PIX to PIX VPN Tunnel Debug Error Messages.

Hi ,

I created an IPsec tunnel between pix-1 and pix-2, and sometimes I receive these messages:

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1500, eff_mtu = 1444

It seems the effective MTU is 56 bytes less than the set MTU. I get this debug on packets between 1444 and 1500, so I set the MTU at 1556, but it doesn't seem to help things.

Any information would be appreciated.

Best regards,

Armand


mostiguy
Level 6

The MTU of ethernet is 1500, so setting it higher isn't going to work. Try lowering the MTU of the inside interface to 1400. That should allow all internal systems to use path mtu discovery to adjust to that value, and then they shouldn't send packets that are too big. This is really just a workaround. This link explains the issues in more detail. Do you allow ICMP to reach the firewall? It might be a path MTU discovery issue.

http://alive.znep.com/~marcs/mtu/

The reason you infrequently see the messages is that they likely only occur when client machines send packets that have the Don't Fragment (DF) bit set.
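As an added illustration (not code from this thread or from Cisco), the following Python models the two points made in the reply above: ESP tunnel-mode encapsulation uses up part of the link MTU, and an oversized packet with DF set is dropped with an ICMP Fragmentation Needed message that only helps the sender if that ICMP is allowed to reach it. Header sizes assume a 3DES-style 8-byte cipher block and a 96-bit ICV; the figures are constructed and do not reproduce the PIX's exact eff_mtu arithmetic.

```python
# Constructed model of ESP tunnel-mode overhead and PMTUD behaviour.
# Sizes assume IPv4, an 8-byte block cipher with an 8-byte IV, and a
# 96-bit HMAC ICV; a real gateway's eff_mtu figure may differ slightly.
OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
ICV_LEN = 12        # HMAC-MD5-96 / HMAC-SHA1-96

def esp_tunnel_overhead(inner_len, block_size=8, iv_len=8):
    """Bytes ESP adds to an inner packet of inner_len bytes."""
    to_encrypt = inner_len + ESP_TRAILER
    pad = (-to_encrypt) % block_size          # align to cipher block
    return OUTER_IP_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + ICV_LEN

def effective_mtu(link_mtu=1500, block_size=8, iv_len=8):
    """Largest inner packet that still fits link_mtu after encapsulation."""
    n = link_mtu
    while n + esp_tunnel_overhead(n, block_size, iv_len) > link_mtu:
        n -= 1
    return n

def handle_packet(pkt_len, df_set, link_mtu=1500):
    """What the encrypting gateway does with one inner packet.

    Returns (action, next_hop_mtu_hint)."""
    eff = effective_mtu(link_mtu)
    if pkt_len <= eff:
        return ("forward", None)
    if df_set:
        # DF set: cannot fragment, so drop and report the usable MTU
        # via ICMP Fragmentation Needed (RFC 1191 path MTU discovery).
        return ("drop_icmp_frag_needed", eff)
    return ("fragment", eff)

def pmtud_sender(initial_mtu, icmp_allowed, link_mtu=1500, max_rounds=5):
    """A host sending with DF set. Returns the MTU it settles on, or
    None when the ICMP feedback is filtered (PMTU black hole)."""
    mtu = initial_mtu
    for _ in range(max_rounds):
        action, hint = handle_packet(mtu, df_set=True, link_mtu=link_mtu)
        if action == "forward":
            return mtu
        if not icmp_allowed:
            return None       # sender never learns why its packets vanish
        mtu = hint            # shrink to the advertised next-hop MTU
    return mtu

if __name__ == "__main__":
    print("effective MTU:", effective_mtu())            # 1446 in this model
    print("1500/DF:", handle_packet(1500, True))
    print("1400/DF (workaround):", handle_packet(1400, True))
    print("PMTUD, ICMP blocked:", pmtud_sender(1500, False))
```

Lowering the inside interface MTU to 1400, as suggested, makes hosts start below the effective value, so PMTUD never has to rely on an ICMP message that a filter may drop.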