
Fragmentation for DMVPN

hillegas
Level 1

I have a 2651 connected to an 831 across GRE/Crypto tunnels. The 2651 is configured to support multiple 831 devices with DMVPN and hence is the hub site. The 831 is the spoke site. The GRE and crypto tunnels are up and operational. I'm able to pass traffic up until it meets the MTU threshold, given the additional headers that the GRE and crypto encapsulations add to the original packet. The largest original packet the routers will pass is approximately 1410 bytes. I don't want to set the private side LAN interface MTU less than 1500. I would prefer to configure the crypto clear df-bit and have the routers take care of fragmentation/re-assembly. However, I have not been able to configure the router to have it fragment/re-assemble. With DMVPN, the 2651 doesn't have a crypto map applied to its public interface, so I can't have it ignore the DF bit. However, I tried an extended ping and did not have the DF set, and the 2651 is not fragmenting and re-assembling. Any help would be appreciated.

1 Reply

hillegas
Level 1

Some additional info:

The 831 to 2651 works fine when both are connected directly to the Internet. When connected directly to the Internet, the payload traffic is passed and is fragmented and re-assembled over ESP. However, when the 831 is connected to a Linksys WRT54G, ESP traffic does not traverse through the Linksys. After timing out on the ESP traffic, the routers try to utilize NAT-T (non-ISAKMP, UDP port 4500) to pass the payload traffic. This also works, unless the MTU is greater than 1410 bytes. I did an extended ping from the 831, with the destination set to the tunnel IP address of the 2651, while debugging ICMP on the 831 and 2651. The 2651 responded:

time exceeded (reassembly) sent to 831 IP address.

Thanks,

Todd