Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
771
Views
0
Helpful
0
Replies

ASA MTU size per peer

aenaya@compugen.com
Level 1
Level 1

‎06-11-2019 09:11 PM - edited ‎02-21-2020 09:12 AM

I am adding a new branch and connecting it by VPN to ventral site. The central site is the hub site for VPN tunnels. The issue I am facing is that the new branch's Internet link has MTU 1452 (because of PPPOE) and the MTU of outside interface in the branch is set to 1452.

 

Is there any way to keep MTU as 1500 in outside interface in hub site and change the MTU for one peer only (the new branch)?

 

I am trying to avoid any changes in central site that may affect other branches.

 

Does it help if I enabled pmtu? currently, pmtu configuration is as below:

 

crypto ipsec security-association pmtu-aging infinite

 

below is a sample configuration

 

crypto map Crypto-Map 50 match address <new branch subnets>
crypto map Crypto-Map 50 set peer <new branch public IP>
crypto map Crypto-Map 50 set ikev1 transform-set ESP-3DES-SHA

crypto map Crypto-Map interface outside

 

unnel-group <new branch public IP> type ipsec-l2l
tunnel-group <new branch public IP> ipsec-attributes
ikev1 pre-shared-key !Site2Site!

0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card