Thanks for your quick response.

it did not work.

my outbound connection is ADSL which MTU size is 1492, and the Ethernet MTU is 1500 by default, so if all encrypted packets DF bit set, then the packets which size is 1500 will be dropped while hit the ADSL link and will return the "packets need to be fragment, but DF bit set", unfortunately, firewall will deny the ICMP packets, so I don't know what happen next

Thanks

Indeed that's when I had the problem, the PPPoE reduces the mtu to 1492, but at the other end of the tunnel, is it ADSL as well ? if not, there is where the problem is.

thanks for your reply.

I did test for both side ADSL connection and one site is ADSL another side is T1, seems the packets dropped.

for the DF-bit clear feature, I read it before, but it is on the cisco router, not on the pix, do I need to clear the DF bit on the router?

here is the connection

---adsl modem----cisco router-----pix

my scenario

--LAN---PIX----cisco router---ADSL----internet--T1-PIX

so do I need clear the DF on the Cisco router?

First to verify the question in your original post - you are exactly correct that sending packets through IPSec reduces the effective MTU. This is due to the fact that IPSec adds extra header information to the packet as it encrypts the packet. So if the end station sends a 1500 byte packet it will require fragmentation. And if the packet is sent with DF set (as many TCP applications tend to do) then the packet will be dropped. If Path MTU Discovery worked this issue would be taken care of. But PMTUD depends on the ICMP message fragmentation required but DF set. And if the firewall is denying ICMP then PMTUD gets broken.

As you discovered setting the MTU on the interface is not an effective solution. The alternative of clear-DF can be used sometimes but with PIX as one of the endpoints I am not sure that clear-DF would work.

I have a solution which I have used and I generally prefer it to the clear-DF. It is the interface command ip tcp adjust-mss which allows the router to help manage the max segment size which will be negotiated. It only needs to be configured on one end of the connection, so you can do it on the router and not worry about the PIX. The value to use will depend on how you have configured some IPSec options. You may have to experiment a bit to find a value that will produce packets that do not require fragmentation. In an implementation at a customer where we are do IPSec with GRE tunnels we wound up specifying a value of 1375 which was very effective at preventing fragmentation.

HTH

Rick

Thanks for your help.

I have setup MTU size 1300 on each PIX, seems no help.

one thing I want to confirm,

after I change the MTU size to 1300 on both side, I think no fragment needed, but seems I still got some packets dropped.

one thing need to discuss,

even I setup "ip tcp mss xxx" on the cisco router, it can not help so much, because the traffic out of the PIX is regular TCP/IP traffic, Cisco router doesn't know it is encrytped or not, so e.g, if the packet is 1500 bytes hit the cisco router, if the router setup "ip tcp mss 1375" and cisco router will try to fragment the packet and DF bit set, so in my opinion, it can not help so much.

thanks

The thing is that the command I told you is for a router, and it's not the MTU of the interface, it's the IP MTU. Let me check if there is a way to change it in a PIX.

Don't mean to thread hijack, but I'm having exactly the same problem.

Scenario is a site to site VPN tunnel, with the tunnel itself terminating on two opposing PIXes, with Cisco Routers in front of them:

PIX - Router - Internet - Router - PIX

Packet dump during Windows file sharing showed excessive amounts of retransmits, and horrible performance (topped out at 30KB/sec, and the slower of the two links is capable of 394KB/sec).

The biggest packet I can pass between the two routers is 1272 bytes, and I've set the ip tcp adjust-mss on both routers (the interface facing the PIX) to 1250.

Performance is better (100KB/sec) and the amount of retransmits in has dropped. But, is there anything else I can do? It seems I'm very limited in that I'm terminating the tunnel on the PIXes and not the routers.