
In LAN-to-LAN VPN tunnel on router, packets exceeding the 1500-byte maximum transmission unit (MTU) are dropped




This document describes an issue faced by a user.


What is MTU?


The MTU is the maximum size of a single data packet that a link can carry, measured in bytes. The MTU for Ethernet is 1500 bytes. Some networks have larger MTUs and some have smaller ones, but every physical technology has a fixed MTU value.


The MTU values of some common technologies are listed below:


      Network                 MTU (bytes)

      16 Mbps Token Ring            17914
      4 Mbps Token Ring              4464
      FDDI                           4352
      Ethernet                       1500
      IEEE 802.3/802.2               1492


Core issue


Packets arrive with the DF (Don't Fragment) bit set. When they are encrypted, the IPsec encapsulation adds overhead, so the resulting packets exceed the 1500-byte MTU of the outbound interface. Because the DF bit forbids fragmentation, the router drops them instead of splitting them.



1.   If you are running Cisco IOS Software Release 12.2(2)T or later, you can enter the crypto ipsec df-bit clear command.


2.   If you are not able to enter the above command, add the following commands instead. The access list matches all traffic, the route map clears the DF bit on matched packets, and the route map is applied as a policy on the inside interface so the DF bit is cleared before encryption:


      access-list 190 permit ip any any


      route-map cleardf permit 10

        match ip address 190

        set ip df 0


      interface inside_interface_name

         ip policy route-map cleardf