A problem was reported to me with MS Exchange failing to connect server to server, which I traced (with a sniffer) to an MTU issue. Large frames, when encrypted, exceed the MTU for one of the Ethernet segments. The link is via a PIX 6.3 to an IOS router.
I tried various settings on the servers, following MS recommendations, but with no success. The PIX is issuing the ICMP unreachable following the receipt of a large frame. The PMTU detect doesn't appear to work and the black hole detection reduces the offered frame size, but not by enough to reduce the encrypted frame size to be sent to the Ethernet.
I found the `sysopt connection TCPmss nnnn' command; a similar command in IOS `sniffs' the TCP setup and injects the value set by the command. However, the PIX OS version doesn't make any difference.
My solution is to update the VPN router IOS at the remote site. Can anyone think of an alternative to this?
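Added example, not part of the original post: a small calculator for how much IPsec ESP tunnel-mode encapsulation grows a packet, and the largest TCP MSS that still fits the path MTU after encryption. The 1500-byte MTU, the cipher and HMAC choices, and all function names are assumptions, since the post does not give them.

```python
# Added example: ESP tunnel-mode overhead and the TCP MSS that avoids fragmentation.
# Cipher parameters and the 1500-byte MTU are assumptions; the post states neither.
OUTER_IP = 20     # outer IPv4 header, no options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte
NAT_T_UDP = 8     # UDP encapsulation header, present only with NAT traversal
INNER_HDRS = 40   # inner IPv4 (20) + TCP (20), no options

# cipher -> (block size, IV length) for CBC modes; auth -> truncated ICV length
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}
ICV = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


def _fixed_overhead(cipher, auth, nat_t):
    """Bytes added regardless of payload length (everything except padding)."""
    _, iv = CIPHERS[cipher]
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + ICV[auth]


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """On-the-wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    block, _ = CIPHERS[cipher]
    # Payload plus the 2-byte trailer is padded up to a whole number of blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return _fixed_overhead(cipher, auth, nat_t) + padded


def max_inner_packet(path_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet whose encrypted form still fits in path_mtu."""
    block, _ = CIPHERS[cipher]
    room = path_mtu - _fixed_overhead(cipher, auth, nat_t)
    return (room // block) * block - ESP_TRAILER


def max_tcp_mss(path_mtu, cipher, auth, nat_t=False):
    """MSS value to clamp to so full-size segments survive encryption unfragmented."""
    return max_inner_packet(path_mtu, cipher, auth, nat_t) - INNER_HDRS


if __name__ == "__main__":
    mtu = 1500  # assumed Ethernet MTU on the constrained segment
    for cipher in CIPHERS:
        full = esp_packet_size(mtu, cipher, "hmac-sha1-96")
        mss = max_tcp_mss(mtu, cipher, "hmac-sha1-96")
        print(f"{cipher}: a {mtu}-byte packet becomes {full} bytes; clamp MSS to {mss}")
```

Any MSS clamp or server-side MTU setting has to bring the inner packet down to the `max_inner_packet` figure, not just below the Ethernet MTU, which is why a small reduction can still leave the encrypted frame too large.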