04-14-2008 11:24 AM - edited 03-03-2019 09:33 PM
Hi,
I have a Cisco 877 at a remote site connected to an ASA over an IPSec VPN (AES-256/sha/pre-shared key) and have just used the "test vpn connection" option on the SDM of a Cisco 877.
It says the tunnel is fine but recommends I add the "crypto ipsec df-bit clear" command, however I did add it to the dialer 1 interface of the 877 and ran the test again, but it still says I need to add it.
What interface is this or do I need to add it to the ASA somewhere instead?
04-14-2008 11:52 AM
I haven't used SDM and hence can't comment on which interface it wants you to clear the df-bit on, but the dialer interface sounds logical to me. You can configure the 'crypto ipsec df-bit clear' command in the global configuration mode; this would apply the setting to all interfaces. Then try the test.
HTH
Sundar
04-15-2008 05:56 AM
Just added it to the global config on the Cisco 877 and it still says I need to add it. Could it be the ASA side?
04-15-2008 06:14 AM
You can try adding the command to the ASA. Are you having problems sending data through the L2L VPN tunnel? I have found the 'ip tcp adjust-mss 1440' command to be very helpful in addressing MTU problems over IPSEC connections. Configure this command under the LAN facing interface on the 877 and check your connection between the hosts on the LAN instead of using the SDM to test.
HTH
Sundar
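As an added illustration (not from this thread or from Cisco), the following Python models the ESP tunnel-mode overhead for the AES-256/SHA settings described above and shows why a TCP MSS clamp and the df-bit setting matter. It assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96, no NAT-T, an IPv4 outer header, and a PPPoE path MTU of 1492 on the 877's dialer; these are modelling assumptions, not values taken from the thread.

```python
# Added example: size a TCP segment so it still fits the path MTU after IPsec
# (ESP tunnel mode, AES-CBC + HMAC-SHA1-96), and show what happens to a packet
# that does not fit depending on the DF bit and 'crypto ipsec df-bit clear'.
# All constants are assumed (RFC 4303 ESP layout); adjust for other transforms.

ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4)
AES_BLOCK = 16       # AES-CBC block size; encrypted payload is padded to this
AES_IV = 16          # explicit IV carried in the ESP packet
SHA1_ICV = 12        # HMAC-SHA1-96 integrity check value
IPV4_HDR = 20        # outer (and inner) IPv4 header without options
TCP_HDR = 20         # TCP header without options
UDP_NAT_T = 8        # extra UDP header when NAT-T (UDP/4500) is negotiated


def esp_tunnel_overhead(inner_len, nat_t=False):
    """Bytes added to an inner IPv4 packet of inner_len by ESP tunnel mode."""
    trailer_min = 2  # pad length (1) + next header (1)
    # inner packet + padding + 2-byte trailer must be a multiple of the block size
    pad = (-(inner_len + trailer_min)) % AES_BLOCK
    return (IPV4_HDR + (UDP_NAT_T if nat_t else 0) + ESP_SPI_SEQ + AES_IV
            + pad + trailer_min + SHA1_ICV)


def encapsulated_size(inner_len, nat_t=False):
    """Size on the wire of the ESP packet carrying an inner packet of inner_len."""
    return inner_len + esp_tunnel_overhead(inner_len, nat_t)


def max_mss(path_mtu, nat_t=False):
    """Largest TCP MSS whose full-size segment fits path_mtu after encapsulation."""
    mss = path_mtu - IPV4_HDR - TCP_HDR  # start from the plain, un-tunnelled value
    while encapsulated_size(mss + IPV4_HDR + TCP_HDR, nat_t) > path_mtu:
        mss -= 1
    return mss


def what_happens(inner_len, path_mtu, df_set, df_bit_clear, nat_t=False):
    """'pass', 'fragment' or 'drop' for a packet entering the tunnel.

    By default the router copies the inner DF bit to the outer header; a too-big
    DF-marked packet is then dropped (ICMP 'fragmentation needed' goes back to
    the sender). With 'crypto ipsec df-bit clear' the outer DF is cleared and the
    ESP packet is fragmented instead.
    """
    if encapsulated_size(inner_len, nat_t) <= path_mtu:
        return "pass"
    if df_set and not df_bit_clear:
        return "drop"
    return "fragment"
```

Running what_happens(1480, 1492, True, False) against a full segment from a 1440-byte MSS shows the case the SDM warning is about, and max_mss(1492) gives the value at which no fragmentation is needed under these assumptions.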
04-15-2008 06:16 AM
It all seems to be fine, but the SDM recommends this after doing a test of the tunnel.
Should I add that to the global config of the ASA?
I've added 'ip tcp adjust-mss 1440' to the VLAN 1 of the 877.
04-15-2008 06:25 AM
It doesn't hurt to add the df-bit clear command to the global configuration of the ASA.
04-15-2008 07:06 AM
When I do, it asks what interface:
ASA5520(config)# crypto ipsec df-bit clear ?
configure mode commands/options:
Current available interface(s):
DMZ1 Name of interface GigabitEthernet0/2.6
inside Name of interface GigabitEthernet0/1
management Name of interface Management0/0
outside Name of interface GigabitEthernet0/0
Would it just be the outside?
04-15-2008 07:18 AM
That would be correct if your VPN connection terminates on the outside interface.
HTH
Sundar
04-15-2008 07:31 AM
Added to the outside but that request to add still remains, never mind.
Guess it's no problem being in there?
04-15-2008 07:43 AM
I wouldn't worry about it, especially since your VPN tunnel seems to be up and passing traffic and users aren't having any problems.