
Internet connectivity problem

Hi all,

From our branches I can't open some sites (e.g. yahoo.com, microsoft.com, ...), but I can open google.com and others. Branch routers (Cisco 878) have an IPsec site-to-site VPN with Head office, which connects to the internet. From Head office I can open all internet sites.

IPsec Transform Set is

crypto ipsec transform-set XXX esp-aes 256 esp-sha-hmac

interface tunnel X
 ip mtu 1400
 tunnel mode ipsec ipv4

I think that problem is related to current MTU size 1400.

In this document (page 16) I found that the overhead for "esp-aes-(256 or 192 or 128) esp-sha-hmac or md5" is 73, so I changed MTU to 1427 (1500-73), which didn't help.

So what size of MTU to use?

And if it isn't related to MTU size, what to do?

Thanks


Accepted Solution

Jennifer Halim
Cisco Employee

You would need to configure: ip tcp adjust-mss 1340 (on your LAN interface)

So it will negotiate a smaller MSS value, so that when it goes through the tunnel it doesn't go over the 1400/1427 MTU that you have configured.
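The MTU/MSS arithmetic behind this answer, as an added example that is not part of the original thread or Cisco's documentation: it models the ESP tunnel-mode overhead of the poster's transform set (esp-aes 256 esp-sha-hmac) and checks whether a full-sized TCP segment with a given MSS fits both the tunnel's ip mtu and the 1500-byte physical link. The header sizes are the standard ESP, AES-CBC and HMAC-SHA1-96 values and are assumed here; the 73-byte worst case it derives matches the figure the poster found.

```python
# Added example (not from the thread): ESP tunnel-mode size model for
# "esp-aes 256 esp-sha-hmac" and an MSS fit check against ip mtu / link MTU.
IP_HDR = 20        # IPv4 header without options (outer and inner)
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16        # AES-CBC initialisation vector
AES_BLOCK = 16     # encrypted payload is padded up to the cipher block size
ESP_TRAILER = 2    # pad-length + next-header bytes
SHA1_ICV = 12      # esp-sha-hmac integrity check value (HMAC-SHA1-96)


def esp_tunnel_size(inner_packet: int) -> int:
    """Bytes on the wire for an inner IPv4 packet of `inner_packet` bytes
    after ESP tunnel-mode encapsulation with AES-CBC and HMAC-SHA1-96."""
    to_encrypt = inner_packet + ESP_TRAILER
    padded = -(-to_encrypt // AES_BLOCK) * AES_BLOCK   # round up to block
    return IP_HDR + ESP_HDR + AES_IV + padded + SHA1_ICV


def max_esp_overhead() -> int:
    """Worst-case added bytes (15 bytes of padding): 73 for this transform set."""
    return IP_HDR + ESP_HDR + AES_IV + (AES_BLOCK - 1) + ESP_TRAILER + SHA1_ICV


def check_mss(mss: int, tunnel_ip_mtu: int = 1400, link_mtu: int = 1500) -> dict:
    """For a full TCP segment with this MSS, report the inner packet size, the
    encrypted size on the wire, whether the inner packet fits the tunnel's
    ip mtu (a DF-marked packet that does not fit is dropped, and if the ICMP
    "fragmentation needed" reply never reaches the sender the session
    stalls, which is what an MTU black hole to some sites looks like), and
    whether the ESP packet fits the physical link without fragmenting."""
    inner = mss + TCP_HDR + IP_HDR
    wire = esp_tunnel_size(inner)
    return {
        "inner": inner,
        "wire": wire,
        "fits_tunnel": inner <= tunnel_ip_mtu,
        "fits_link": wire <= link_mtu,
    }


if __name__ == "__main__":
    print("worst-case ESP overhead:", max_esp_overhead())
    for mss in (1460, 1360, 1340):   # default Ethernet MSS vs. clamped values
        print(mss, check_mss(mss))
```

With the default MSS of 1460 the inner packet is 1500 bytes, larger than the 1400-byte ip mtu; clamping to 1340 keeps the inner packet at 1380 bytes and the ESP packet at 1448 bytes, inside both limits.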
