MTU MSS DF Bit and Fragmentation

cchughes
Level 1

I am running an encrypted link and want to check for and, if necessary, remedy fragmentation.

I'm using two connected 6500's with VPN modules.

Using the NAM, I sniffed the outbound physical interface and I see packets of various sizes, but the biggest is 128 bytes even during a massive file transfer. I'm assuming fragmentation but need to be sure.

Using ping I see the biggest packet allowed without fragmentation is 1472.

My primary intent is to first determine if there is a fragmentation issue. If there is, I'll probably follow up with questions on which command to use and where to put it. I assume that I would use either the physical outgoing interface (currently MTU=1500) or the inside crypto interface (current MTU=4500).

1. How do I determine if there is a fragmentation issue?

2. Which command to use and where?

Any help would be appreciated.

1 Reply

wong34539
Level 6

The issue is with large packets that have the don't-fragment bit set and that become too large with the additional overhead of IPsec.

Use the command "ip tcp adjust-mss " to set the TCP MSS (maximum segment size) low enough that the packet isn't fragmented.

You may need to clear the df-bit entirely (it's a less efficient method, but it works). For the router, you can do so via "crypto ipsec df-bit clear".

Try these links for more info:

http://cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html

http://www.cisco.com/warp/public/105/pmtud_ipfrag.html

http://www.cisco.com/warp/public/105/38.shtml
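
One way to answer the first question from a capture of the outbound interface is to read the fragmentation fields of each IPv4 header: a packet is a fragment when its MF flag is set or its fragment offset is non-zero. The Python below is an added example, not part of the original thread; the function names and the sample headers are constructed for illustration.

```python
import struct
from collections import Counter

def ipv4_frag_info(header: bytes) -> dict:
    """Decode the fragmentation-related fields of one IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, ident, flags_off = struct.unpack("!HHH", header[2:8])
    df = bool(flags_off & 0x4000)          # Don't Fragment flag
    mf = bool(flags_off & 0x2000)          # More Fragments flag
    offset = (flags_off & 0x1FFF) * 8      # offset field counts 8-byte units
    return {"len": total_len, "id": ident, "df": df, "mf": mf,
            "offset": offset, "proto": header[9],
            "fragment": mf or offset > 0}

def summarize(headers) -> dict:
    """Count fragments, DF-marked packets and ESP (protocol 50) packets."""
    stats = Counter()
    largest = 0
    for h in headers:
        info = ipv4_frag_info(h)
        stats["packets"] += 1
        stats["fragments"] += info["fragment"]
        stats["df_set"] += info["df"]
        stats["esp"] += info["proto"] == 50
        largest = max(largest, info["len"])
    stats["largest"] = largest
    return dict(stats)

def sample_header(total_len, ident, flags_off, proto) -> bytes:
    # Constructed header: checksum left at zero, documentation addresses.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1]))

# Constructed capture: one ESP packet split in two, plus a TCP packet with DF.
SAMPLE = [
    sample_header(1500, 0x1A2B, 0x2000, 50),  # first fragment: MF set
    sample_header(76, 0x1A2B, 185, 50),       # last fragment: offset 1480
    sample_header(1400, 0x1A2C, 0x4000, 6),   # unfragmented TCP, DF set
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero `fragments` count on the encrypted side, with fragments sharing an `id`, indicates that packets are being split after encryption overhead is added.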