MTU discovery

CSCO10685980
Level 1

PiX - IoS 7.0

Is there any option for MTU discovery for IPsec VPN tunnels, or only static?

THX

Laptom

1 Reply

mchin345
Level 6

IPSec encapsulation with Path MTU Discovery (ICMP)

The VPN 3002 fragments tunneled packets that would exceed the MTU setting during encapsulation. For this option, the VPN 3002 drops large packets that have the Don't Fragment (DF) bit set, and sends an ICMP message "Packet needs to be fragmented but DF is set" to the packet's initiator. The ICMP message includes the maximum MTU size allowed. Path MTU Discovery means that an intermediate device (in this case the VPN 3002) informs the source of the MTU permitted to reach the destination.

If a large packet does not have the DF bit set, the VPN 3002 fragments prior to encapsulating, thus creating two independent non-fragmented IP packets, and transmits them out the public interface. This is the default policy for the VPN 3002 hardware client.

For this example, the PC that is the FTP client may use Path MTU Discovery to adjust the size of the packets it transmits to this destinat
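
The drop-or-fragment decision described in the reply above, as an added Python example (not Cisco code and not part of the original post). The 1400-byte inner MTU, the addresses and all function names are constructed for illustration, and the code assumes an unfragmented IPv4 packet without options arriving at the gateway.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over data with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(payload: bytes, df: bool) -> bytes:
    """Constructed sample packet: 20-byte header, TCP, 10.0.0.1 -> 10.0.1.1."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      0x4000 if df else 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def frag_needed(packet: bytes, mtu: int) -> bytes:
    """ICMP type 3 code 4 with the permitted MTU in bytes 6-7 (RFC 1191 layout)."""
    ihl = (packet[0] & 0x0F) * 4
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + packet[:ihl + 8]  # header + 8 payload bytes
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def handle(packet: bytes, mtu: int):
    """Gateway decision before encapsulation; mtu = largest inner packet that fits the tunnel."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) <= mtu:
        return "forward", [packet]
    if struct.unpack("!H", packet[6:8])[0] & 0x4000:   # DF set: drop, report MTU to sender
        return "icmp", [frag_needed(packet, mtu)]
    step = (mtu - ihl) // 8 * 8                        # fragment payloads are multiples of 8
    payload, out = packet[ihl:], []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        hdr = bytearray(packet[:ihl])                  # copy original header, patch per fragment
        struct.pack_into("!H", hdr, 2, ihl + len(chunk))
        struct.pack_into("!H", hdr, 6, (0x2000 if off + step < len(payload) else 0) | off // 8)
        hdr[10:12] = b"\x00\x00"
        struct.pack_into("!H", hdr, 10, inet_checksum(bytes(hdr)))
        out.append(bytes(hdr) + chunk)
    return "fragments", out
```

When troubleshooting a tunnel that stalls on large transfers, the ICMP message built by `frag_needed` is the one to look for in a capture on the sender's side; if a filter between the gateway and the sender drops it, the sender never learns the smaller MTU.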