000035328 - If I connect via a tunnel what needs to be considered when connecting a core appliance to RSA Security Analytics?

Document created by RSA Customer Support Employee on Aug 19, 2017
Version 1

Article Content

Article Number: 000035328
Applies To: RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.4, 10.5, 10.6
Issue: When adding an appliance that has to connect through a tunnel, you may have to account for GRE (Generic Routing Encapsulation) and the MTU (Maximum Transmission Unit), and reconfigure the network interface MTU settings.
Cause: GRE packets and their headers are formed at the point of origination. The headers are 24 bytes in length. Depending on the original size of the packet, you may run into IP MTU problems during packet reassembly.
Resolution: For more information and examples, review the Cisco documentation on resolving IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC.
If a core appliance has to go through a tunnel to be added to the Security Analytics server and cannot connect because the tunnel is configured with a lower IP MTU, the MTU on the Security Analytics server network interface must be modified. This is configured in the /etc/sysconfig/network-scripts/ifcfg-<eth0> file as shown below.
[root@SA-SERVER ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
[root@SA-SERVER ~]# ifdown eth0
[root@SA-SERVER ~]# ifup eth0

<eth0> - The network interface receiving the traffic.
MTU=1320 - The MTU has been reduced to 1320. The default MTU is 1500, but here the tunnel has its IP MTU configured for 1296 bytes and not 1476 bytes; this leaves room for the 24 bytes of the GRE header. Check with the administrator of the tunnel to find out what the IP MTU is set to on the router.
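
The edit step above as a script, with a check to run after ifup. This is an added example, not part of the RSA article: `set_ifcfg_mtu`, `get_ifcfg_mtu` and `ping_payload_for_mtu` are hypothetical helper names, and the demo runs on a constructed temporary file rather than the real ifcfg-eth0.

```shell
#!/bin/sh
# Added example (not from the RSA article). Helper names are hypothetical.

# set_ifcfg_mtu FILE MTU: replace an existing MTU= line or append one,
# keeping a rollback copy at FILE.bak.
set_ifcfg_mtu() {
    file=$1; mtu=$2
    case $mtu in
        ''|*[!0-9]*) echo "MTU must be a whole number: '$mtu'" >&2; return 2 ;;
    esac
    # 68 is the IPv4 minimum MTU; 65535 is the largest IPv4 packet.
    if [ "$mtu" -lt 68 ] || [ "$mtu" -gt 65535 ]; then
        echo "MTU $mtu is outside 68-65535" >&2; return 2
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    if grep -q '^MTU=' "$file"; then
        sed "s/^MTU=.*/MTU=$mtu/" "$file.bak" > "$file"
    else
        # Terminate the last line first if it has no trailing newline.
        if [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
        printf 'MTU=%s\n' "$mtu" >> "$file"
    fi
}

# get_ifcfg_mtu FILE: print the configured MTU (quoted or unquoted value).
get_ifcfg_mtu() {
    sed -n 's/^MTU="\{0,1\}\([0-9]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# ping_payload_for_mtu MTU: ICMP payload size that makes one IPv4 packet of
# exactly MTU bytes (20-byte IP header + 8-byte ICMP header).
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Demo on a constructed ifcfg file (sample content, not a real system file).
demo=$(mktemp)
printf 'DEVICE=eth0\nONBOOT=yes\nMTU=1500\n' > "$demo"
set_ifcfg_mtu "$demo" 1320
echo "MTU is now $(get_ifcfg_mtu "$demo")"
# After ifdown/ifup, probe the path with fragmentation prohibited (Linux ping):
echo "ping -M do -c 3 -s $(ping_payload_for_mtu 1320) <core-appliance-address>"
rm -f "$demo" "$demo.bak"
```

If the probe reports that the message is too long or that fragmentation is needed, packets of that size do not cross the tunnel unfragmented, and the value should be revisited with the tunnel administrator.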