Common Tunnel Issues

A number of tunnel-specific problems can arise when using a Core Transit tunnel service.

MTU / Fragmentation Problems

  • Cause: The added encapsulation overhead can cause packets to exceed the Maximum Transmission Unit (MTU) size.
  • Symptoms: Packet loss, slow or hanging connections, especially for large packets or HTTPS traffic.
  • Fix: Lower the MTU on tunnel interfaces (e.g., to 1400), enable TCP MSS clamping, or use Path MTU Discovery carefully.

A Note about Asymmetric Routing and MSS

If there is a chance your environment could experience asymmetric routing, keep these issues in mind as well. For instance, if your network has a standard 1500-byte MTU primary connection and a Core Transit tunnel as a secondary path, MSS clamping on the tunnel interface will not affect TCP SYN packets that ingress toward your network over the primary connection. This can create a problem for the asymmetric response packets that leave over the smaller-MTU tunnel path when the connection was initiated on the larger-MTU connection.

This can be solved in a few ways:

If you want to allow asymmetric traffic, you can apply the MSS adjustment on all interfaces.

If you don't want to lose those extra bytes of overhead, adjust MSS only on the tunnel, but ensure upstream routing is always active/standby so that the tunnel is never taking traffic at the same time as your native "primary" Internet connection.

NAT Traversal Issues

  • Cause: Many internet connections use NAT or CGNAT, which often interferes with GRE tunnels.
  • Symptoms: Tunnel fails to establish, or traffic is one-way.
  • Fix: Use a WireGuard or L2TP connection when connecting from behind NAT. NAT tracks the connections these protocols create, so return traffic is brought back to the device that initiated the connection.

Recursive Routing / Looping

  • Cause: Tunnel traffic being routed into itself (e.g., tunnel endpoint behind the same tunnel). This is the case when you have two default routes (one on the underlying connection and one into the tunnel).
  • Symptoms: Tunnel flaps, high latency, timeouts or loops.
  • Fix: Exclude tunnel destination IPs from being routed into the tunnel. You can do this by making a more specific route to the tunnel server endpoint IP, or with a policy route to match the tunnel traffic and push it out the underlying connection while all other traffic is tunneled.

Misconfigured Routing

  • Cause: Incorrect static routes or missing route redistribution.
  • Symptoms: Tunnel up, but no traffic passes, or traffic routes outside the tunnel.
  • Fix: Verify route tables, default routes, and policy-based routing rules.

BGP Session Will Not Establish

  • Cause: The BGP session does not have proper routing reachability. Core Transit BGP sessions use multihop because our side of the session always runs on a loopback interface rather than the directly attached tunnel interface.
  • Symptoms: BGP session will not establish.
  • Fix: Add an IPv4 /32 route into the tunnel toward the Core Transit BGP session IP. When you ping our BGP session IP address to confirm connectivity, ensure you are reaching it through the tunnel and not over the public internet.
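
The route checks from the Recursive Routing and BGP sections above, as an added example (not Core Transit tooling): a longest-prefix-match lookup over a route table that flags a tunnel endpoint routed into the tunnel and a BGP session IP that is not reached through it. The interface names (eth0, tun0), the addresses (documentation ranges) and the metrics are constructed assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Return the egress interface for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix).prefixlen, -metric, iface)
               for prefix, iface, metric in routes
               if addr in ipaddress.ip_network(prefix)]
    return max(matches)[2] if matches else None

def audit(routes, tunnel_if, endpoint_ip, bgp_peer_ip):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # The tunnel's own outer packets must leave on the underlying connection.
    if lookup(routes, endpoint_ip) == tunnel_if:
        findings.append("recursive: endpoint %s routes into %s" % (endpoint_ip, tunnel_if))
    # The multihop BGP session IP must be reached through the tunnel.
    if lookup(routes, bgp_peer_ip) != tunnel_if:
        findings.append("bgp: peer %s not reached via %s" % (bgp_peer_ip, tunnel_if))
    return findings

# Constructed sample values (assumptions, not Core Transit addresses).
ENDPOINT = "203.0.113.10"   # tunnel server endpoint IP
BGP_PEER = "192.0.2.1"      # BGP session (loopback) IP

# Two default routes; the tunnel default has the better metric.
BROKEN = [("0.0.0.0/0", "eth0", 100), ("0.0.0.0/0", "tun0", 10)]
# Only the underlying default; nothing steers the BGP session IP into the tunnel.
UNDERLAY_ONLY = [("0.0.0.0/0", "eth0", 100)]
# More specific /32 routes pin each destination to the correct interface.
FIXED = BROKEN + [(ENDPOINT + "/32", "eth0", 0), (BGP_PEER + "/32", "tun0", 0)]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("underlay-only", UNDERLAY_ONLY), ("fixed", FIXED)):
        print(name, audit(table, "tun0", ENDPOINT, BGP_PEER) or "ok")
```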

L2TP Tunnel Timing Out

  • Cause: Our L2TP system uses the idle-timeout setting, and it is set to 300 seconds (5 minutes).
  • Symptoms: L2TP tunnels time out on a regular interval (5 minutes).
  • Fix: Ensure traffic is being routed into the tunnel. If routing is correct and there are occasions of no input traffic (customer toward Core Transit), consider adding a probe to generate a packet more frequently than every five minutes. It's very unusual to not see any traffic, so ensure routing is correct if you see this issue.

L2TP Tunnel Being Dropped

  • Cause: An L2TP tunnel is configured on more than one client / customer device.
  • Symptoms: L2TP tunnel drops randomly and frequently.
  • Fix: Ensure there is not a second device configured with the same L2TP credentials. Only a single tunnel can be active at a time, and attempting to authenticate with two devices will cause the first device to lose connectivity when the second connects. It is the customer's responsibility to know where the tunnel is configured.

Geo IP Location Details are Incorrect

  • Cause: Your IP Addresses are not updated with the common Geo IP providers.
  • Symptoms: Denied access to some streaming resources, seeing web pages displayed in non-local languages.
  • Fix: If you control the IP space, update it with the Geo IP providers and/or add it to a Geo IP feed. If the IP space is Core Transit provided, open a case and we will update the Geo feed details for you. Please allow several weeks for Geo IP updates to disseminate to all Geo providers globally.

 

 

 

 
