12-13-2013 12:38 PM - edited 02-21-2020 07:23 PM
I've noticed a Router recently with lots of fragmentation issues, pretty much maxing out the 'ip virtual-reassembly' options. On the interface, which is acting as the local peer, we are clearing the DF bit, and the same on the remote peer end.
Currently the 'ip mtu' on the interface is 1310. Now, if you take an IPSec packet which has a maximum of (52) byte header (I believe this is correct), and a new IP header since it's in tunnel mode, which will be needed for Source/Destination IP local peer to remote peer. I'm trying to figure out why all this fragmentation is happening.
If you use the Cisco VPN Client from a machine on this network, we don't see any issues (of course the Cisco VPN Client automatically sets its MTU), which is probably why this is happening.
It looks like we are receiving LOTS of fragmented packets, and it is filling up the 'ip virtual-reassembly' command so to speak. So this leads me to believe that something is fragmenting packets, I just honestly don't know the best way to go about finding where this is coming from, since Peer to Peer is through the Internet, which obviously I do not have control of.
12-14-2013 03:17 AM
I suggest not to clear the DF-bit, it is needed for end-to-end path mtu discovery.
Also you don't need to set the ip mtu parameter, an ipsec security association (or child sa for IKEv2) will automatically calculate the tunnel mtu and handle ip packets accordingly: fragment packets to the maximum tunnel mtu if DF is cleared or discard the packet and send a "packet too big" icmp to the sending host, allowing it to adjust the path mtu.
Allow icmp on the complete path and don't clear the DF.
Rgds,
MiKa
PS: I just noticed you set the ip mtu on the "interface, which is acting the local peer" - this will reduce the mtu of the tunnel itself, not the "tunnel payload". The tunnel payload is now 1310 minus the tunnel overhead.
12-14-2013 12:21 PM
Typically it's TCP-traffic that is using bigger payloads and needs to be fragmented. One solution to solve that is to use the "ip tcp adjust-mss" command to reduce the MSS to a value that fits into the VPN tunnel.
Sent from Cisco Technical Support iPad App
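To make the "tunnel overhead" and "ip tcp adjust-mss" points concrete, here is an added example (not from anyone in this thread) that estimates ESP tunnel-mode encapsulation size and derives the largest inner packet and TCP MSS that fit a given MTU. The 1310 figure is the 'ip mtu' from the question; the header, IV and ICV sizes are the standard ESP values for the named cipher/auth combinations, and the tunnel MTU is assumed to be the outer-packet limit.

```python
# Added example: ESP tunnel-mode overhead calculator (not Cisco IOS code).
# Assumes IPv4 outer header and standard ESP field sizes.

def esp_tunnel_size(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """On-the-wire length of an inner IP packet after ESP tunnel-mode encapsulation.
    block: cipher block size (16 for AES-CBC, 8 for 3DES)
    iv:    explicit IV length (16 for AES-CBC, 8 for 3DES)
    icv:   integrity check value (12 for HMAC-SHA1-96 / HMAC-MD5-96)
    nat_t: add the 8-byte UDP header used by NAT traversal (UDP/4500)
    """
    # ESP trailer = padding + pad-length (1) + next-header (1); the encrypted
    # region (inner packet + trailer) is padded up to a multiple of the block size.
    trailer_min = 2
    pad = (-(inner_len + trailer_min)) % block
    encrypted = inner_len + pad + trailer_min
    outer_ip = 20          # new outer IPv4 header added by tunnel mode
    esp_hdr = 8            # SPI (4) + sequence number (4)
    udp = 8 if nat_t else 0
    return outer_ip + udp + esp_hdr + iv + encrypted + icv

def max_inner_packet(tunnel_mtu, **kw):
    """Largest inner IP packet whose encapsulated form still fits tunnel_mtu."""
    size = tunnel_mtu
    while size > 0 and esp_tunnel_size(size, **kw) > tunnel_mtu:
        size -= 1
    return size

def tcp_mss_for(tunnel_mtu, **kw):
    """Candidate 'ip tcp adjust-mss' value: max inner packet minus IPv4 (20) + TCP (20)."""
    return max_inner_packet(tunnel_mtu, **kw) - 40

def will_fragment(inner_len, tunnel_mtu, **kw):
    """True when the encapsulated packet exceeds the MTU (fragmented, or dropped if DF is set)."""
    return esp_tunnel_size(inner_len, **kw) > tunnel_mtu

if __name__ == "__main__":
    mtu = 1310  # the 'ip mtu' from the thread
    profiles = (("AES-CBC/SHA1", {}),
                ("AES-CBC/SHA1 NAT-T", {"nat_t": True}),
                ("3DES/MD5", {"block": 8, "iv": 8}))
    for name, kw in profiles:
        print(f"{name:20s} max inner packet {max_inner_packet(mtu, **kw)} "
              f"-> ip tcp adjust-mss {tcp_mss_for(mtu, **kw)}")
    # A full 1500-byte packet from a LAN host cannot fit inside the 1310 limit:
    print("1500-byte inner packet fragments:", will_fragment(1500, mtu))
```

With DF cleared on both peers, every inner packet above the computed maximum shows up as fragments at the far end, which matches the reassembly load described in the question; clamping the MSS keeps TCP segments under that size before encryption.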
12-15-2013 10:31 AM
So what I'm getting out of this is....
1) I don't need to manually set the 'ip mtu' parameter, the IPSec will automatically calculate the tunnel mtu and handle ip packets accordingly (IKEv1).
1.1) Fragment packets to the maximum 'tunnel mtu' if DF is cleared
1.2) Or discard the packet and send an ICMP "Packet too big" to the sending host, which will allow that tunnel to adjust the path mtu.