Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1312
Views
0
Helpful
5
Replies

IPSEC and the DF bit

steve.miller
Level 1
Level 1

‎07-26-2001 06:09 PM - edited ‎02-21-2020 11:23 AM

I have http and https running through an ipsec tunnel. http works fine but https does not. our servers always turn the don't frag bit on, we have Solaris running Iplanet and NT with IIS. I ran a trace and when the https packets reach 1453 bytes and the ipsec headers are added the router throws the packets away because they exceed the mtu on the serial interface which has a frame circuit. Can I just increase the mtu size on the serial interface to fix or should I upgrade to 12.2 and use the command to change the df bit?

Labels:
0 Helpful
5 Replies 5

rbharania
Level 1
Level 1

‎07-28-2001 12:08 AM

I would suggest upgrading the IOS - it doesn't say in your message where in the network fragmentation is taking place... channging the MTU on both

ends of one serial link may not change matters if

the fragmentation is taking place elsewhere...

-Rakesh

0 Helpful

surendranv
Level 1
Level 1

‎07-28-2001 10:04 AM

Actually, when the router drops a packet beacause of DF being set. A ICMP packet is ent by the router to the source. Hearing this ICMP the source will reduce the size of the packet being sent out. It might be a access-list or firewall is blocking this. Allowing this ICMP packets might help.

0 Helpful

bsharma
Level 1
Level 1

‎10-03-2001 06:34 PM

I fixed similar problem by running GRE with IPsec and using the command "ip mtu 1500" under the tunnel interface. Setup like this causes fragmentation to occur at the interface regardless of the DF bit set in your orginal IP packet.

Thx

0 Helpful

eerand
Level 1
Level 1
In response to bsharma

‎11-19-2001 12:50 AM

It seems i have the same proplem.

Do you know what should be the problem?

I mean upgrading the IOS or changing the MTU size?

0 Helpful

sbirn
Level 1
Level 1
In response to eerand

‎11-23-2001 01:31 PM

There are various ways you can solve it.

You can use policy routing (route-maps) to manually set the DF bit to 0. You can use the command "ip tcp adjust-mss 1476" on the LAN interface close to your clients - whenever Cisco releases 12.2(4)T which is supposed to contain it.

Someone has mentioned that when a packet hits the tunnel, an ICMP message gets sent back to the sending host. This is correct, but a lot of networks block ICMP messages at the firewall. This could prevent the communicating hosts from ever knowing there's a problem.

I've also heard from another source that the "ip mtu" command on the tunnel interface causes the physical interface to fragment the encapsulated packet. This seems to violate the RFC I read which states that DF bits are to be propagated up to encapsulating packets. But if it works...

So choose your weapon.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents