07-31-2014 08:21 PM
Hi guys, here's my issue:
2 different servers at the remote site. Both different applications running on them. (web/rdp + others)
Cisco router doing an IPsec p2p tunnel
Then here at the local side, if my MTU is set lower than 1300 I can connect to both remote hosts via https and rdp.
If my MTU is set to 1500, I cannot connect to either host via any application. I can still ping the hosts and I can still telnet on the open ports.
Not sure if it's related to the VPN; I have the Wireshark captures if it helps. A PC on the remote side can connect fine at any MTU size.
08-01-2014 05:22 AM
Hi Ryan,
If the transit path is doing fragmentation, then you would surely need to make sure you are using the optimum MTU to pass the traffic across VPN properly.
You can follow this document to find out the optimum MTU which will allow stable communication across VPN tunnel.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
08-01-2014 05:33 AM
Hi Ryan,
Default MTU value set on ASA is 1500.... it can allow the maximum of 1500 bytes per unit...
So it is advised to keep the lesser MTU on the transmission segments..... but here we need to check the devices in that path... it shouldn't change the MTU value in between.....
I do see at one capture MTU value from the server is with 1312, where you set 1300...
I do see at another capture with a maximum value of app data with 1286 bytes...
I believe the intermediate device is modifying the packet length and there it is getting dropped....
Regards
Karthik
08-03-2014 04:51 PM
Do you know an explanation for this? I see it to most of my devices.
From my PC, with an MTU set to 1500, I can ping my default gateway with a max size of 1400 (with DF set).
From the default gateway pinging back to the PC, I can ping with a size of 1500 with DF set.
I am seeing this behaviour everywhere; it seems the direction of the ping, even on the same path, makes a big difference.
08-03-2014 03:25 PM
Hi, I think the file host has died, so here are new links with captures:
http://kdn.co.nz/ftpaccess/mtuof1500.pcapng
http://kdn.co.nz/ftpaccess/mtuof1300.pcapng
I have done some MTU tracing, all interfaces are running at 1500. However, I do get some strange results with DF pings getting dropped well below 1300 at certain points. What could be the cause of this? I don't understand how a smaller MTU would work where a larger one fails. What sort of device might muck around with packet sizes?
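The DF-ping tracing described in the posts above can be automated with a binary search over the ICMP payload size. This is an added example, not part of any poster's message; it assumes Linux iputils `ping` (where `-M do` sets the DF bit), and the function names are hypothetical.

```python
import subprocess
import sys

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options

def ping_df(host, payload, timeout=1):
    """Send one echo request with DF set; True if a reply came back."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout),
           "-s", str(payload), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return done.returncode == 0

def largest_df_payload(probe, lo=0, hi=1472):
    """Largest payload in [lo, hi] for which probe(payload) succeeds.

    Assumes every size up to the limit passes and every size above it
    fails. Returns None when even `lo` bytes get no reply (host down or
    ICMP filtered), so "no answer" is not mistaken for a tiny MTU.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2   # round up so the loop always shrinks
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def path_mtu(payload):
    """IP packet size that corresponds to an ICMP payload size."""
    return payload + IP_HDR + ICMP_HDR

def tcp_mss(mtu):
    """Largest TCP segment that fits in `mtu` without fragmentation."""
    return mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    host = sys.argv[1]
    best = largest_df_payload(lambda n: ping_df(host, n))
    if best is None:
        print("no reply even at the smallest size")
    else:
        mtu = path_mtu(best)
        print(f"payload {best} -> path MTU {mtu}, TCP MSS {tcp_mss(mtu)}")
```

Run it once from each end of the path, since the thread reports different results per direction, and note that ping tools differ on whether the size argument counts the payload or the whole IP packet.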