Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1797
Views
0
Helpful
3
Replies

Jumbo Frame on ASA

frajo_kizhuvara
Level 1
Level 1

‎06-03-2021 07:37 AM

We want to enable Jumbo frames on ASA 5585-X and our last attempt caused an outage.
Below are cmd excuted in our last attempt.
jumbo frame-reservation
sysopt connection tcpmss 9096
mtu was set to 9216 on interface Trust and DMZ

Two interface on the ASA is port-channel and we have created sub interface.
Port-Channel1
Port-Channel1.10 Trust
Port-Channel1.20 Untrust
Port-Channel1.30 DMZ

we want to enable Jumbo frame only on interface Trust and DMZ.

So below is what I am trying to understand.
1. Did we missed anything in our last attempt for this to cause outage.
2. Can we enable Jumbo frame to only two subinterface, tcpmss cmd is not tied to a interface similar to mtu, so will it cause issue to interface on lower mtu say 1500.

0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎06-03-2021 01:54 PM

Jumbo frames are enabled globally but you need to also set the MTU for the individual interfaces you want to allow jumbo frames on. This is done on a per "named" interface basis, so you are able to do this on subinterfaces.  If jumbo frames are trying to exit an interface that only allows an MTU of 1500, for example, make sure that the DF bit is not set so the ASA is allowed to fragment the packet.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

frajo_kizhuvara
Level 1
Level 1
In response to Marius Gunnerud

‎06-04-2021 07:55 AM

Thank you Marius for the reply.

Last time we did as mentioned by you, enabled jumbo frame at global which required a reboot and then applied 9216 MTU to required name interface. We also configured tcpmss value to 9096 but still had an outage. 

Do you think the live traffic will be dropped due to the MTU change and initialize new connection. Since MSS is worked out in the initial tcp handshake I feel it will not cause an issue to ongoing traffic.

 

As mentioned I did checked with server team and they are not setting the DF bit.

Server team set Jumbo to 9000 and MSS captured in tcpdump is 8960

0 Helpful

frajo_kizhuvara
Level 1
Level 1
In response to Marius Gunnerud

‎06-09-2021 06:00 AM

Guess we now know what caused the problem when we enabled Jumbo frame on ASA.

We have ICMP blocked and below article suggest that may be the problem.

 

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html 

 

Next month in our maintenance window we will be scheduling the activity. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card