ASA adjust mss for dsl

davidbuit · ‎02-12-2007

I have a site to site VPN over a DSL. My DSL line terminates on an 877 router on the one end and a pix 506 on the other end. I have a site-to-site VPN from an ASA on the other side of the 877 and the 506. I have having problems running certain application across this VPN and I believe it is related to the MTU permitted over DSL. I know on the 877 you can use the ip tcp adjust mss to change the MTU to the required size, but I have done this and it doesn't appear to have helped. Is it possible to adjust the MTU on the ASA or on the site-to-site VPN config to get this to work?

Thanks for your assistance

lgijssel · ‎02-13-2007

The security appliance supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the security appliance cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host has to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.

The default MTU is 1500 bytes in a block for Ethernet interfaces (which is also the maximum). This value is sufficient for most applications, but you can pick a lower number if network conditions require it.

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f573.html#wp1771252

Regards,

Leo