602101: PMTU-D packet 1420 bytes greater than effective mtu 1396,

pmet
Level 1

I have established a VPN from a PIX to a router, and everything is working fine between the two sites except some DNS communications.

When a DNS server (behind the router VPN) is trying to communicate with a DNS server (behind the PIX VPN) it is not working (transferring zones etc.), and from the PIX I get the following message:

602101: PMTU-D packet 1420 bytes greater than effective mtu 1396, dest_addr=xxx.xxx.xxx.xxx, src_addr=zzz.zzz.zzz.zzz, prot=tcp

Where the xxx address is the DNS server behind the router and zzz the DNS server address behind the PIX. The VPN tunnel is working because I can see other hosts from one site to the other.

Any ideas? Has anyone else seen this message?

Thanks in advance

Makis

3 Replies

Richard Burts
Hall of Fame

I am slightly surprised that you are experiencing this problem only on DNS transfers. I would expect any TCP based application which uses large frame sizes would be impacted.

Path MTU Discovery (PMTU-D) is used by most IP stacks for TCP based applications to discover the optimum frame size for a TCP connection. Each end station sends a SYN packet at what it considers the optimum size and sets the Don't Fragment bit in the IP header. If the frame is too large for some segment along the path, the frame will be discarded and an ICMP message is generated to notify the end station to use smaller packets. This works well if the end station receives the ICMP error message. But lots of networks are denying the ICMP error message. And if the ICMP does not get through then the end station continues to use packets that are too large. This is particularly an issue in networks that use IPSec because IPSec adds extra headers and the resulting packet is larger than what the original packet was.

I believe that your PIX is saying that the effective length of packets that will work is 1396 but that it has received a packet of length 1420.

I have implemented VPNs at customer sites where this was an issue. There are several potential solutions. The one that I would suggest to you is a configuration option for the router. On its interfaces use this interface command: ip tcp adjust-mss

HTH

Rick


ehirsel
Level 6

On the pix, run a show interface command and see if any interface has an mtu less than 1500. If that doesn't give you the answer, run a show config and somewhere in the output you will see the interfaces along with their mtu.

Let me know what you find.

pmet
Level 1

Finally the problem was solved by changing the ip tcp adjust-mss on the Ethernet and dialer interfaces of the router.

I found troubleshooting information on PMTU with an IPsec tunnel and, most importantly, with a PPPoE DSL connection.

Anyway, thanks for your answers.

Makis
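As an added illustration of Rick's explanation and of the fix Makis confirmed (this is example code written for this page, not anything posted in the thread): it parses PIX message 602101 lines, groups the drops per flow, and derives the largest TCP MSS that fits the smallest effective MTU reported. The log lines and addresses are constructed samples; the assumption that the reported effective MTU applies to the whole tunnel path is the same one Rick makes.

```python
import re
from dataclasses import dataclass

# Constructed sample of PIX syslog 602101 lines (placeholder addresses, not from the thread).
SAMPLE_LOG = """\
602101: PMTU-D packet 1420 bytes greater than effective mtu 1396, dest_addr=192.0.2.10, src_addr=198.51.100.20, prot=tcp
602101: PMTU-D packet 1500 bytes greater than effective mtu 1396, dest_addr=192.0.2.10, src_addr=198.51.100.20, prot=tcp
602101: PMTU-D packet 1450 bytes greater than effective mtu 1396, dest_addr=192.0.2.11, src_addr=198.51.100.20, prot=udp
"""

PMTUD_RE = re.compile(
    r"602101: PMTU-D packet (?P<pkt>\d+) bytes greater than effective mtu (?P<mtu>\d+), "
    r"dest_addr=(?P<dst>[^,\s]+), src_addr=(?P<src>[^,\s]+), prot=(?P<prot>\w+)"
)

IP_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20  # TCP header without options

@dataclass
class PmtuEvent:
    packet_bytes: int
    effective_mtu: int
    dst: str
    src: str
    prot: str

def parse_602101(text):
    """Return one PmtuEvent per 602101 line; any other line is ignored."""
    events = []
    for line in text.splitlines():
        m = PMTUD_RE.search(line)
        if m:
            events.append(PmtuEvent(int(m["pkt"]), int(m["mtu"]), m["dst"], m["src"], m["prot"]))
    return events

def summarize(events):
    """Per (src, dst, prot) flow: number of refused packets and the largest size refused."""
    summary = {}
    for e in events:
        count, biggest = summary.get((e.src, e.dst, e.prot), (0, 0))
        summary[(e.src, e.dst, e.prot)] = (count + 1, max(biggest, e.packet_bytes))
    return summary

def suggested_mss(events):
    """Largest TCP payload that fits the smallest effective MTU seen, or None if no TCP drops.
    Only TCP flows count: an MSS clamp never helps UDP, which relies on the ICMP path instead."""
    mtus = [e.effective_mtu for e in events if e.prot == "tcp"]
    return min(mtus) - IP_HEADER - TCP_HEADER if mtus else None

if __name__ == "__main__":
    evs = parse_602101(SAMPLE_LOG)
    for flow, (n, biggest) in summarize(evs).items():
        print(f"{flow}: {n} drops, largest packet {biggest} bytes")
    if suggested_mss(evs):
        print(f"ip tcp adjust-mss {suggested_mss(evs)}")  # candidate router interface command
```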