07-26-2001 06:09 PM - edited 02-21-2020 11:23 AM
I have HTTP and HTTPS running through an IPsec tunnel. HTTP works fine but HTTPS does not. Our servers always turn the don't-fragment bit on; we have Solaris running Iplanet and NT with IIS. I ran a trace, and when the HTTPS packets reach 1453 bytes and the IPsec headers are added, the router throws the packets away because they exceed the MTU on the serial interface, which has a frame circuit. Can I just increase the MTU size on the serial interface to fix this, or should I upgrade to 12.2 and use the command to change the DF bit?
07-28-2001 12:08 AM
I would suggest upgrading the IOS. It doesn't say in your message where in the network fragmentation is taking place; changing the MTU on both ends of one serial link may not change matters if the fragmentation is taking place elsewhere...
-Rakesh
07-28-2001 10:04 AM
Actually, when the router drops a packet because DF is set, an ICMP packet is sent by the router to the source. Hearing this ICMP, the source will reduce the size of the packets being sent out. It might be that an access-list or firewall is blocking this. Allowing these ICMP packets might help.
10-03-2001 06:34 PM
I fixed a similar problem by running GRE with IPsec and using the command "ip mtu 1500" under the tunnel interface. A setup like this causes fragmentation to occur at the interface regardless of the DF bit set in your original IP packet.
Thx
11-19-2001 12:50 AM
It seems I have the same problem.
Do you know what the solution should be?
I mean, upgrading the IOS or changing the MTU size?
11-23-2001 01:31 PM
There are various ways you can solve it.
You can use policy routing (route-maps) to manually set the DF bit to 0. You can use the command "ip tcp adjust-mss 1476" on the LAN interface close to your clients - whenever Cisco releases 12.2(4)T which is supposed to contain it.
Someone has mentioned that when a packet hits the tunnel, an ICMP message gets sent back to the sending host. This is correct, but a lot of networks block ICMP messages at the firewall. This could prevent the communicating hosts from ever knowing there's a problem.
I've also heard from another source that the "ip mtu" command on the tunnel interface causes the physical interface to fragment the encapsulated packet. This seems to violate the RFC I read which states that DF bits are to be propagated up to encapsulating packets. But if it works...
So choose your weapon.
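The options raised in this thread (clearing DF with a route-map, clamping the TCP MSS on the LAN interface, setting "ip mtu" on a GRE tunnel, and letting the ICMP "packet too big" messages through so Path MTU Discovery can work) side by side as one IOS configuration. This is an added example, not configuration from any poster in the thread: the interface names, addresses, ACL numbers, pre-shared key, MTU and MSS values are all assumptions, and the sizes in particular have to be derived from the actual GRE plus ESP overhead of the tunnel in use rather than copied. The global "crypto ipsec df-bit clear" command shown as a comment is the 12.2(2)T-and-later alternative the original poster asked about.

```text
! Added example (not from the thread): GRE-over-IPsec with the DF/MTU workarounds
! discussed above. Interface names, addresses, ACL numbers, key and sizes are assumed.
!
! --- IPsec/ISAKMP for the GRE tunnel (assumed peer 192.0.2.2) ---
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-PRESHARED-KEY address 192.0.2.2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 103
! Only the GRE traffic between the tunnel endpoints is protected
access-list 103 permit gre host 192.0.2.1 host 192.0.2.2
!
! --- Option D (12.2(2)T and later): clear DF on the outer ESP packet globally ---
! crypto ipsec df-bit clear
!
! --- Option A: policy routing that clears DF on the servers' HTTPS traffic ---
! Constructed match: TCP from any host to port 443 arriving on the LAN side
access-list 101 permit tcp any any eq 443
route-map CLEAR-DF permit 10
 match ip address 101
 set ip df 0
!
interface FastEthernet0/0
 description LAN toward the Solaris and NT web servers (assumed addressing)
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map CLEAR-DF
! --- Option B: clamp the TCP MSS so segments never reach the tunnel limit ---
! Assumed value: it must leave room for the GRE header and the ESP overhead
 ip tcp adjust-mss 1360
!
! --- Option C: GRE tunnel with an explicit ip mtu (assumed value) ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
 crypto map VPN
!
interface Serial0/0
 description Frame circuit to the remote site (assumed addressing)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 102 in
 crypto map VPN
!
! Inbound filter on the serial side: permit the VPN control/data traffic and,
! so that Path MTU Discovery is not silently broken, the ICMP "packet too big"
! (type 3 code 4) messages that tell the sender to shrink its packets.
access-list 102 permit icmp any any packet-too-big
access-list 102 permit udp any host 192.0.2.1 eq isakmp
access-list 102 permit esp any host 192.0.2.1
access-list 102 permit gre any host 192.0.2.1
access-list 102 deny ip any any log
```

Options A, B and C are independent; a site would normally pick one rather than stack all three. Whichever is chosen, the "packet-too-big" permit in access-list 102 is worth keeping: as the third post notes, a firewall that drops those ICMP messages prevents the hosts from ever learning that their DF-set packets are being discarded, and the same rule applies on any firewall between the servers and the tunnel endpoint.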