Re: [SQU] More on WCCP and truncated GRE packets. --HELP

From: Henrik Nordstrom <>
Date: Thu, 14 Dec 2000 08:47:08 +0100

Nathan Lewis wrote:

> 17:24:28.880017 eth0 < gre-proto-0x883E (gre encap)
> 17:24:29.183191 eth0 < truncated-ip - 24 bytes missing!gre-proto-0x883E (gre encap)

> truncated packets start coming in - ip_wccp ignores them - no
> unencapsulated packets come through.

Your problem very much looks like the IOS problem another user found
some month ago.

He found WCCP a Cisco 2621 gave truncated packets when using certain IOS
version, sometimes even down to the IP header of the encapsulated

From trying different IOS versions he found that:

  IOS 12.1-3a did not work and gave truncated packets

  IOS 12.0-7T and IOS 12.1-5 worked fine.

One example of a serverely truncated packet:

16:25:02.006781 < truncated-ip - 28 bytes missing!gre XX.XX.XX.XX
XX.XX.XX.XX: [] gre-proto-0x883E (ttl 255, id 146)
                  4500 004a 0092 0000 ff2f 1af4 XXXX XXXX
                  XXXX XXXX 0000 883e 4500 0028 c717 4000
                  7e06 9a62 XXXX XXXX 0000 0000 0000

And the few packets that got thru the router non-truncated quite often
had a couble of random garbage appended after the encapsulated packet.

Example with 2 bytes of garbage:

16:25:01.403410 < gre XX.XX.XX.XX > XX.XX.XX.XX: [] gre-proto-0x883E
(ttl 255, id 144)
                  4500 0046 0090 0000 ff2f 1afa XXXX XXXX
                  XXXX XXXX 0000 883e 4500 002c 5120 4000
                  1e06 db58 XXXX XXXX cff6 90ce 060a 0050
                  0072 f010 0000 0000 6002 2000 50f6 0000
                  0204 05b4 6a2f

The above tcpdumps are using the -x option to have the received packet
dumped, and -s 1600 to make sure all of the packet is captured.

And MTU should rarely cause problems like this. It might cause
fragmented packets and performance loss, but not truncated packets. I
don't know at which level Cisco performs the fragmentation when doing
GRE encapsulation (i.e. if before encapsulation, or after), but it
should work either way. From a TCP/IP point of view if would be best if
the fragmentation was done on the original packet and honouring the DF
bit. This way MSS detection would work just as usual.

Henrik Nordstrom
Squid hacker
To unsubscribe, see
Received on Thu Dec 14 2000 - 01:27:37 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:58 MST