Problem with MTU and dropped packets over site-to-site VPN tunnels

ABaker94985
Spotlight

We have a 5506-X that we recently upgraded to 9.16.2 and then 9.16.3, but then had to revert back to 9.12.4 because of a long-standing bug that's been around since 9.14 that was supposedly fixed but isn't. We ended up reverting back to the initial 9.12.4, but we're now having a problem where packets under 990B are dropped over the site-to-site VPN tunnel if the do-not-fragment bit is set. This is running the same configuration as before. There is no problem with the larger packets to the Internet. We have several dozen VPN tunnels connected to the same headend, which are not having a problem. I'm not sure where to look next, so any thoughts on what I might check? The interface MTUs are set to 1500B.


mtu outside 1500
mtu inside 1500


Thank you.

1 Reply

show crypto ipsec sa 

…..

PMTU time remaining (sec): 0, DF policy: copy-df <- check DF policy 

Check the DF policy with the command:

crypto ipsec df-bit 

Try clear df-bit.
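To reason about what each df-bit policy does to a packet of a given size, here is a small model added to this thread (not code from Cisco or from either poster). The ESP overhead figures are assumptions for tunnel-mode AES-CBC with HMAC-SHA1-96 and a 1500-byte outer MTU; it ignores any PMTU the ASA has learned per SA, and you should adjust the constants to your transform set.

```python
# Added example: model DF-bit handling for an IPsec tunnel-mode SA.
# Overhead constants are assumptions for ESP with AES-CBC / HMAC-SHA1-96.
OUTER_IP_HDR = 20    # outer IPv4 header added by tunnel mode
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_IV = 16          # AES-CBC initialisation vector
ESP_BLOCK = 16       # cipher block size the payload is padded to
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value
NAT_T_UDP = 8        # extra UDP/4500 header when NAT traversal is in use


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Size of the outer IPv4 datagram after ESP tunnel-mode encapsulation."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // ESP_BLOCK) * ESP_BLOCK    # round up to a whole block
    size = OUTER_IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV
    return size + NAT_T_UDP if nat_t else size


def df_outcome(inner_len: int, inner_df: bool, policy: str,
               outer_mtu: int = 1500, nat_t: bool = False) -> str:
    """What the tunnel does under 'crypto ipsec df-bit' copy-df/set-df/clear-df.

    'forward'  : encapsulated packet fits the outer MTU
    'fragment' : outer DF clear, so the oversized outer packet is fragmented
    'drop'     : outer DF set and oversized; the sender would get an ICMP
                 fragmentation-needed instead of the packet getting through
    """
    if policy not in ("copy-df", "set-df", "clear-df"):
        raise ValueError(f"unknown df policy: {policy}")
    outer_df = {"copy-df": inner_df, "set-df": True, "clear-df": False}[policy]
    if esp_tunnel_size(inner_len, nat_t) <= outer_mtu:
        return "forward"
    return "drop" if outer_df else "fragment"


def max_inner_without_fragmentation(outer_mtu: int = 1500,
                                    nat_t: bool = False) -> int:
    """Largest cleartext packet whose encapsulated form still fits outer_mtu."""
    n = outer_mtu
    while esp_tunnel_size(n, nat_t) > outer_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for size in (990, 1400, 1500):      # constructed sample packet sizes
        for pol in ("copy-df", "set-df", "clear-df"):
            print(size, pol, esp_tunnel_size(size), df_outcome(size, True, pol))
    print("largest inner packet without fragmentation:",
          max_inner_without_fragmentation())
```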
