I have a VPN running between 2 PIX-515e's across a 10Mb link. The performance of FTP is very ordinary and from a sniffer trace I can see a large amount of retransmissions. I am also getting the following syslog messages:
%PIX-6-602101 PMTU-D packet 1500 bytes greater than effective mtu 1444, dest_addr=10.0.202.170, src_addr=10.0.212.170, prot=icmp
I have altered the MTU settings on both hosts to 1400 in an attempt to stop this occurring but it hasn't. The hosts are running AIX.
On the PIX firewalls the output of show ipsec sa shows effective MTU at 1444 (1500 - 56 IPSec overhead).
...
...
local crypto endpt........
path mtu 1500, ipsec overhead 56, media mtu 1500
....
....
The sniffer shows that the DF bit is always set in the FTP packets.
Is it a fair assumption to say that the retransmissions are occurring because packets larger than the effective MTU are being dropped and hence retransmitted?
If this is the case, any ideas how to fix it?
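An added example, not part of the original post, that parses %PIX-6-602101 lines like the one quoted above, reports how far each packet exceeds the effective MTU, and derives the effective MTU and the TCP MSS that would fit inside it from the "path mtu / ipsec overhead" figures. The regex, helper names and the extra sample log lines are my own assumptions; the header sizes assume plain IPv4 and TCP headers without options.

```python
import re

# Matches the PIX 602101 PMTU-D message in the format quoted in the post above.
PMTUD_RE = re.compile(
    r"%PIX-6-602101 PMTU-D packet (?P<packet>\d+) bytes greater than effective mtu "
    r"(?P<mtu>\d+), dest_addr=(?P<dst>[\d.]+), src_addr=(?P<src>[\d.]+), prot=(?P<prot>\w+)"
)
IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP headers without options (assumption)

def effective_mtu(path_mtu, ipsec_overhead):
    # Largest packet that still fits the path once IPsec encapsulation is added.
    return path_mtu - ipsec_overhead

def max_tcp_mss(eff_mtu):
    # MSS that keeps every TCP segment, plus plain IP/TCP headers, within eff_mtu.
    return eff_mtu - IP_HDR - TCP_HDR

def parse_pmtud_event(line):
    # Return the oversized-packet details from one 602101 line, or None for other messages.
    m = PMTUD_RE.search(line)
    if not m:
        return None
    packet, mtu = int(m.group("packet")), int(m.group("mtu"))
    return {
        "packet": packet, "mtu": mtu,
        "excess": packet - mtu,             # bytes over what the tunnel carries unfragmented
        "src": m.group("src"), "dst": m.group("dst"), "prot": m.group("prot"),
        "suggested_mss": max_tcp_mss(mtu),  # MSS clamp that would avoid the drop for TCP
    }

def summarize(lines):
    # Count 602101 events per (src, dst) pair so the hosts sending oversized DF packets stand out.
    counts = {}
    for ev in filter(None, map(parse_pmtud_event, lines)):
        key = (ev["src"], ev["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the line quoted in the post plus two made-up lines.
SAMPLE_LOG = [
    "%PIX-6-602101 PMTU-D packet 1500 bytes greater than effective mtu 1444, "
    "dest_addr=10.0.202.170, src_addr=10.0.212.170, prot=icmp",
    "%PIX-6-602101 PMTU-D packet 1480 bytes greater than effective mtu 1444, "
    "dest_addr=10.0.202.170, src_addr=10.0.212.170, prot=tcp",
    "%PIX-6-999999 constructed unrelated message that must be ignored",
]

if __name__ == "__main__":
    for ev in filter(None, map(parse_pmtud_event, SAMPLE_LOG)):
        print(ev)
    print(summarize(SAMPLE_LOG))  # {('10.0.212.170', '10.0.202.170'): 2}
```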