Cisco VPN MTU Issues

goulin1 (Technical User, AU)
Dec 5, 2006

Hi,

I am having issues with bringing up Cisco VPN sessions and I am sure that it is an MTU issue.

We have successfully been using IPSec over UDP to a VPN Concentrator which has a DSL Internet connection, and it has been working over all types of connections (including DSL).

We are now looking at using IPSec over TCP, using the same VPN Concentrator and DSL connection. It seems to work fine with users from cable/Ethernet type Internet connections, but doesn't work with users on DSL type connections.

I tried setting the user's MTU on the DSL modem to 1200 bytes and used the Set MTU utility to set the MTU to 576, but half of our applications won't work. When we were using 1300 bytes on the modem and 1200 on the client, nothing would work.

Is there an ideal setting for the MTU for DSL connections? I tried various combinations of MTUs but no luck.

Also, I got the following syslog message which is related:

6|Mar 07 2007 11:39:42|602101: PMTU-D packet 1420 bytes greater than effective mtu 1362, dest_addr=10.19.201.44, src_addr=172.19.88.40, prot=TCP

Hopefully someone has the answer.

Thanks,
goulin1
 
I have had a lot of problems with MTU on Cisco 870/1800 series. I have used the ping command to determine what MTU to use. Never had the problem with PIX/ASA and the only concentrator I have configured.

ping -f -l <mtu size> <ip>

The -f shows fragment information
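As an added example (not code from the thread or any of its posters), the following Python script automates the DF-set ping search described in this reply and also parses the 602101 PMTU-D syslog line from the original post to see how far the tunnel packets overshoot the effective MTU. The function names, the simulated probe and the Windows (`ping -f -l`) / Linux iputils (`ping -M do -s`) flag choices are my assumptions.

```python
import re
import subprocess
import sys

# IPv4 header (20) + ICMP echo header (8): ping payload + this = wire packet size.
ICMP_OVERHEAD = 28
# Constructed copy of the 602101 PMTU-D syslog line quoted in the thread.
SAMPLE_SYSLOG = ("6|Mar 07 2007 11:39:42|602101: PMTU-D packet 1420 bytes greater than "
                 "effective mtu 1362, dest_addr=10.19.201.44, src_addr=172.19.88.40, prot=TCP")
_PMTUD_RE = re.compile(r"PMTU-D packet (\d+) bytes greater than effective mtu (\d+)")

def parse_pmtud_message(line):
    """Packet size, effective MTU and the excess from a PMTU-D log line."""
    m = _PMTUD_RE.search(line)
    if not m:
        raise ValueError("not a PMTU-D message: " + line)
    pkt, eff = int(m.group(1)), int(m.group(2))
    return {"packet_bytes": pkt, "effective_mtu": eff, "excess_bytes": pkt - eff}

def df_ping_probe(host, payload):
    """One DF-set ping with this payload (Windows -f -l / Linux -M do -s); True on reply."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_max_payload(probe, lo=0, hi=1472):
    """Largest payload in [lo, hi] that passes with DF set (1472 fills a 1500-byte
    Ethernet frame). Assumes a fixed path MTU: probe passes up to a limit, fails above."""
    if probe(hi):
        return hi
    if not probe(lo):
        raise RuntimeError("even a %d-byte payload is dropped with DF set" % lo)
    while hi - lo > 1:  # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo

def simulated_probe(path_mtu):
    """Constructed stand-in for df_ping_probe: a path whose MTU is path_mtu."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu

def discover_path_mtu(probe):
    """Path MTU in bytes: largest passing payload plus IP/ICMP overhead."""
    return find_max_payload(probe) + ICMP_OVERHEAD
```

Against a real host, pass `lambda p: df_ping_probe("<concentrator ip>", p)` to `discover_path_mtu`; the simulated probe reproduces the 1362-byte effective MTU from the syslog line so the search can be checked offline.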
 
May want to try clearing the DF bit so the packet can be fragmented. Some applications may have it set.

crypto ipsec df-bit clear-df outside

 
NetworkGhost,

Thanks for the advice - the 'crypto ipsec df-bit clear-df' works perfectly. The funny thing was that the VPN hosts could access half the servers but not the other half - stupid Windows servers, probably wouldn't have happened if we used Unix. :p
 