Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1689
Views
0
Helpful
3
Replies

Site to Site VPN MTU Error

MikeTomasko
Level 4
Level 4

‎06-05-2009 06:00 AM - edited ‎03-04-2019 04:59 AM

I was playing around with SDM on my router and tested my VPN tunnel. I got the following error:

Failure Reason(s)

A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.

Recommended Action(s)

1)Contact your ISP/Administrator to resolve this issue.

2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.

The VPN works fine though. I found this on Cisco: http://www.cisco.com/en/US/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml I tried applying it to my ethernet interface that is connected to my cable modem, but I still got the error when testing. Do I need to reboot or do I need to apply to that command to another interface? I tried setting it to 1420 and 1200. Still got the error when testing. Thanks!

Labels:
0 Helpful
3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

‎06-05-2009 09:54 AM

Mike

The article for which you gave the link has several suggestions. You have not specified which of the several suggestions that you used. The suggestion that I find the most useful is to use the ip tcdp adjust-mss command and I will assume that this is what you did. If not clarify what you did and we will start over again.

I find that ip tcp adjust-mss is effective in resolving the fragmentation issue for a lot of traffic going through VPNs. But it is effective only for TCP traffic. Since the error message in the SDM test specifies that it is using ping (not part of TCP) then the SDM test would still see an error even though your VPN is working pretty well. There is no need to reboot. The only other commands that I can think of would be the commands listed in the article to adjust the MTU (and I do not believe that they are worth it).

HTH

Rick

HTH

Rick
0 Helpful

MikeTomasko
Level 4
Level 4
In response to Richard Burts

‎06-05-2009 11:27 AM

ip tcp adjust-mss is the command I tried on several of my interfaces. Still got that 1 send error.

This is all for a test lab and I was just playing with SDM and found the tunnel test. So you think it's nothing worth worrying about trying to fix?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to MikeTomasko

‎06-05-2009 11:31 AM

Mike

If the only symptom is that the SDM test complains, then I do not believce that it is worth trying to fix it. If there are other symptoms then perhaps it might be worth it.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card