Best MTU value for our VPN tunnel
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
|||||||||||||||||||
|
Posted by on October 11, 2005, 10:39 pm
Please log in for more thread options I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS = V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)). What is the MTU value for them ? Do I set also the ISP Router for the same value of these PIXes ? Thank you Benson | |||||||||||||||||||
|
Posted by Christoph Gartmann on October 12, 2005, 4:02 am
Please log in for more thread options The default MTU size for standard ethernet interfaces is usually 1500. So usually there is no need to worry about that. For better performance, especially if you have traffic that uses large packets, it might be useful to increase the MTU size. But this does only help if all network components along the way have the same or a larger MTU size, otherwise the packet will be fragmented somewhere along the way. Now as to VPN: an IP packet with a size of 1500 that is encoded in a VPN packet results is a somewhat larger packet size, eg. 1625 or so. This will then result in fragmentation which in turn causes trouble when decoding the packet. But the Pixen should take care of that if they are the endpoints of the tunnel. Regards, Christoph Gartmann -- Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452 Immunbiologie Postfach 1169 Internet: gartmann@immunbio dot mpg dot de D-79011 Freiburg, Germany http://www.immunbio.mpg.de/home/menue.html | |||||||||||||||||||
|
Posted by Walter Roberson on October 12, 2005, 4:28 am
Please log in for more thread options :I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS =
:V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)). :What is the MTU value for them ? See the 'sysopt connection tcpmss' option. It works in conjunction with the MTU: the MTU sets the maximum size of the *encapsulating* packets, and tcpmss effectively sets the maximum amount of TCP data that the PIX will try to pack into one encapsulating packet -- with the remainder of the room then available for the encryption and authentication headers and encapsulation layering. :Do I set also the ISP Router for the same value of these PIXes ? The ISP router should be the same MTU as the PIX. Note: if you happen to be using PPPoE on the outside interface of your router, reduce both MTUs by 8 bytes to allow for the PPPoE overhead. -- Many food scientists have reported chocolate to be the single most craved food. -- Northwestern University, 2001 | |||||||||||||||||||
| Similar Threads | Posted |
| GRE Tunnel up/up Cannot ping tunnel interface | March 6, 2006, 3:55 pm |
| VPN tunnel | July 25, 2005, 8:10 pm |
| GRE Tunnel - one way ? | September 30, 2005, 6:39 am |
| Best MTU value for our VPN tunnel | October 11, 2005, 10:39 pm |
| NAT-T + VPN Tunnel | November 6, 2005, 4:06 am |
| 515 & 501 VPN Tunnel Help | April 4, 2006, 12:47 pm |
| GRE Tunnel | November 21, 2005, 8:38 pm |
| PLEASE HELP - GRE tunnel | September 5, 2006, 7:43 pm |
| NAT w Tunnel | January 25, 2007, 9:06 am |
| GRE tunnel and NAT | May 20, 2008, 10:52 pm |
| syslog through tunnel | February 11, 2005, 9:55 am |
| Help With 1710 to Pix 501 VPN Tunnel | July 24, 2005, 8:51 pm |
| tunnel interface ip | September 14, 2005, 1:37 pm |
| PIX 7.0.4 tunnel all traffic. | November 3, 2005, 12:27 pm |
| routing vpn tunnel | December 22, 2005, 10:53 am |
>
>I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS =
>V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)).
>
>What is the MTU value for them ?
>
>Do I set also the ISP Router for the same value of these PIXes ?