ASA L2L IPsec vs. MTU

Rafal Sobecki
Level 1

Hi fellows,

I did some research on purposefully reducing the MTU on an IPsec-enabled interface but must admit I can't see the benefit.

Here's the situation I have found:

ciscoasa/context1# sh run mtu
mtu outside 1450
mtu inside 1500

ciscoasa/context1# sh ipsec sa peer x.x.x.x | i mtu
path mtu 1450, ipsec overhead 58, media mtu 1500

I suppose the intent for lowering the mtu was to prevent fragmentation due to ipsec overhead but I can't have it confirmed in my tests.
For testing purposes, I have preserved the df-bit for outgoing packets, by setting:

crypto ipsec df-bit copy-df outside

If I send a ping over the tunnel with "df-bit size 1398", it gets through, icmp reply is received ok.

If I send a ping over the tunnel with "df-bit size 1399", it gets dropped, ping fails.

Unlike what I expected, not 1450 but 1398 proved to be the max size allowed through without fragmentation. It seems that the ASA - in addition to the lowered mtu - also takes the ipsec overhead into account to compute the max size. BTW, the resulting ESP (IPv4) packet is 1448 bytes, which indicates that the actual overhead is 50 bytes.

If I send a ping to an Internet host (outside my encryption domain), the result is predictable, with 1450 being the max size.

In both cases, the 50 bytes subtracted from the original mtu (1500) look like a loss to me, not a benefit.

If I revert the mtu outside to 1500, I can send a ping with df-bit size 1446 over the tunnel but 1447 fails.

So what is the magic about reducing the mtu on the outside interface?

And why these discrepancies between the overhead declared (show ipsec sa) and found (MTU - max packet size)? 

Regards,

Rafal

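As an added illustration (not part of the post above, and not Cisco code), the following script models ESP tunnel-mode encapsulation size from RFC 4303 so the pass/fail boundaries reported above (1398/1399 at mtu 1450, 1446/1447 at mtu 1500) can be checked against the arithmetic. It assumes an 8-byte-block cipher such as 3DES-CBC with a 12-byte HMAC ICV, IPv4 tunnel mode, and that the ping "size" is the full inner IPv4 packet length (which is what 1398 becoming a 1448-byte ESP packet implies); the cipher parameters are arguments, so it also generalises to 16-byte-block AES-CBC.

```python
# Added example: model ESP tunnel-mode packet size (RFC 4303) to explain why the
# DF-bit cliff lands below "mtu - fixed overhead" on the ASA in the post above.
# Assumptions: IPv4, tunnel mode, CBC cipher with the given block/IV size, 12-byte
# ICV (HMAC-SHA1-96 / HMAC-MD5-96), no ESN, no NAT-T UDP encapsulation.

OUTER_IP = 20     # new outer IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def esp_packet_size(inner_len, block=8, iv=8, icv=12):
    """Bytes on the wire after encapsulating an inner IPv4 packet of inner_len bytes."""
    # RFC 4303: (payload + padding + trailer) must be a multiple of the cipher block size,
    # so the padding varies from 0 to block-1 bytes depending on the inner length.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv


def max_inner_len(mtu, **cipher):
    """Largest inner packet that still fits in mtu once encapsulated (DF bit honoured)."""
    n = mtu
    while esp_packet_size(n, **cipher) > mtu:
        n -= 1
    return n


def overhead_range(block=8, iv=8, icv=12):
    """(fixed, worst-case) ESP overhead: the fixed part plus up to block-1 bytes of padding."""
    fixed = OUTER_IP + ESP_HDR + iv + ESP_TRAILER + icv
    return fixed, fixed + block - 1


if __name__ == "__main__":
    # The observed values from the post: 1398 passes, 1399 fails at outside mtu 1450.
    for size in (1398, 1399):
        print(f"inner {size} -> ESP {esp_packet_size(size)} bytes")
    for mtu in (1450, 1500):
        print(f"outside mtu {mtu}: max DF-bit inner packet = {max_inner_len(mtu)}")
    print("3DES/SHA1 overhead (fixed, worst-case):", overhead_range())
    print("AES/SHA1 overhead (fixed, worst-case):", overhead_range(block=16, iv=16))
```

The 50-byte figure measured in the post is the fixed part of the overhead; the extra bytes that make 1399 fail are the CBC padding needed to round the ESP payload up to a block boundary, which is why the usable size steps down in 8-byte increments rather than tracking the MTU one byte at a time.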