|Applies To||RSA Product Set: Security Analytics, NetWitness Logs & Packets|
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.4, 10.5, 10.6
|Issue||When adding an appliance that has to connect through a tunnel, you may have to take GRE (Generic Routing Encapsulation) and the MTU (Maximum Transmission Unit) into account and reconfigure the network interface MTU setting.|
|Cause||GRE packets and their headers are formed at the point of origination. The headers are 24 bytes in length. Depending on the original size of the packet, you may run into IP MTU problems during packet reassembly.|
|Resolution||For more information and examples, review the Cisco documentation on resolving IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC.|
If a core appliance has to go through a tunnel to be added to the Security Analytics server and cannot connect because of a lower IP MTU in the tunnel configuration, the MTU on the Security Analytics server network interface needs to be modified. This is configured in the /etc/sysconfig/network-scripts/ifcfg-<eth0> file, as shown below.
[root@SA-SERVER ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
<eth0> - This is the network interface receiving the traffic.
MTU=1320 - The MTU has been reduced from the default of 1500 to 1320 because the tunnel has its IP MTU configured for 1296 bytes and not 1476 bytes; this leaves room for the 24 bytes of the GRE header. Be sure to check with the administrator of the tunnel to confirm what the IP MTU is set to on the router.
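
The MTU= change described above can also be applied without hand-editing in vi. The following is an added example, not RSA's code: the helper names set_ifcfg_mtu and get_ifcfg_mtu are hypothetical, the 68-9000 range check is an assumption, and the demo runs on a constructed temporary file rather than the live ifcfg-eth0.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helpers): set MTU= in an ifcfg file idempotently.

# Print the MTU configured in an ifcfg file; prints an empty line if unset.
get_ifcfg_mtu() {
    awk -F= '$1 == "MTU" { gsub(/[^0-9]/, "", $2); v = $2 } END { print v }' "$1"
}

# set_ifcfg_mtu FILE MTU: validate MTU, back up FILE, write a single MTU= line.
set_ifcfg_mtu() {
    local file=$1 mtu=$2 tmp
    # Accept only a plain decimal integer of at most four digits
    case $mtu in
        ''|*[!0-9]*|?????*) echo "invalid MTU: $mtu" >&2; return 2 ;;
    esac
    # Assumed sanity range: 68 (IPv4 minimum) up to 9000 (jumbo frames)
    if [ "$mtu" -lt 68 ] || [ "$mtu" -gt 9000 ]; then
        echo "MTU out of range (68-9000): $mtu" >&2; return 2
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Nothing to do if the file already carries this value
    if [ "$(get_ifcfg_mtu "$file")" = "$mtu" ]; then return 0; fi
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    # Drop every existing MTU= line, then append the new one
    grep -v '^MTU=' "$file" > "$tmp" || true
    echo "MTU=$mtu" >> "$tmp"
    # Write through the original inode so ownership and mode are preserved
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a constructed ifcfg file (not the live /etc/sysconfig copy)
demo=$(mktemp)
printf 'DEVICE=eth0\nONBOOT=yes\nMTU=1500\n' > "$demo"
set_ifcfg_mtu "$demo" 1320 && echo "MTU now: $(get_ifcfg_mtu "$demo")"
rm -f "$demo" "$demo.bak"
```

The value written to the file takes effect the next time the interface is brought up.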