Large Retransmission rate for FTP over IPSec VPN

shackma39
Level 1

I have a VPN running between 2 PIX-515e's across a 10Mb link. The performance of FTP is very ordinary and from a sniffer trace I can see a large amount of retransmissions. I am also getting the following syslog messages:

%PIX-6-602101 PMTU-D packet 1500 bytes greater than effective mtu 1444, dest_addr=10.0.202.170, src_addr=10.0.212.170, prot=icmp

I have altered the MTU settings on both hosts to 1400 in an attempt to stop this occurring but it hasn't. The hosts are running AIX.

On the PIX firewalls the output of show ipsec sa shows effective MTU at 1444 (1500 - 56 IPSec overhead).

...

...

local crypto endpt........

path mtu 1500, ipsec overhead 56, media mtu 1500

....

....

The sniffer shows that the DF bit is always set in the FTP packets.

Is it a fair assumption to say that the retransmissions are occurring because packets larger than the effective MTU are being dropped and hence retransmitted?

If this is the case any ideas how to fix it?

1 Reply

bhose
Level 1

Hi Mark,

Just a thought but I believe PMTU discovery is reliant on devices on the path sending back ICMP can't fragment messages to the sending host. If they are being sent and the pix is dropping them then this could be the issue.

Regards Brett
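To make the two points in this thread concrete (the question's 602101 syslog messages and effective MTU arithmetic, and the reply's point that PMTU discovery only works if the ICMP "fragmentation needed" messages reach the sending host), here is an added Python example. It is not code from either poster or from Cisco; it parses the PIX message format quoted in the question, derives the effective MTU and the largest TCP MSS that fits inside it (assuming plain 20-byte IPv4 and TCP headers, which is an assumption, not something the thread states), and models the two PMTUD outcomes the reply describes. The log line embedded in it is constructed from the one in the post, and the simulation is a deliberately simplified model of a host that sets DF on every packet.

```python
"""Added example: parse PIX PMTU-D syslog lines and model PMTUD outcomes.

Not code from the original thread; the sample log line is constructed
from the message quoted in the question.
"""
import re
from dataclasses import dataclass

# Message format as it appears in the PIX syslog line quoted in the question.
PMTUD_RE = re.compile(
    r"%PIX-6-602101 PMTU-D packet (?P<pkt>\d+) bytes greater than "
    r"effective mtu (?P<mtu>\d+), dest_addr=(?P<dst>[\d.]+), "
    r"src_addr=(?P<src>[\d.]+), prot=(?P<prot>\w+)"
)

# Assumed header sizes (no IP or TCP options); not stated in the thread.
IPV4_HEADER = 20
TCP_HEADER = 20

# Constructed sample input, copied from the format shown in the question.
SAMPLE_LOG = [
    "%PIX-6-602101 PMTU-D packet 1500 bytes greater than effective mtu 1444, "
    "dest_addr=10.0.202.170, src_addr=10.0.212.170, prot=icmp",
    "some unrelated syslog line that should be ignored",
]


@dataclass
class PmtudEvent:
    packet_size: int
    effective_mtu: int
    src: str
    dst: str
    proto: str


def parse_pmtud_line(line):
    """Return a PmtudEvent for a 602101 line, or None for anything else."""
    m = PMTUD_RE.search(line)
    if not m:
        return None
    return PmtudEvent(int(m["pkt"]), int(m["mtu"]), m["src"], m["dst"], m["prot"])


def effective_mtu(path_mtu, ipsec_overhead):
    """Effective MTU inside the tunnel: path MTU minus the IPsec overhead
    (the thread's figures: 1500 - 56 = 1444)."""
    return path_mtu - ipsec_overhead


def max_tcp_mss(eff_mtu):
    """Largest TCP payload that fits in one packet at the effective MTU,
    assuming option-free IPv4 and TCP headers."""
    return eff_mtu - IPV4_HEADER - TCP_HEADER


def oversized_senders(lines):
    """Count 602101 events per source host and record the smallest
    effective MTU reported for it: {src: (count, min_effective_mtu)}."""
    summary = {}
    for line in lines:
        ev = parse_pmtud_line(line)
        if ev is None:
            continue
        count, low = summary.get(ev.src, (0, ev.effective_mtu))
        summary[ev.src] = (count + 1, min(low, ev.effective_mtu))
    return summary


def simulate_pmtud(host_mtu, path_mtu, icmp_delivered, attempts=4):
    """Simplified model of a DF-setting host sending across a path with a
    smaller MTU. If the ICMP 'fragmentation needed' message reaches the
    host it lowers its MTU and the retry succeeds; if the message is
    dropped, the host keeps retransmitting at the same size (PMTUD black
    hole). Returns (delivered, retransmissions, final_host_mtu)."""
    mtu = host_mtu
    retransmissions = 0
    for _ in range(attempts):
        if mtu <= path_mtu:
            return True, retransmissions, mtu
        # Packet exceeds the path MTU with DF set: the tunnel endpoint drops it.
        if icmp_delivered:
            mtu = path_mtu  # host learns the path MTU from the ICMP message
        retransmissions += 1
    return False, retransmissions, mtu


if __name__ == "__main__":
    print(oversized_senders(SAMPLE_LOG))
    print("effective MTU:", effective_mtu(1500, 56), "max MSS:", max_tcp_mss(1444))
    print("ICMP delivered:", simulate_pmtud(1500, 1444, icmp_delivered=True))
    print("ICMP dropped:  ", simulate_pmtud(1500, 1444, icmp_delivered=False))
```

Running `oversized_senders` over a PIX syslog export gives a quick list of which hosts keep sending DF-set packets larger than the tunnel can carry, and `simulate_pmtud` shows why that list stays populated when the ICMP messages never reach those hosts: the only thing that changes between the two runs is whether the ICMP feedback is delivered.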