MTU issues with a VPN appliance connecting through FTD

Ricky Sandhu
Level 3

Hi all, I have a client PC which occasionally needs to upload a large amount of data to a server at another company, with which we have an IPsec VPN tunnel. I have attached a rough drawing of this setup. We recently upgraded from an ASA to a Cisco FTD appliance. The client is sitting on the internal network connected to E1/1 and the VPN appliance sits inside the DMZ. I am running into issues with the MTU. From the client, I can't ping the server with packets larger than 1379 bytes. Smaller packets have no issues getting through.

I understand IPsec adds additional overhead which should be taken into account. In the past, on IOS routers, I have been able to configure things like path MTU, and even decreased the TCP MSS down to 1360 bytes, but I have no idea how to do this on the FTD. I did refer to Cisco documents and configured a Flex policy where I changed the default TCPMSS on the FTD to 1360; however, the client is still having issues. What am I doing wrong? Please advise. Thank you for your support.
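The probing the question describes (DF-bit pings to find the largest size that gets through, then sizing the MSS clamp) can be scripted so it takes a dozen probes instead of guesswork. The block below is an added example and is not code from the thread or from Cisco; it assumes Linux iputils `ping -M do -s` syntax for the live probe, assumes AES-CBC with HMAC-SHA1-96 over NAT-T as the default ESP parameters (the actual tunnel's proposal is not stated in the thread), and uses a constructed responder that mirrors the 1379-byte symptom so it runs offline.

```python
"""Added example, not from the thread: size the IPsec ESP overhead, find the
path MTU with DF-bit probes (binary search), and derive the TCP MSS to clamp.
The probe is injected so the search can run offline against a constructed
responder that mirrors the thread's symptom: payloads above 1379 bytes dropped."""
import subprocess
import sys

IP_HDR = 20      # IPv4 header, no options
ICMP_HDR = 8     # ICMP echo header
TCP_HDR = 20     # TCP header, no options
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)
UDP_HDR = 8      # UDP 4500 encapsulation when NAT-T is negotiated


def esp_overhead(payload_len, block_size=16, iv_len=16, icv_len=12, nat_t=True):
    """Bytes ESP tunnel mode adds to an inner packet of payload_len bytes.
    Defaults assume AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV)
    and NAT-T; pass block_size=4, iv_len=8, icv_len=16 for AES-GCM-128. These
    cipher parameters are assumptions, not values from the thread."""
    pad = (-(payload_len + ESP_TRAILER)) % block_size
    return (IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
            + pad + ESP_TRAILER + icv_len)


def probe_linux(host, payload):
    """Real DF-bit probe using Linux iputils ping: True if an echo reply returned."""
    cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def largest_passing_payload(probe, lo=0, hi=1472):
    """Largest ICMP payload in [lo, hi] that probe() accepts, assuming anything
    above the first failing size also fails. 1472 is the maximum on 1500-byte
    Ethernet (1500 - 20 IP - 8 ICMP). About 12 probes instead of ~1500."""
    if probe(hi):
        return hi
    while hi - lo > 1:   # invariant: lo assumed to pass, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload):
    """Path MTU implied by the largest passing ICMP echo payload."""
    return payload + IP_HDR + ICMP_HDR


def tcp_mss_for(path_mtu):
    """Largest TCP segment that fits the path MTU without fragmentation."""
    return path_mtu - IP_HDR - TCP_HDR


def simulated_probe(payload):
    """Constructed responder reproducing the thread: >1379-byte payloads are dropped."""
    return payload <= 1379


if __name__ == "__main__":
    # With a host argument, probe the real path; otherwise use the constructed responder.
    probe = (lambda p: probe_linux(sys.argv[1], p)) if len(sys.argv) > 1 else simulated_probe
    payload = largest_passing_payload(probe)
    pmtu = path_mtu_from_payload(payload)
    print(f"largest DF payload {payload} -> path MTU {pmtu} -> clamp TCP MSS to {tcp_mss_for(pmtu)}")
    print(f"ESP overhead on a 1400-byte inner packet: {esp_overhead(1400)} bytes")
```

Two caveats when reading the result against the question. First, an MSS clamp (the `sysopt connection tcpmss` setting behind the FlexConfig) only rewrites the MSS option in TCP SYN segments; ICMP echo and UDP are untouched by it, so a large ping still failing after the clamp does not by itself show that the clamp is ineffective for the TCP upload. Second, the probe has to be run from the client's segment through the FTD, because the limit it finds is the path limit, not the limit of any single hop.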

3 Replies

Version?  Platform?  FMC or FDM?

Version 7.4.2.1 of FTD.  Running FMC version 7.4.2.1

Thanks

Each VPN has its own PMTU to dynamically adjust the MTU.
The PMTU configuration can be found in the IPsec settings:
Advanced > IPsec > IPsec Settings
Enable Fragmentation Before Encryption
This option lets traffic travel across NAT devices that don’t support IP fragmentation. It doesn’t impede the operation of NAT devices that do support IP fragmentation.
Path Maximum Transmission Unit Aging
Check to enable Path Maximum Transmission Unit (PMTU) Aging, the interval to reset the PMTU of a Security Association (SA).
Value Reset Interval
Enter the number of minutes at which the PMTU value of an SA is reset to its original value. Valid range is 10 to 30 minutes, default is unlimited.