05-06-2011 01:38 PM
Recently I've been having issues with our site-to-site VPN: certain connections will hang. I seem to have narrowed the problem down to the packet size:
ben:~$ ping -c 1 -s 1418 spino
PING spino (10.10.10.1) 1418(1446) bytes of data.
1426 bytes from spino (10.10.10.1): icmp_req=1 ttl=61 time=31.1 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.113/31.113/31.113/0.000 ms
ben:~$ ping -c 1 -s 1419 spino
PING spino (10.10.10.1) 1419(1447) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
ben@tuberculosis:~$
So, a packet with a size of 1418 bytes goes through without any problems, but at 1419 bytes it fails! Any thoughts?
05-09-2011 04:20 AM
Your problem is probably that somewhere in the path to your VPN endpoints a device is not allowing packet fragmentation.
The link below explains the problem.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
The link gives a decent explanation and gives the info on how to calculate what each VPN type will use as overhead on each packet.
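The overhead arithmetic the linked document describes can be worked through directly. The calculator below is an added example, not code from this thread or from Cisco; it assumes standard ESP tunnel-mode framing (RFC 4303: outer IPv4 header, SPI and sequence number, cipher IV, padding to the cipher block size, pad-length and next-header bytes, then the truncated HMAC ICV) and a constructed table of common cipher and integrity suites. Given a link MTU it reports the largest inner packet that still fits unfragmented, and, going the other way, which suites would produce an observed ceiling such as the 1446-byte IP packet (ping -s 1418) seen in the first post.

```python
"""ESP tunnel-mode overhead calculator (added example; assumptions are labelled).

Assumed framing per RFC 4303, IPv4 outer header without options. The suite
table below is constructed for illustration and covers only common cases.
"""

from itertools import product

# Constructed table: IV length and cipher block size in bytes.
CIPHER_IV = {"des": 8, "3des": 8, "aes-cbc": 16}
CIPHER_BLOCK = {"des": 8, "3des": 8, "aes-cbc": 16}
# Constructed table: ICV lengths of the truncated HMACs ESP commonly negotiates.
AUTH_ICV = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}

IPV4_HEADER = 20
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # extra UDP header when NAT traversal (UDP/4500) is in use
ICMP_ECHO_HEADERS = IPV4_HEADER + 8   # inner IP header + ICMP echo header


def esp_tunnel_size(inner_len, cipher, auth, nat_t=False):
    """Outer packet size after ESP tunnel-mode encapsulation of an inner IP packet."""
    block = CIPHER_BLOCK[cipher]
    # The encrypted region (inner packet + trailer) is padded to a block multiple.
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // block) * block
    total = IPV4_HEADER + ESP_HEADER + CIPHER_IV[cipher] + padded + AUTH_ICV[auth]
    if nat_t:
        total += NAT_T_UDP
    return total


def max_inner_size(mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet whose encapsulated form fits in `mtu` bytes."""
    size = mtu
    while esp_tunnel_size(size, cipher, auth, nat_t) > mtu:
        size -= 1
    return size


def max_ping_payload(mtu, cipher, auth, nat_t=False):
    """Largest `ping -s` value that crosses the tunnel without fragmentation."""
    return max_inner_size(mtu, cipher, auth, nat_t) - ICMP_ECHO_HEADERS


def candidate_suites(observed_max_inner, mtu=1500):
    """Suite combinations whose inner-size ceiling equals the observed one."""
    return [
        (cipher, auth, nat_t)
        for cipher, auth, nat_t in product(CIPHER_BLOCK, AUTH_ICV, (False, True))
        if max_inner_size(mtu, cipher, auth, nat_t) == observed_max_inner
    ]


if __name__ == "__main__":
    for cipher, auth in (("3des", "hmac-sha1-96"), ("aes-cbc", "hmac-sha1-96")):
        print(cipher, auth, "max ping -s:", max_ping_payload(1500, cipher, auth))
    # 1418 + 8 (ICMP) + 20 (IP) = 1446 bytes, the ceiling observed in the first post
    for suite in candidate_suites(1446):
        print("consistent with 1500-byte MTU:", suite)
```

For the observed ceiling, the candidate list contains only the 8-byte-block ciphers without NAT-T, which is the kind of narrowing that tells you whether the ceiling is the expected tunnel overhead on a 1500-byte link or something else in the path dropping large packets; a lower than expected ceiling, or a ceiling that shifts with NAT-T, points at an intermediate device rather than the tunnel itself.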
05-09-2011 05:52 AM
Hi,
Your IPsec doesn't allow packet fragmentation.
Can you please try this command on the security appliance and let us know:
(crypto ipsec df-bit clear-df)
Regards,
Mohamed
05-09-2011 06:50 PM
Dear Ben,
You can try to change IOS to ASA Version 7.2(4)!
Best Regards,
Norung