https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248213#M1118872 <P>Version 7.4.2.1 of FTD.&nbsp; Running FMC version 7.4.2.1</P><P>Thanks</P> Thu, 16 Jan 2025 17:40:58 GMT Ricky Sandhu 2025-01-16T17:40:58Z https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248155#M1118865 <P>Hi all,&nbsp; I have a client PC which occasionally needs to upload large amount of data to a server at another company who we have an IPSEC VPN tunnel with.&nbsp; I have attached a rough drawing of this setup.&nbsp; We recently upgraded from an ASA to Cisco FTD appliance.&nbsp; Client is sitting on the internal network connected to E1/1 and the VPN appliance sits inside the DMZ.&nbsp; I am running into issues with the MTU.&nbsp; From the client, I can't ping the server with packets larger than 1379 bytes.&nbsp; Smaller packets have no issues getting through.</P><P>I understand IPSEC adds additional overhead which should be taken into account.&nbsp; In the past, on IOS routers, I have been able to configure things like path MTU, and even decreased TCP MSS down to 1360 bytes but I have no idea how to do this on the FTD.&nbsp; I did refer to Cisco documents and configured Flex policy where I changed the default TCPMSS on the FTD to 1360 however client is still having issues.&nbsp; What am I doing wrong?&nbsp; Please advise.&nbsp; Thank you for your support.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MTL-VPN.png" style="width: 702px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/237735i6604370C23B8EB02/image-dimensions/702x445?v=v2" width="702" height="445" role="button" title="MTL-VPN.png" alt="MTL-VPN.png" /></span></P> Thu, 16 Jan 2025 15:42:17 GMT https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248155#M1118865 Ricky Sandhu 2025-01-16T15:42:17Z https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248199#M1118871 <P>Version?&nbsp; Platform?&nbsp; FMC or FDM?</P> Thu, 16 Jan 2025 17:22:48 GMT https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248199#M1118871 ahollifield 2025-01-16T17:22:48Z https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248213#M1118872 <P>Version 7.4.2.1 of FTD.&nbsp; Running FMC version 7.4.2.1</P><P>Thanks</P> Thu, 16 Jan 2025 17:40:58 GMT https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248213#M1118872 Ricky Sandhu 2025-01-16T17:40:58Z https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248959#M1118915 <H5 class="title sectiontitle">Each VPN have it PMTU to dynamically adjust the MTU<BR />the config of PMTU you can find in IPsec setting&nbsp;&nbsp;</H5> <H5 class="title sectiontitle">Advanced &gt; IPsec &gt; IPsec Settings</H5> <DL class="dl"> <DT class="dt dlterm">Enable Fragmentation Before Encryption</DT> <DD class="dd">This option lets traffic travel across NAT devices that don’t support IP fragmentation. It doesn’t impede the operation of NAT devices that do support IP fragmentation.</DD> <DT class="dt dlterm">Path Maximum Transmission Unit Aging</DT> <DD class="dd">Check to enable Path Maximum Transmission Unit (PMTU) Aging, the interval to reset the PMTU of a Security Association (SA).</DD> <DT class="dt dlterm">Value Reset Interval</DT> <DD class="dd">Enter the number of minutes at which the PMTU value of an SA is reset to its original value. Valid range is 10 to 30 minutes, default is unlimited.</DD> </DL> Sat, 18 Jan 2025 13:53:54 GMT https://community.cisco.com/t5/network-security/mtu-issues-with-a-vpn-appliance-connecting-through-ftd/m-p/5248959#M1118915 MHM Cisco World 2025-01-18T13:53:54Z