
Cisco ASA VPN and Fragmentation Issues

Jon Pletcher
Level 1

We have a Cisco ASA spoke and hub configuration for VPN access where a main 5510 is the hub for about 80 5505's.  In the past, with some ISPs we had to make the following changes:

sysopt connection tcpmss 1260
crypto ipsec df-bit clear-df outside

I got to wondering if I should be setting this on all of our remote 5505's for performance reasons.  

I've read an article about how to use the native Windows command prompt to ping with set MTU sizes, and then you can pinpoint exactly what is the largest MTU size you can set.  This is usually around 1390-1412 (with the overhead added).  

When I run this ping test with MTU sizes set, it seems that every remote location comes back with "Packet need to be fragmented but DF Set" when I use a number over 1400.

Should this be something I should be setting on each remote 5505?  And should I set it on the main 5510 as well?
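The DF-bit ping sweep described in the post, as an added example that is not part of the original post: a binary search for the largest payload that passes unfragmented, converted to a path MTU and a TCP MSS using the standard IPv4 header sizes. The function names and the simulated 1400-byte path are assumptions made for illustration; `ping -n 1 -f -l` are the Windows ping options for count, DF bit and payload size.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options

def windows_df_ping(host, size):
    """Send one DF-set echo with `size` payload bytes; True if a reply came back."""
    out = subprocess.run(["ping", "-n", "1", "-f", "-l", str(size), host],
                         capture_output=True, text=True).stdout
    return "TTL=" in out  # echo replies carry TTL=; the DF error line does not

def largest_df_payload(probe, low=500, high=1472):
    """Binary-search the largest payload size for which probe(size) is True."""
    if not probe(low):
        return None  # even the floor fails: host down or ICMP filtered
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, look higher
        else:
            high = mid - 1   # mid needs fragmenting, look lower
    return low

def summarize(payload):
    """Convert a ping payload size into the path MTU and matching TCP MSS."""
    mtu = payload + IP_ICMP_OVERHEAD
    return {"payload": payload, "path_mtu": mtu, "tcp_mss": mtu - IP_TCP_OVERHEAD}

def simulated_path(max_payload):
    """Constructed stand-in for a real link: replies only up to max_payload."""
    return lambda size: size <= max_payload

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real sweep against the host given on the command line
        probe = lambda size: windows_df_ping(sys.argv[1], size)
    else:                   # constructed sample: pings above 1400 hit the DF error
        probe = simulated_path(1400)
    best = largest_df_payload(probe)
    print("no reply at minimum size" if best is None else summarize(best))
```

A sweep sent through the tunnel already has the IPsec overhead subtracted by the path, while a sweep to the peer's public address measures only the ISP path, so the two results are not interchangeable when choosing a `tcpmss` value.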
