09-18-2009 04:03 AM - edited 03-04-2019 06:05 AM
How is it possible that a router sends 1448 bytes of FTP data (frame size is 1514) but does not send 1394 bytes of FTP data (frame size is 1460) over an IPsec tunnel? The router sends an ICMP destination unreachable message to the source; the IPsec tunnel MTU is 1476.
Any idea about allowing ICMP destination unreachable messages on the Windows firewall?
09-21-2009 08:15 AM
I have location A and location B; the problem is in location A.
The destination for both locations is the same.
The last hop is the same for both locations (IPsec tunnel).
Location A: source IP 152.144.175.35 and destination 152.144.253.61.
Location B: source IP 161.228.80.77 and destination 152.144.253.61.
Router IP with IPsec tunnel: 152.144.75.244
09-21-2009 10:45 AM
Did you get the chance to look at the capture? Any idea about this behavior?
09-22-2009 12:53 AM
In both captures of location A, packet 9 in the capture is an ICMP "fragmentation needed".
In the capture of location B, packet 9 is the same.
All the FTP data is being sent with the DF bit set; the frame sizes are too big for the VPN.
Do the VPNs terminate on the ASA/PIX devices?
09-22-2009 03:42 AM
In location B the FTP data size is 1448 and the corresponding frame size is 1512, and this happily passes through the tunnel; at the same time, in location A the FTP data size is 1394 and the corresponding frame size is 1460, and this does not pass through the tunnel. This is strange.
The tunnel terminates on the router.
09-22-2009 04:34 AM
That is not how I read the packet captures; everything is not OK with the FTP data stream.
I suggest you either:
1) Change the interface MTU
2) Depending on the routing platform use the tcp mss-adjust feature to a lower MSS in the TCP syn/syn ack.
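As an added illustration (not code from the thread or from Cisco), the PMTUD and MSS-clamp arithmetic behind that suggestion, applied to the frame sizes and the 1476-byte tunnel MTU quoted above. It assumes a 14-byte Ethernet header and 20-byte IPv4 and TCP headers with no options; the ESP overhead parameter is a placeholder, since the thread does not state the transform set.

```python
# Added example: PMTUD / MSS-clamp arithmetic for a DF-marked TCP flow that
# must cross a tunnel with a smaller MTU. Header sizes are assumptions.
ETH_HDR = 14
IPV4_HDR = 20
TCP_HDR = 20


def ip_len_from_frame(frame_len: int) -> int:
    """IP total length carried by an Ethernet frame of the captured size."""
    return frame_len - ETH_HDR


def max_tcp_payload(path_mtu: int) -> int:
    """Largest TCP payload that fits one IP packet of the given MTU.
    This is the MSS an adjust-mss style clamp should advertise."""
    return path_mtu - IPV4_HDR - TCP_HDR


def pmtud_decision(ip_total_len: int, df: bool, link_mtu: int) -> str:
    """What a router does with a packet that must leave via link_mtu.

    Returns 'forward', 'fragment' or 'icmp-frag-needed' (ICMP type 3,
    code 4). That ICMP is what the capture shows, and a host firewall
    must let it back in for PMTUD to work at all.
    """
    if ip_total_len <= link_mtu:
        return "forward"
    if df:
        return "icmp-frag-needed"
    return "fragment"


def classify_captured_frames(frame_sizes, tunnel_mtu: int,
                             esp_overhead: int = 0, df: bool = True):
    """Map each captured frame size to the router's expected action.

    esp_overhead is an assumed per-packet IPsec cost (ESP header, IV,
    padding, ICV); it depends on the transform set and is not given in
    the thread, so it defaults to 0.
    """
    budget = tunnel_mtu - esp_overhead
    return {f: pmtud_decision(ip_len_from_frame(f), df, budget)
            for f in frame_sizes}


if __name__ == "__main__":
    TUNNEL_MTU = 1476                                   # quoted in the thread
    print("MSS to clamp to:", max_tcp_payload(TUNNEL_MTU))
    for frame, action in classify_captured_frames([1514, 1460], TUNNEL_MTU).items():
        print(f"frame {frame} -> IP length {ip_len_from_frame(frame)}: {action}")
```

With no ESP overhead counted, the 1514-byte frame exceeds the 1476 budget while the 1460-byte frame fits, which is the puzzle the thread describes; with an assumed ESP cost such as 58 bytes the budget drops to 1418 and both frames trigger fragmentation needed.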