07-18-2002 01:46 PM - edited 03-08-2019 11:37 PM
I have a problem resolving the following situation: there is a W2K application server (WEB site) on the internal network. A VPN remote user connects to the VPN3030 concentrator and goes to the WEB site. The WEB site replies with 1500-byte packets (MTU) and, since it is Windows, sets the DF bit. These packets are too big for the VPN3030 to put into the IPSec tunnel (IPSec has about 60 bytes of overhead); it cannot fragment them because of DF, it cannot clear the DF bit (IOS routers can do it now), and it does not send ICMP unreachable towards the WEB server to trigger the MTU discovery process on it.
W2K has a feature called "black hole" detection for situations exactly like this, where W2K monitors TCP retransmissions to realize that 1500 bytes is too big, but this feature does not work. So the only option left is to disable MTU Discovery in the registry of the WEB server, which clears the DF bit and sets the MTU to 576 bytes. It works for one to ten servers, but there are a lot more?
Did anyone have the same problem with the VPN3000 (SW 3.5.2), and how could it be fixed?
Thanks
07-18-2002 03:11 PM
There are no MTU settings that can be performed on the VPN3000 at the moment. It will, however, be supported in a future code release.
For now, you have to make sure the devices that interact with the VPN3000 have their MTU set correctly, instead of trying to negotiate with the VPN3000.
Regards,
07-26-2002 07:46 AM
You must lower the MTU on the client machine to 1400 or below to stop fragmentation.
Cisco has no support for MTU adjustment on the 3000 series concentrators at this time and I don't think it is coming anytime soon.
Someone please prove me wrong and tell me the MTU adjustment feature on concentrators will be released soon.