Dear all
I have a problem with a customer who is not able to send traffic through his VPN tunnels when a link with reduced MTU is involved.
Normally everything works fine when the connection
LAN<--->PIX<--->R1<--->Internet
with MTU 1500 on all links is used.
But in case of failure of this connection we use another way automatically:
LAN<--->PIX<--->R2<--(mtu 1460)-->Internet
And in this case, the VPN tunnels come up, but the applications are facing problems of course.
The PIX 506 is version Ver 6.3(5) and handles static site-to-site VPN sessions to different kinds of VPN equipment.
My questions:
1. Is it possible to solve this problem entirely with proper configuration of the PIX alone?
2. If so, how exactly is one supposed to configure the PIX?
3. If not, what exactly is best practice to deal with this and make the tunnels work?
My customer already knows, e.g.,
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
and tried a lot of things including the reduction of the MTU of the computer in the LAN itself.
Any hint is really appreciated.
Regards,
Grischa