How to force MTU fragmentation, ASA5505

alig.norbert
Level 4

Hi all,

I have an ASA5505 with a PPPoE WAN connection. In the last few days, I have been receiving packets of 1500 bytes (MTU size) with the "don't fragment" bit set.

The weird thing is, the PPPoE link can handle only 1492 bytes.

Here the log:

%ASA-6-602101: PMTU-D packet number bytes greater than effective mtu number dest_addr=dest_address, src_addr=source_address, prot=protocol

This message occurs when the security appliance sends an ICMP destination unreachable message and when fragmentation is needed, but the "don't-fragment" bit is set.

Here the interface settings on the firewall:

....
mtu inside 1500
mtu outside 1492
....
sysopt connection tcpmss 1492
....

How can I force the firewall to defragment this packet? The ISP tells me that the problem is on the firewall.....

Thanks,

Norbert

2 Replies

gneltnor
Level 4

You may have to lower your tcpmss MTU or set the ip df value. This documentation should help; it states it is for use with VPN, but the same policies should apply:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml

Thanks for the reply.

I checked this document as well.

Using a lower MSS (sysopt connection tcpmss 1300) didn't fix it. set ip df only works on IOS, not on ASA.
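An added example, not from the thread or from Cisco: a small Python script that parses a constructed syslog line in the 602101 format quoted above, reports the ICMP "fragmentation needed" message (Type 3, Code 4, carrying the next-hop MTU) that the ASA sends back to the source instead of fragmenting a DF-marked packet, and checks whether a given sysopt connection tcpmss value can still produce TCP packets larger than the outside MTU (MSS plus the 20-byte IPv4 and 20-byte TCP headers). The addresses and sizes in SAMPLE_LOG are made up.

```python
import re
IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP headers without options

# Constructed sample line in the %ASA-6-602101 format quoted in the thread;
# the addresses and sizes are made up for this example.
SAMPLE_LOG = ("%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 "
              "dest_addr=203.0.113.10, src_addr=192.0.2.25, prot=TCP")

LOG_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than effective mtu "
    r"(?P<mtu>\d+) dest_addr=(?P<dst>[\d.]+), src_addr=(?P<src>[\d.]+), prot=(?P<proto>\w+)")

def parse_602101(line):
    """Extract packet size, effective MTU, endpoints and protocol from a 602101 message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["size"], ev["mtu"] = int(ev["size"]), int(ev["mtu"])
    return ev

def expected_icmp(ev):
    """The ASA does not fragment a DF-marked packet: it answers the *source* with ICMP
    Destination Unreachable, code 4 (fragmentation needed), carrying the next-hop MTU."""
    return {"type": 3, "code": 4, "next_hop_mtu": ev["mtu"], "sent_to": ev["src"]}

def max_tcp_mss(mtu):
    """Largest TCP MSS whose segments still fit in `mtu` without fragmentation."""
    return mtu - IP_HDR - TCP_HDR

def check_mss_clamp(configured_mss, outside_mtu):
    """Return (fits, largest_packet): a tcpmss clamp only helps when MSS plus the
    IPv4 and TCP headers is no larger than the smallest MTU on the path."""
    largest = configured_mss + IP_HDR + TCP_HDR
    return largest <= outside_mtu, largest

def triage(line, configured_mss, outside_mtu):
    """Summarise one 602101 event against the firewall's tcpmss and outside mtu."""
    ev = parse_602101(line)
    if ev is None:
        return None
    fits, largest = check_mss_clamp(configured_mss, outside_mtu)
    return {"oversize_by": ev["size"] - ev["mtu"],
            "icmp": expected_icmp(ev),
            "mss_clamp_fits": fits,
            "largest_tcp_packet": largest,
            "recommended_mss": max_tcp_mss(outside_mtu),
            # MSS clamping only touches TCP; UDP, ESP or GRE with DF set is unaffected.
            "clamp_applies": ev["proto"].upper() == "TCP"}
```

If the ICMP reply is dropped somewhere upstream, the sender never learns the smaller MTU and keeps retransmitting full-size DF packets, which is the classic PMTUD black hole to look for before blaming the firewall.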
