swits1109
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 10, 2016 6:03 pm

GRE Tunnel - TCP or UDP

Tue Dec 04, 2018 5:03 am

I've been having a hell of a time with VPN tunnels lately. ATT uverse modems seem to be actively blocking IPSEC and almost every type of VPN tunnel except PPTP, which was working for several years until recently, and it now no longer works. ATT released a firmware update to the modem which blocks it. Now, I tried OVPN but the performance was TERRIBLE! We are pushing video from 10 live HD cameras, and there was lots of packet loss and just strange dropouts that don't exist with PPTP. PPTP worked perfectly but OVPN didn't work reliably at all. I assume this is because of the TCP-over-TCP problem. PPTP ping times were a consistent 70ms. OVPN was 150ms-250ms, all over the place. Internet is not the problem, as there is very solid gigabit fiber at both sites; just the originating site has a pesky ATT modem with blocking.

I finally got everything switched over to GRE which does indeed work through the ATT modem. Throughput seems fine, but I am noticing dropouts. This isn't nearly as bad as the OVPN, but every few minutes a camera will drop out for 5 seconds then come back online. This didn't happen with PPTP. We are also not using IPSEC, just straight GRE. Does GRE have the same TCP-over-TCP problem, or is there any way to get better performance from it?
 
vecernik87
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: GRE Tunnel - TCP or UDP

Tue Dec 04, 2018 5:40 am

GRE (IP protocol 47) is neither TCP (IP protocol 6) nor UDP (IP protocol 17).

GRE does not contain any mechanism for reliability checks like TCP (which guarantees that data will come valid and in order, or not at all) or UDP (which guarantees that data will come valid or not at all).
GRE has OPTIONAL fields for checksum and sequence number. However, if those fields are used and the receiving router finds they are wrong (either the sequence number shows an out-of-order packet or the checksum shows a malformed packet), then the packet SHOULD be discarded. GRE will not ask for packet re-transmission.

In terms of your issue, it shouldn't really be caused by GRE, as it does not suffer from any issues like TCP-based VPNs. GRE simply encapsulates the packet in another header and sends it to the destination. All flow control is left to the receiver/transmitter of the original packets.
I would recommend running ping on both the outer and inner IP to confirm whether there really is a drop and where it originates. In addition, you can further check the issue by running a packet sniffer to see if packets really stop coming.
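
The header behaviour described in the reply above, as an added example that is not part of the thread: a Python parser for the GRE header (RFC 2784, with the RFC 2890 key and sequence fields) and the receiver's deliver-or-drop decision. All function names and packets are constructed for illustration, and the sequence comparison is simplified (it ignores counter wraparound).

```python
import struct

C_BIT, K_BIT, S_BIT = 0x8000, 0x2000, 0x1000  # checksum / key / sequence present

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the algorithm GRE's checksum field uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_gre(payload: bytes, proto: int = 0x0800, seq=None, checksum=False) -> bytes:
    """Build a constructed GRE packet for the demo (not taken from a capture)."""
    flags = (C_BIT if checksum else 0) | (S_BIT if seq is not None else 0)
    opt_seq = struct.pack("!I", seq) if seq is not None else b""
    pkt = struct.pack("!HH", flags, proto) + (b"\0" * 4 if checksum else b"") + opt_seq + payload
    if checksum:  # computed over header + payload with the checksum field zeroed
        pkt = pkt[:4] + struct.pack("!H", inet_checksum(pkt)) + pkt[6:]
    return pkt

def parse_gre(pkt: bytes) -> dict:
    """Parse the 4-byte base header plus whichever optional words the flags announce."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007:  # low three bits are the version; PPTP's enhanced GRE is version 1
        raise ValueError("not GRE version 0")
    out = {"proto": proto, "checksum_ok": None, "key": None, "seq": None}
    off = 4
    for bit, name in ((C_BIT, "checksum_ok"), (K_BIT, "key"), (S_BIT, "seq")):
        if flags & bit:
            if len(pkt) < off + 4:
                raise ValueError("optional field truncated")
            word = struct.unpack("!I", pkt[off:off + 4])[0]
            out[name] = (inet_checksum(pkt) == 0) if bit == C_BIT else word
            off += 4
    out["payload"] = pkt[off:]
    return out

def receive(pkt: bytes, last_seq=None) -> str:
    """Receiver decision: deliver or silently drop. GRE never requests a resend."""
    hdr = parse_gre(pkt)
    if hdr["checksum_ok"] is False:
        return "drop: bad checksum"
    if hdr["seq"] is not None and last_seq is not None and hdr["seq"] <= last_seq:
        return "drop: out of order"
    return "deliver"
```

A packet built with no optional fields (plain GRE, flags 0) is always delivered by `receive`, because there is nothing in the header to check.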
 
swits1109
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 10, 2016 6:03 pm

Re: GRE Tunnel - TCP or UDP

Wed Dec 05, 2018 9:25 pm

So I have confirmed that the GRE tunnel stays up and does not drop. Pings run fine for a full day without dropping. The problem was that traffic drops randomly.

One thing I noted is that GRE uses a LOT less CPU than PPTP. A HEX router would run at 60% CPU when pushing only 25mb/s through PPTP. Through GRE, the same traffic keeps CPU only around 8%! Granted, there's no IPSEC here.

The solution to this seems to be the MTU. When I set the MTU to be 1500 like in this screenshot, it seems to work fine. Still some dropouts, but rare.