10-30-2010 06:42 AM - edited 03-04-2019 10:18 AM
Hello,
We are upgrading the Internet at one of our sites; the ISP has provided a separate router and ONT to connect.
When connecting to the new ISP router the Internet works fine but our site-to-site connection via the Nortel VPN fails.
Production Switch--------->Nortel VPN-------->Cisco 1800------->ISP Router------------->Internet
I have been asked to set the MTU on the external interface on our equipment (Cisco 1800) by the ISP to MTU 1440.
The Nortel VPN operates at MTU 1788.
Cisco 1800 - image - c1841-advsecurityk9-mz.124-3c.bin
1) Do I apply 'ip mtu 1440' on the FastEthernet interface? Do I need anything else?
2) Also, is this likely to cause issues with the Nortel VPN device operating at 1788?
Please advise ASAP.
Jay
10-30-2010 06:58 AM
Hello,
Yes, on the interface towards the ISP router, use the ip mtu 1440 command. It is also recommended that you use the ip tcp adjust-mss 1400 command on all other physical interfaces of your router to make it decrease the maximum negotiated segment size of TCP segments passing through your router to 1400 bytes, thereby preventing the need to fragment the packets. The TCP header is 20 bytes long, so when considering the IP header to be also 20 bytes, the resulting maximum body of a TCP segment is in your case 1440-20-20=1400 bytes.
Lowering the IP MTU may cause issues if an application, such as your Nortel, is sending larger IP packets with the DF (Don't Fragment) flag set. In such a case, the router is prohibited from fragmenting an IP packet that is over 1440 bytes, and will be forced to drop it. Usually, this can be discovered by interactive sessions like instant messaging, telnet/ssh or similar working fine while larger downloads utilizing the full packet length are exceedingly slow or actually not working at all.
Why does your ISP actually ask you to lower the MTU to 1440, and why is the Nortel VPN using such an unusual MTU of 1788 bytes? Is your ISP also providing any VPN service for you, either VPN, DMVPN, IPsec or similar?
Best regards,
Peter
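An added example (not from this thread or from Cisco) modelling the behaviour Peter describes: what an egress interface configured with 'ip mtu 1440' does with a 1500-byte packet with and without the DF flag, how IPv4 fragmentation sizes the pieces, and the MSS that 'ip tcp adjust-mss' should clamp to. It assumes 20-byte IP and TCP headers with no options.

```python
"""Simplified model of a router's egress MTU handling and MSS clamping.
Added example for this thread, not Cisco IOS code; header sizes assume
no IP or TCP options."""
from dataclasses import dataclass

IP_HDR = 20   # bytes, IPv4 header without options
TCP_HDR = 20  # bytes, TCP header without options


@dataclass
class Packet:
    total_len: int   # IP total length in bytes
    df: bool         # Don't Fragment flag set?


def clamp_mss(mtu: int) -> int:
    """MSS to advertise so a full TCP segment fits the MTU (1440 -> 1400)."""
    return mtu - IP_HDR - TCP_HDR


def fragment(pkt: Packet, mtu: int) -> list[int]:
    """Return the total lengths of the IPv4 fragments of an oversized packet.
    Every fragment except the last carries a payload that is a multiple of
    8 bytes, because the fragment offset field counts 8-byte units."""
    payload = pkt.total_len - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8      # largest 8-byte-aligned payload
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IP_HDR + chunk)        # each fragment gets its own header
        payload -= chunk
    return sizes


def forward(pkt: Packet, mtu: int) -> tuple[str, list[int]]:
    """Decide what happens at the egress interface:
    'forward'  - fits the MTU, sent unchanged
    'fragment' - too large, DF clear, split into fragments
    'drop'     - too large, DF set: dropped; the router answers with ICMP
                 'fragmentation needed' (type 3, code 4). If that ICMP is
                 filtered somewhere, the sender keeps retrying and large
                 transfers stall, the symptom Peter describes above."""
    if pkt.total_len <= mtu:
        return "forward", [pkt.total_len]
    if pkt.df:
        return "drop", []
    return "fragment", fragment(pkt, mtu)


if __name__ == "__main__":
    print("MSS to clamp to:", clamp_mss(1440))                 # 1400
    print(forward(Packet(1500, df=False), 1440))               # fragment [1436, 84]
    print(forward(Packet(1500, df=True), 1440))                # drop
    print(forward(Packet(IP_HDR + TCP_HDR + 1400, df=True), 1440))  # forward
```

The 1500-byte packet becomes a 1436-byte fragment (1416 bytes of payload, the largest multiple of 8 under 1420) plus an 84-byte tail, which is exactly the overhead the MSS clamp avoids.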
10-30-2010 08:01 AM
Hi Peter,
The ISP is a UAE provider. It's difficult to get any information from them. They are only providing Internet service.
All they said was they have enabled the VPN protocols we requested and they recommended we set the MTU to 1440 for IP fragmentation.
The Nortel VPN is a managed VPN service by another provider. This initiates the site-to-site vpn tunnels between all offices.
I am not sure why the MTU is set to 1788, this is what they told me and what is being used on all our Nortel VPN devices we have in all offices.
All inter-office traffic, i.e. email, docs, etc., will be via VPN; however, Internet traffic will be routed directly out of the ISP router.
This is the first fibre network we are connecting to and I guess they are reluctant to make any changes to their network.
Is it worth changing the MTU if it's still going to cause problems?
Or shall I persist in getting them to set the standard MTU on their network?
Thanks,
Jay
10-30-2010 11:45 AM
Hello Jay,
Let's go over some of the information you have provided.
>> All they said was they have enabled the VPN protocols we requested and they recommended we set the MTU to 1440 for IP fragmentation.
It is necessary to interpret this statement properly. It could mean two different things:
>> Is it worth changing the MTU if it's still going to cause problems?
>> Or shall I persist in getting them to set the standard MTU on their network?
I do not think you could actually persuade them to change their MTU settings across the network. The primary question is whether the MTU of 1440 bytes is their recommendation for your devices, or whether it is the upper size limit of a packet on the link between your router and the ISP router, as I indicated earlier.
If their router is actually fine with 1500 byte packets then you do not have to modify anything because your 1800 router will be performing the fragmentation to 1500 bytes if necessary (the MTU of 1500 is the default). If, on the other hand, the ISP's MTU setting is 1440 bytes then you must change your settings on the 1800 router as well, otherwise packets larger than 1440 bytes would be dropped by the ISP.
I suggest starting by better understanding the requirement-or-recommendation of your ISP about the MTU of 1440 bytes. Can you talk to them and ask for a more precise explanation?
Best regards,
Peter
11-03-2010 07:10 AM
Hello Peter,
This issue has now been resolved.
After several emails over the weekend, I managed to finally get the ISP to keep the standard MTU configuration.
The VPN was still not coming up, but this was due to a routing issue with the Cisco 1800.
The Cisco had a default route pointing to the external interface FE0/0, and the route had to be changed to point to the IP address on the external interface connecting to the ISP router. This is a point-to-point IP address /32 (.239 - ISP and .230 - Cisco 1800).
>> ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 - This statement works with original ISP router but not the new Router.
interface FastEthernet0/0
description connected to Internet
ip address x.x.x.230 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description connected to LAN
ip address x.x.x.x 255.255.255.240
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.229 - VPN works with this static route.
!
Not sure what the difference is, any ideas?
Jay
11-03-2010 08:03 AM
>> ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 - This statement works with original ISP router but not the new Router.
Because the other ISP was supporting proxy-arp, but the new one (correctly) doesn't.
Never point routes at LAN interfaces. Always use an IP address.
11-03-2010 04:45 PM
OK, now I understand. Thank you!
Thank you both for your replies, very helpful.