Re: MTU problems with Cisco IPsec and NAT traversal

jurrien · ‎09-07-2003

Hi,

At the moment I'm having trouble with MTU using NAT traversal and LAN-to-LAN VPN tunnel. For example it isn't possible to send out ICMP packets with a size between 1450 to 1500 bytes. This will run Lotus Notes and Windows 2000 active directory replication into problems.

Resetting the DF bit helps in some occasions but not in all. Rerouting the traffic accross a loopback interface with a smaller MTU doesn't help either. I've tried several IOS releases but in vain.

The equipment I'm using are: Cisco VPN3030 concentrator and Cisco 1721 routers.

Anyone has any idea?

Thanks in advance!

Jurrien

lucifuge · ‎09-07-2003

Have you got (or tried) a ip tcp adjust-mss 1452 or ip adjust-mss 1452?

Play with the size, and I don't remember which version of that command is correct for a 1721. Also, are you running 12.3? I had some serious PMTUD issues with site-to-site GRE over IPSec, and simply rolled back to 12.2 as I didn't have the time to properly troubleshoot.

jurrien · ‎09-11-2003

According to the website http://www.dslreports.com/tweaks the connection had a low send and receive MTU. After upgrading the ADSL modem/router the MTU got higher.

I've added ip tcp adjust-mss 1300 to the LAN internal ethernet card and ip mtu 1300 to the external ethernet card connected to the ADSL modem/router. The DF bit will not be cleared anymore.

Now the problem seems to be disappeared: after almost 24 hours I have no stalled connections to external Lotus Notes servers anymore.

The 1721 is running IOS version 12.2-15T.

Thanks,

Jurrien

ashleyw · ‎12-12-2003

Global config mode

crypto ipsec df-bit clear

should do the trick, if it's the same problem I had yesterday.

jurrien · ‎12-15-2003

Thanks, last week I've tried this command too and it worked. You can see with "show ip traffic" that the numbers of "couldn't fragment" packets is not increasing anymore.