503 Views | 0 Helpful | 2 Replies

Changing the serial MTU with IPSec not working

jrogalski (Level 1)

Hello,

I was looking to up the MTU set on the serial interfaces of our routers. The current setup (to one location) is as follows and works OK (except that large data transfers take a long time, which may be because of a small serial MTU):

crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto ipsec transform-set transform1 ah-md5-hmac esp-des
!
crypto map ipsec-map 2 ipsec-isakmp
 set peer 111.111.111.111
 set security-association lifetime seconds 86400
 set transform-set transform1
 match address 111
!
access-list 111 permit ip any 10.11.129.0 0.0.0.255
!
interface Serial0/0
 mtu 516
 bandwidth 1544
 ip address 222.222.222.222 255.255.255.252
 ip access-group 190 in
 crypto map ipsec-map
!
ip route 10.11.129.0 255.255.255.0 111.111.111.111
ip route 111.111.111.111 255.255.255.252 Serial0/0

Now, if I remove the mtu 516 from the serial interface and it goes to the default of 1500, all heck breaks loose. I could ping back and forth with a packet size of 3500 bytes, but Windows browsing was down and applications would fail. Is 516 some sort of magic number that I may need to consider (a 1500-byte + IPsec packet divided by 3?)? So should I try to set the serial MTU to 1548 (I did see a lot of drops due to encapsulation failure)? I did not have much time to test, since I did this on the production network and had to go back to the old 516 MTU in a hurry.

Any thoughts or suggestions would be appreciated. Thanks...

2 Replies

gmiiller (Level 1)

If you have an IOS that supports it, you can use:

Router(config)#crypto ipsec df-bit clear

If not, add the following policy route-map to the config on your ethernet port:

route-map clear-df permit 10
 set ip df 0
!
! Apply the route-map inbound on the LAN-facing interface and enable
! fast-switched policy routing there (interface name is an assumption).
interface FastEthernet0/0
 ip policy route-map clear-df
 ip route-cache policy

And turn on fast switching for policy routing on that interface. In the absence of match statements in the route-map, the DF clear will apply to all traffic, and in the absence of set commands affecting forwarding, the traffic will then drop through to the standard routing table for forwarding decisions.

Thanks for the reply. To test and make sure that either the crypto df-bit clear command or the route-map is working, can a ping -f -l 3500 [hostname] from a Windows machine work as a test? Is there another method?

Thanks.
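The overhead question in the original post (is 516 a magic number, would an MTU of 1548 do) and the follow-up about testing with ping -f can both be worked through with a small model. The Python below is an added example, not code from this thread or from Cisco. It assumes the transform set in the post (ah-md5-hmac esp-des in tunnel mode, the crypto map default), a simplified view of IOS fragmentation and of crypto ipsec df-bit copy/clear, and the Windows ping semantics of -l (ICMP payload size) and -f (set DF). The ICMP next-hop MTU values it reports are computed by the model, not taken from IOS.

```python
"""Model of IPsec tunnel-mode overhead and the DF bit on a fixed-MTU link.

Added example, not from the original thread. It models the transform set in the
post (ah-md5-hmac esp-des, tunnel mode) and the behaviour of
'crypto ipsec df-bit {copy|clear}'. Packet handling is simplified: real IOS also
has pre-fragmentation and platform-specific ICMP MTU values.
"""
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header: outer header in tunnel mode, inner header of a ping
ICMP_HDR = 8       # ICMP echo header: Windows 'ping -l N' yields a 28 + N byte packet
HOST_MTU = 1500    # Ethernet MTU of the LAN host sending the probe (assumed)
AH_FIXED = 12      # AH: next header, payload length, reserved, SPI, sequence number
ESP_HDR = 8        # ESP: SPI, sequence number
ESP_TRAILER = 2    # ESP: pad length, next header


@dataclass(frozen=True)
class TransformSet:
    name: str
    ah_icv: int     # AH ICV bytes: 12 for ah-md5-hmac/ah-sha-hmac, 0 when AH is absent
    esp_block: int  # cipher block size, also the IV length: 8 for DES/3DES, 16 for AES
    esp_icv: int    # ESP auth ICV bytes: 12 for esp-md5-hmac/esp-sha-hmac, 0 when absent


# The transform set from the post: AH with HMAC-MD5-96, ESP with DES-CBC, no ESP auth.
TRANSFORM1 = TransformSet("ah-md5-hmac esp-des", ah_icv=12, esp_block=8, esp_icv=0)


def ipsec_overhead(inner_len: int, ts: TransformSet) -> int:
    """Bytes added when a cleartext IP packet of inner_len bytes is tunnelled with ts."""
    ah = AH_FIXED + ts.ah_icv if ts.ah_icv else 0
    # ESP pads (payload + trailer) up to a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % ts.esp_block
    return IP_HDR + ah + ESP_HDR + ts.esp_block + pad + ESP_TRAILER + ts.esp_icv


def largest_unfragmented_inner(link_mtu: int, ts: TransformSet) -> int:
    """Largest cleartext packet whose encrypted form still fits the link MTU."""
    n = link_mtu
    while n + ipsec_overhead(n, ts) > link_mtu:
        n -= 1
    return n


def forward(inner_len: int, df: bool, link_mtu: int, ts: TransformSet,
            df_bit: str = "copy") -> str:
    """Fate of one cleartext packet leaving the crypto-map interface.

    df_bit models 'crypto ipsec df-bit': 'copy' (IOS default) copies the inner DF bit
    into the outer header; 'clear' sends the outer header with DF=0 so an oversized
    encrypted packet can be fragmented after encryption and reassembled by the peer.
    """
    if inner_len + ipsec_overhead(inner_len, ts) <= link_mtu:
        return "sent unfragmented"
    if not df:
        return "fragmented before encryption, delivered"
    if df_bit == "clear":
        return "fragmented after encryption, delivered"
    # DF set on the inner packet and copied to the outer header: drop and tell the host.
    # The advertised MTU is this model's value, not necessarily what IOS reports.
    return (f"dropped: ICMP fragmentation needed, next-hop MTU "
            f"{largest_unfragmented_inner(link_mtu, ts)}")


def ping_test(payload: int, f: bool, link_mtu: int, ts: TransformSet,
              df_bit: str = "copy") -> str:
    """Outcome of 'ping -l <payload> [-f]' from a Windows host behind the router."""
    size = IP_HDR + ICMP_HDR + payload
    if size > HOST_MTU:
        if f:
            return "never leaves the host: Packet needs to be fragmented but DF set."
        size = HOST_MTU  # the host fragments; the router sees full-size pieces with DF=0
    return forward(size, f, link_mtu, ts, df_bit)


if __name__ == "__main__":
    print("overhead on a 1500-byte packet  :", ipsec_overhead(1500, TRANSFORM1))
    print("largest inner packet fitting 1500:", largest_unfragmented_inner(1500, TRANSFORM1))
    print("mtu 1500, ping -l 3500          :", ping_test(3500, False, 1500, TRANSFORM1))
    print("mtu 1500, ping -f -l 3500       :", ping_test(3500, True, 1500, TRANSFORM1))
    print("mtu 1500, ping -f -l 1472       :", ping_test(1472, True, 1500, TRANSFORM1))
    print("  same, with df-bit clear       :", ping_test(1472, True, 1500, TRANSFORM1, "clear"))
    print("mtu 516,  ping -f -l 1472       :", ping_test(1472, True, 516, TRANSFORM1))
    print("mtu 516,  ping -f -l 426        :", ping_test(426, True, 516, TRANSFORM1))
    print("mtu 1548, 1500-byte DF packet   :", forward(1500, True, 1548, TRANSFORM1))
    print("mtu 1564, 1500-byte DF packet   :", forward(1500, True, 1564, TRANSFORM1))
```

Under this model a 1500-byte packet grows to 1564 bytes on the wire, so 1548 is not enough headroom and 516 is not a magic number: it simply makes the router advertise a small next-hop MTU, after which hosts send packets whose encrypted form fits (slowly). The ping -l 3500 case works because the host fragments with DF clear; ping -f -l 3500 is rejected by Windows itself before any router sees it, so the meaningful probe for a 1500-byte Ethernet host is ping -f -l 1472, which should fail with the default df-bit copy and succeed once df-bit clear (or the route-map) is in place. Any setup that relies on the dropped/ICMP path also requires that the "fragmentation needed" messages are not filtered on the way back to the host.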