TMS zl Management and Configuration Guide ST.1.1.100430
7-187
Virtual Private Networks
Generic Routing Encapsulation (GRE) Concepts
Similarly, when you configure a redundant GRE tunnel, you must configure
routes to remote networks through the redundant tunnel interface as well.
However, to ensure that the primary tunnel is used whenever possible, you
should configure the routes that use the redundant tunnel as floating static
routes (or floating default routes), which have a higher administrative distance
(or the same administrative distance and a higher metric) than a primary
static route or a higher administrative distance than a primary dynamic
route.
Maximum Segment Size (MSS) for TCP Connections
As you learned, a GRE header is added to packets sent over a GRE tunnel. The
GRE header increases the size of the total frame and may make the packet
larger than the maximum transmission unit (MTU) of a router that lies
between the module and the remote tunnel endpoint. In that case, and if the
router does not allow fragmentation, the router will drop the frame, interfering
with communication across the tunnel.
To avoid this problem, you should configure the TMS zl Module to negotiate
a smaller maximum segment size (MSS) for TCP connections associated with
traffic sent over the GRE tunnel. For example, suppose that the smallest MTU in
the path between the TMS zl Module and the remote tunnel endpoint is 1500 bytes. The
GRE header and the delivery IP header add 24 bytes to packets in addition to
the 40 bytes added by standard TCP and IP headers. In this case, set the MSS
to 1436 bytes or smaller. (When you use GRE with IPsec, you must set the MSS
smaller still.) You set the MSS on the Advanced tab of the firewall access policy
associated with traffic sent over the GRE tunnel.
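The MSS arithmetic above, worked through in Python as an added example (this is not code from the guide or from the TMS zl Module). Header sizes are the standard ones from RFC 791, RFC 793, RFC 2784 and RFC 2890; because the guide gives no figure for the IPsec case, that overhead is left as a caller-supplied assumption.

```python
"""Deriving a TCP MSS for traffic carried over a GRE tunnel.

The guide's case: a 1500 byte path MTU, a 4 byte GRE header with no optional
fields and a 20 byte delivery IP header (24 bytes of tunnel overhead), plus the
40 bytes of inner IP and TCP headers, gives an MSS of 1436 bytes.
"""
from dataclasses import dataclass

IPV4_HEADER = 20      # IPv4 header without options (RFC 791)
TCP_HEADER = 20       # TCP header without options (RFC 793)
GRE_BASE_HEADER = 4   # mandatory GRE header (RFC 2784)


@dataclass(frozen=True)
class GreOptions:
    """Optional GRE fields; each one present adds 4 bytes to the header."""
    checksum: bool = False   # Checksum + Reserved1 (RFC 2784)
    key: bool = False        # Key field (RFC 2890)
    sequence: bool = False   # Sequence Number field (RFC 2890)

    def header_length(self) -> int:
        return GRE_BASE_HEADER + 4 * (self.checksum + self.key + self.sequence)


def gre_overhead(opts: GreOptions = GreOptions()) -> int:
    """Bytes added to every inner packet: delivery IP header plus GRE header."""
    return IPV4_HEADER + opts.header_length()


def encapsulated_size(tcp_payload: int, opts: GreOptions = GreOptions(),
                      extra_overhead: int = 0) -> int:
    """Size of the delivery packet carrying one TCP segment of tcp_payload bytes.
    extra_overhead is an assumed figure for any further encapsulation (e.g. IPsec)."""
    return tcp_payload + TCP_HEADER + IPV4_HEADER + gre_overhead(opts) + extra_overhead


def would_be_dropped(tcp_payload: int, path_mtu: int,
                     opts: GreOptions = GreOptions(), extra_overhead: int = 0) -> bool:
    """True when a router with MTU path_mtu that refuses to fragment would drop the packet."""
    return encapsulated_size(tcp_payload, opts, extra_overhead) > path_mtu


def tcp_mss_for_tunnel(path_mtu: int, opts: GreOptions = GreOptions(),
                       extra_overhead: int = 0) -> int:
    """Largest TCP payload whose encapsulated packet still fits in path_mtu."""
    mss = path_mtu - (IPV4_HEADER + TCP_HEADER) - gre_overhead(opts) - extra_overhead
    if mss <= 0:
        raise ValueError("path MTU too small for the configured encapsulation")
    return mss


if __name__ == "__main__":
    print("MSS for 1500 byte path MTU over plain GRE:", tcp_mss_for_tunnel(1500))
    print("1460 byte segment dropped?", would_be_dropped(1460, 1500))
```

With the default 1460 byte MSS of an Ethernet host, the encapsulated packet is 1524 bytes and exceeds the 1500 byte MTU, which is exactly the drop the section describes.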
For more information on the TCP MSS, see the introduction to “Firewall
Access Policies” on page 4-22 of Chapter 4: “Firewall.”