PMTU-D packet 1420 bytes greater than effective mtu 1396,

Joe Montes — Mon, 11 Mar 2019 18:08:46 GMT

Hi there,

Recently received an ASA5510 for testing and just installed it on my home dsl service. I can go to certain web sites but on certain sites I can not. I've followed some of the postings and also this one, http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml.

I had a SonicWALL and a Netscreen firewal before and both of them just worked fine. I'm no ASA expert so apologies in advance.

ASA Version 8.3(1)
!
hostname asa
domain-name montes.com.au

names
!
interface Ethernet0/0
description external interface
speed 100
duplex full
nameif outside
security-level 0
pppoe client vpdn group tpg
ip address pppoe setroute
!
interface Ethernet0/1
description DV Network
speed 1000
duplex full
nameif inside
security-level 100
ip address 172.28.8.254 255.255.255.0
!
interface Ethernet0/2
description Cisco Virtual Office
speed 100
duplex full
nameif work
security-level 100
ip address 172.28.7.33 255.255.255.224
!
interface Ethernet0/3
description lab & test network
speed 100
duplex full
nameif lab
security-level 100
ip address 172.28.7.30 255.255.255.224
!
interface Management0/0
speed 100
duplex full
nameif mgmt
security-level 100
ip address 172.28.7.129 255.255.255.224
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name montes.com.au
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network L3_WLAN
subnet 172.28.7.160 255.255.255.224
description L3 WLAN
object network L1_WLAN
subnet 172.28.7.64 255.255.255.224
description L1 WLAN
object-group network DVNET_Network
network-object 172.28.7.0 255.255.255.224
network-object 172.28.7.128 255.255.255.224
network-object 172.28.7.32 255.255.255.224
network-object 172.28.8.0 255.255.255.0
network-object object L1_WLAN
network-object object L3_WLAN
access-list http-list2 extended permit tcp any any log
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended deny icmp any any
access-list 101 extended permit ip any any
!
tcp-map mss-map
!
pager lines 24
logging enable
logging timestamp
logging asdm debugging
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu work 1400
mtu lab 1400
mtu mgmt 1400
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (lab,outside) source dynamic any interface
nat (work,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic L1_WLAN interface dns
nat (inside,outside) source dynamic L3_WLAN interface dns
access-group 101 in interface outside
route inside 172.28.7.64 255.255.255.224 172.28.8.66 1
route inside 172.28.7.160 255.255.255.224 172.28.8.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 172.28.8.98 255.255.255.255 inside
http 172.28.7.0 255.255.255.224 lab
http 172.28.7.128 255.255.255.224 mgmt
http 172.28.7.32 255.255.255.224 work
http 172.28.8.0 255.255.255.0 inside
http redirect lab 80
http redirect work 80
http redirect mgmt 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group tpg request dialout pppoe
vpdn group tpg localname jmontes
vpdn group tpg ppp authentication pap
vpdn username jmontes password *****
dhcpd address 172.28.8.159-172.28.8.171 inside
dhcpd dns 203.12.160.35 203.12.160.36 interface inside
!
dhcpd address 172.28.7.40-172.28.7.41 work
dhcpd dns 203.12.160.35 203.12.160.36 interface work
dhcpd enable work
!
dhcpd address 172.28.7.5-172.28.7.6 lab
dhcpd dns 203.12.160.35 203.12.160.36 interface lab
dhcpd enable lab
!
dhcpd address 172.28.7.135-172.28.7.136 mgmt
dhcpd dns 203.12.160.35 203.12.160.36 interface mgmt
dhcpd enable mgmt
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match access-list http-list2
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map http-map1
class http-map1
set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface outside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:079b0329cbbeff90893706973fbb3369
: end

Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

andrew.prince — Thu, 08 Jul 2010 20:43:49 GMT

add - sysopt connection tcpmss 1300

This should get things going for you.

HTH>

Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

Joe Montes — Tue, 13 Jul 2010 01:21:45 GMT

Hi Andrew,

Thanks for the reply but have not had any success when I configured it with what you have suggested. I previously had an entry in there and did some changes to the value but still had issues accessing other web sites. I will attempt to try it again tonight and see how far I get.

Regards,

Joe

PMTU-D packet 1420 bytes greater than effective mtu 1396,

Gregory.Fields — Wed, 23 Oct 2013 18:10:03 GMT

Hi Andrew -

I was having the same problem and the fix you recommended worked.

add - sysopt connection tcpmss 1300

Thanks,

topic Re: PMTU-D packet 1420 bytes greater than effective mtu 1396, in Network Security

PMTU-D packet 1420 bytes greater than effective mtu 1396,

Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

PMTU-D packet 1420 bytes greater than effective mtu 1396,