MTU problem with IPsec tunnel

Hi all,

I have three tunnel interfaces, one main and two backup. I have configured MTU and MSS on all tunnel interfaces (Cisco 3825):

ip mtu 1400
ip tcp adjust-mss 1340

When the 1st tunnel interface is up I have an internet connection, but when I shut down the 1st interface it shows this message and I lose internet:

*Jul 17 08:59:03.270: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1380, mtu=1342

When I shut down the 2nd interface, it also shows that message and there is no internet connection.

What to do?

Thanks


Hi,

Well, to get to the bottom of the issue, we would need the show-tech of the device. If not the complete one, then just the show-version and the details of show interface and the VPN-relevant configuration.

Possibly you can try the following and check if the issue gets resolved.

Configure "crypto ipsec df-bit clear" and re-configure "tunnel path-mtu-discovery".

Also, configure "ip mtu 1400" under the tunnel interfaces:

int tun X
ip mtu 1400

crypto ipsec df-bit [clear | set | copy]

Example:
Router(config)# crypto ipsec df-bit set

Sets the DF bit for the encapsulating header in tunnel mode for all interfaces.

*   The clear keyword clears the DF bit in the outer IP header, and the router may fragment the packet to add the IP Security (IPSec) encapsulation.
*   The set keyword sets the DF bit in the outer IP header; however, the router may fragment the packet if the original packet had the DF bit cleared.
*   The copy keyword has the router look in the original packet for the outer DF bit setting. The copy keyword is the default setting.


Regards,
Abhishek Purohit
CCIE-S- 35269

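The reply's recommendations combined into one configuration, as an added example that is not part of the original thread. It assumes the three tunnels are Tunnel0 (main), Tunnel1 and Tunnel2 (backups); the interface numbers and the transform-set name are placeholders. Lines starting with "!" are comments.

```cisco
! Global: clear the DF bit on the outer (ESP) header, so the router may
! fragment the encapsulated packet instead of dropping it when the
! post-encryption size (ip->tl=1380 in the log) exceeds the path MTU (1342).
crypto ipsec df-bit clear
!
! PLACEHOLDER transform set name; use the one already defined on the router.
crypto ipsec transform-set TS-PLACEHOLDER esp-aes esp-sha-hmac
 mode tunnel
!
! Apply the same settings to the main tunnel and both backups, so the MTU
! behaviour does not change when traffic fails over from Tunnel0.
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1340
 tunnel path-mtu-discovery
!
interface Tunnel1
 ip mtu 1400
 ip tcp adjust-mss 1340
 tunnel path-mtu-discovery
!
interface Tunnel2
 ip mtu 1400
 ip tcp adjust-mss 1340
 tunnel path-mtu-discovery
!
! Verify: the tunnel MTU should read 1400 and the crypto df-bit policy "clear".
! show interface tunnel0 | include MTU
! show crypto ipsec df-bit
```

Keep the tunnel "ip mtu" value 40 or more bytes above the "ip tcp adjust-mss" value, as in the poster's configuration, so TCP segments fit inside the tunnel MTU before IPsec overhead is added.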