MTU on outside Interface

f-cagica
Level 1

Hello experts,

I have a strange issue on a link between two ASA5510s: both ASAs are interconnected by a P2P FastEthernet link, and the traffic between both ASAs is being secured by a L2L IPsec tunnel. The configured MTUs are 1500, however packets bigger than 1020 bytes are being dropped. IOS is 8.0(5). I didn't find so far any CAVEAT describing it. Does anyone know about this issue?

Thank you

Fernando

2 Replies

Richard Burts
Hall of Fame

Fernando

It is a pretty well recognized issue that when you run traffic through an IPSec VPN, the VPN processing adds additional encapsulation to the frame. If the original data packet was 1500 bytes and then we run it through the IPSec encryption process, the result is a frame that is larger than 1500 and it causes problems.

You can try to control the traffic to keep the MTU smaller or you can try to clear the DF bit so that the frames can be fragmented.

HTH

Rick
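To put numbers on the encapsulation overhead Rick describes, here is a small calculator (an added example, not code from this thread or from Cisco). It builds the ESP tunnel-mode frame size from the field lengths in RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 2451 (3DES-CBC) and RFC 2404/2403 (HMAC-SHA1-96 / HMAC-MD5-96), finds the largest clear-text packet that still fits a 1500-byte link after encryption, and models the three outcomes for an oversized packet: forward, fragment, or drop with an ICMP "fragmentation needed" when DF is set. The function names, the `CIPHERS`/`INTEGRITY` tables and the `forwarder_decision` model are my own; the 20-byte outer header assumes IPv4 without options.

```python
"""Size an IPsec ESP tunnel-mode frame and find the clear-text MTU that
survives a 1500-byte link. Field lengths: RFC 4303 (ESP), RFC 3602 (AES-CBC),
RFC 2451 (3DES-CBC), RFC 2404/2403 (truncated HMAC ICVs). Example code,
not from the original thread."""

IPV4_HEADER = 20   # outer IPv4 header added in tunnel mode (no options, assumed)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP header added when NAT traversal is negotiated

# cipher name -> (padding boundary / block size, IV length)
CIPHERS = {
    "aes-cbc": (16, 16),
    "3des-cbc": (8, 8),
    "null": (4, 0),   # ESP still aligns the trailer to a 4-byte boundary
}
# integrity algorithm -> ICV length in bytes (96-bit truncated HMACs)
INTEGRITY = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "none": 0}


def esp_tunnel_size(cleartext_len, cipher="aes-cbc", integrity="hmac-sha1-96",
                    nat_t=False):
    """On-the-wire size of a clear-text IP packet of cleartext_len bytes
    after ESP tunnel-mode encapsulation."""
    block, iv_len = CIPHERS[cipher]
    # Inner packet + padding + 2-byte trailer is padded up to the cipher
    # block size before encryption.
    padding = (-(cleartext_len + ESP_TRAILER)) % block
    encrypted = cleartext_len + padding + ESP_TRAILER
    total = IPV4_HEADER + ESP_HEADER + iv_len + encrypted + INTEGRITY[integrity]
    if nat_t:
        total += NAT_T_UDP
    return total


def max_cleartext_for_mtu(mtu, **kw):
    """Largest clear-text packet whose encapsulated size still fits in mtu.
    Overhead grows monotonically with size, so walk down from mtu."""
    for n in range(mtu, 0, -1):
        if esp_tunnel_size(n, **kw) <= mtu:
            return n
    return 0


def forwarder_decision(cleartext_len, df_set, mtu=1500, **kw):
    """Model of what an IPsec gateway does with a packet that would exceed
    the link MTU once encapsulated: forward it, fragment it, or drop it and
    send ICMP type 3 code 4 (fragmentation needed) because DF is set."""
    wire = esp_tunnel_size(cleartext_len, **kw)
    if wire <= mtu:
        return "forward"
    if df_set:
        return "drop + ICMP fragmentation-needed"
    return "fragment"


if __name__ == "__main__":
    for cipher, integ in (("aes-cbc", "hmac-sha1-96"), ("3des-cbc", "hmac-md5-96")):
        print(cipher, integ,
              "1500-byte packet becomes", esp_tunnel_size(1500, cipher, integ),
              "bytes; max clear-text MTU is",
              max_cleartext_for_mtu(1500, cipher=cipher, integrity=integ))
    print("1500-byte packet, DF set:  ", forwarder_decision(1500, df_set=True))
    print("1500-byte packet, DF clear:", forwarder_decision(1500, df_set=False))
```

With AES-CBC and HMAC-SHA1-96 a 1500-byte packet grows to 1560 bytes, i.e. the 56-60 bytes of overhead mentioned later in this thread, and the largest clear-text packet that fits a 1500-byte outside link is 1438 bytes (1446 bytes for 3DES/MD5). The two remedies Rick names map to the ASA knobs `crypto ipsec df-bit clear-df <interface>` (let the encrypted packets be fragmented) and `sysopt connection tcpmss <bytes>` (clamp TCP MSS so the hosts never send a segment that overflows the tunnel); the second is preferable where the traffic is TCP, since fragmenting ESP costs reassembly on the peer and is a classic cause of silent drops.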

Rick,

we are talking about a difference of 380 bytes of overhead... As far as I know, with IPsec I can expect something like 56-60 bytes of extra overhead. Now, from the peer FW I can't run a ping between both Outside interfaces with more than 1020 bytes. The ping is not encapsulated and the DF bit is not set.

Br,

Fernando