I have a number of VPN sites where the MTU is lower than standard (1500). I have had at least one site where fragmentation of packets has had an effect on the success of building an IPSEC tunnel.

I am able to set the MTU on the equipment at the remote sites. However, at head office I wouldn't want to set the MTU to the lowest common denominator.

Is there a way of setting an MTU lower for traffic destined to a specific IP address?

Is fragmentation something I need to worry about for functioning VPN connections? Is it worth addressing this where I don't have problems?

HQ equipment is an ASA 5510. Remote sites have ASA 5505.

dunxd
  • Not that I know of... virtual tunnel interfaces would sure be nice. Try `crypto ipsec df-bit clear-df outside`, to let everything fragment? Also, do the tunnels successfully do path MTU discovery? (the `#PMTUs ...` line of the `sh crypto ipsec sa` command) – Shane Madden Aug 03 '11 at 19:44
  • Turn that into an answer and I can award you points! – dunxd Aug 04 '11 at 10:56
  • Nice, glad it helped! Was it the df-bit, or did the path discovery lead you in a direction that helped solve it? – Shane Madden Aug 04 '11 at 14:37
  • Actually, neither in the end. I ended up doing a manual test of the path MTU to all of my remote sites and found they were all 1300. So I didn't need to do what I thought. Still, learnt something though :-) – dunxd Aug 04 '11 at 15:08

1 Answer

Not that I know of... virtual tunnel interfaces would sure be nice.

Try `crypto ipsec df-bit clear-df outside`, to let everything fragment - this won't really fix MTU issues, but it'll work around them by letting packets fragment instead of dropping.

Also, do the tunnels successfully do path MTU discovery? MTU issues in the path should get a path MTU ICMP response, which should trigger the tunnel to dynamically adjust its MTUs (the `#PMTUs ...` line of the `sh crypto ipsec sa` command).

Shane Madden
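The manual path MTU test dunxd describes in the comments (which found 1300 at every remote site) and the path MTU discovery the answer relies on both come down to the same question: what is the largest IP packet that crosses the path with the Don't Fragment bit set? The script below is an added example, not code from the question, the answer, or Cisco; it binary-searches that size. It assumes a Linux host with iputils `ping` (`-M do` sets DF, `-s` sets the ICMP payload) and that an IPv4 echo adds 28 bytes of IP and ICMP header to the payload. A constructed simulated probe is included so the search logic can be exercised offline against a pretend 1300-byte path.

```python
"""Manual path MTU probe: binary search for the largest IPv4 packet that
crosses a path without fragmentation (DF bit set).

Added example; assumes Linux iputils ping for the real probe."""
import subprocess
from typing import Callable

# IPv4 header (20 bytes) + ICMP echo header (8 bytes); the ping -s value is
# the payload only, so IP packet size = payload + 28.
IP_ICMP_OVERHEAD = 28


def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Real probe: one ICMP echo with DF set and the given payload size.
    Returns True when a reply came back, i.e. payload + 28 fits the path.
    Assumes iputils ping flags: -c count, -W timeout, -M do (DF), -s size."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
         "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def make_simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df_probe: a fake path whose smallest
    link has the given MTU. Succeeds only when the whole IP packet fits."""
    def probe(payload: int) -> bool:
        return payload + IP_ICMP_OVERHEAD <= path_mtu
    return probe


def find_path_mtu(probe: Callable[[int], bool],
                  low: int = 576, high: int = 1500) -> int:
    """Largest IP packet size in [low, high] that the probe confirms.

    'low' is an IP packet size assumed to pass (576 is the IPv4 minimum
    every host must accept); 'high' is the local link MTU. Raises if even
    'low' fails, since then the path is broken rather than just small."""
    lo_payload = low - IP_ICMP_OVERHEAD   # known good (checked below)
    hi_payload = high - IP_ICMP_OVERHEAD  # candidate upper bound
    if not probe(lo_payload):
        raise RuntimeError(f"even {low}-byte packets do not pass with DF set")
    if probe(hi_payload):
        return high  # full-size packets pass, no PMTU restriction
    # Invariant: probe(lo_payload) is True, probe(hi_payload) is False.
    while hi_payload - lo_payload > 1:
        mid = (lo_payload + hi_payload) // 2
        if probe(mid):
            lo_payload = mid
        else:
            hi_payload = mid
    return lo_payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # Offline demonstration against a constructed 1300-byte path.
    print("simulated path MTU:", find_path_mtu(make_simulated_probe(1300)))
    # Real use against a remote VPN peer (placeholder address):
    # print(find_path_mtu(lambda p: ping_df_probe("203.0.113.1", p)))
```

Run it against the outside address of each remote peer to get the number that `#PMTUs` in `sh crypto ipsec sa` should converge on; if the script reports a value below the interface MTU but the SA counters never show a PMTU update, something in the path is dropping the ICMP "fragmentation needed" messages and the `df-bit clear-df` workaround from the answer is the likely fallback.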