:

interface Tunnel23
description megafon_to_dm_microtik
ip address 10.0.93.2 255.255.255.252
ip mtu 1416
tunnel source FastEthernet0/0
tunnel destination 91.216.x.x

show interfaces tunnel 23

Tunnel23 is up, line protocol is up
 Hardware is Tunnel
 Description: megafon_to_dm_microtik
 Internet address is 10.0.93.2/30
 MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
    reliability 255/255, txload 91/255, rxload 168/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel source 85.26.x.x (FastEthernet0/0), destination 91.216.x.x
  Tunnel Subblocks:
     src-track:
        Tunnel23 source tracking subblock associated with FastEthernet0/0
         Set of tunnels with source FastEthernet0/0, 3 members (includes iterators), on interface <OK>
 Tunnel protocol/transport GRE/IP
   Key disabled, sequencing disabled
   Checksumming of packets disabled
 Tunnel TTL 255, Fast tunneling enabled
 Tunnel transport MTU 1476 bytes
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
 Last input 00:00:37, output 00:02:46, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 87984
 Queueing strategy: fifo
 Output queue: 0/0 (size/max)
 5 minute input rate 66000 bits/sec, 27 packets/sec
 5 minute output rate 36000 bits/sec, 29 packets/sec
    20934271 packets input, 102921436 bytes, 0 no buffer
    Received 0 broadcasts (0 IP multicasts)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    21077941 packets output, 3127305372 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out

But the Cisco still says "Tunnel transport MTU 1476 bytes".


We ran into a similar problem, only in our case the platform MTU was 1452 bytes, plus 48 bytes of headers. Try changing the MSS. Also, as a test, try raising the MTU on the link to 1500 bytes. It needs testing.

Share this post


Link to post
Share on other sites

My problem is solved:

interface Tunnel23
description megafon_to_dm_microtik
ip address 10.0.93.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination 91.216.x.x

After that the tunnel came up.
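To show why the pings crossed the tunnel while the SSH session stalled, here is a small Python model (an added example, not code from this thread) of a GRE endpoint's MTU decision, using the sizes from the posts above. It assumes an outer link MTU of 1500, plain IPv4/GRE headers without options, and that TCP sets DF while the ping commands shown do not.

```python
IP_HDR = 20                  # IPv4 header, no options
TCP_HDR = 20                 # TCP header, no options
ICMP_HDR = 8                 # ICMP echo header
GRE_OVERHEAD = IP_HDR + 4    # outer IPv4 + 4-byte GRE header (key/seq/checksum disabled, as on Tunnel23)


def tunnel_mtu(outer_link_mtu: int) -> int:
    """Largest inner IP packet that still fits the outer link once GRE-encapsulated."""
    return outer_link_mtu - GRE_OVERHEAD        # 1500 -> 1476, the value both routers report


def mss_for_ip_mtu(ip_mtu: int) -> int:
    """TCP MSS that keeps a full segment within a given IP MTU."""
    return ip_mtu - IP_HDR - TCP_HDR            # 1400 -> 1360, as in 'ip tcp adjust-mss 1360'


def tcp_packet_len(mss: int) -> int:
    """IP packet size of a full-MSS TCP segment."""
    return IP_HDR + TCP_HDR + mss


def icmp_echo_len(data_len: int) -> int:
    """IP packet size of an ICMP echo carrying data_len bytes (the ping -l / ping -s value)."""
    return IP_HDR + ICMP_HDR + data_len


def forward(inner_len: int, df: bool, outer_link_mtu: int = 1500) -> str:
    """Constructed model of the tunnel endpoint: a packet within the tunnel MTU is sent as is;
    an oversized packet is fragmented when DF is clear and dropped when DF is set (the
    endpoint then depends on an ICMP 'fragmentation needed' actually reaching the sender)."""
    limit = tunnel_mtu(outer_link_mtu)
    if inner_len <= limit:
        return "delivered"
    if not df:
        return "fragmented"
    return "dropped: DF set and %d > tunnel MTU %d" % (inner_len, limit)


if __name__ == "__main__":
    # the 32-byte ping from the thread fits easily
    print("ping 32 bytes:   ", forward(icmp_echo_len(32), df=False))
    # ping -l 1500 / ping -s 1500: oversized, but DF is clear, so it is fragmented and still answered
    print("ping 1500 bytes: ", forward(icmp_echo_len(1500), df=False))
    # SSH server reply at the negotiated MSS 1460: a 1500-byte packet with DF set, a black hole
    print("tcp mss 1460:    ", forward(tcp_packet_len(1460), df=True))
    # after 'ip tcp adjust-mss 1360' a full segment is 1400 bytes and fits
    print("tcp mss 1360:    ", forward(tcp_packet_len(1360), df=True))
```

The same arithmetic explains the "Previous segment not captured" line in the capture: the handshake and the small SSH banners fit, and the first full-size segment from the server is the one that never arrives.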


1460 is a working option...

Or yes, change the MSS.

Edited by myst


1460 рабочий вариант... Ну или да, менять MSS. (quoted: "1460 is a working option... Or yes, change the MSS.")

Confirmed: with MTU 1460 on the Cisco and the default MTU 1476 on the MikroTik, no problems are observed. I don't set the MSS anywhere.
