Posted by Dan24 on July 2, 2009, 3:01 pm

I'm trying to set up a tunnel between a Checkpoint Safe@Office 500 device and a Cisco 837 router. I've used SDM to set up the tunnel and everything seemed to work, and ping shows that the connection is stable. But I then noticed the connection is very slow and several services complained of connection failures. Running the test in SDM, I get the following output:

"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

SDM also suggests I can use crypto ipsec df-bit clear to resolve this. I tried lowering the MTU on the Cisco (issued ip mtu 1400 on the Dialer0 interface) and also tried lowering the MTU on the Checkpoint device, but still no success.

Although I'm a software developer I'm not very familiar with CLI, so please don't be brief if you suggest making any changes on the Cisco ;)

Here's the current config: http://pastebin.com/m6785596

Thanks in advance,

Dan
Posted by Thrill5 on July 5, 2009, 10:51 pm

... past this hurdle. The problem is that MTU on a TCP connection is negotiated with the end-points of the connection and is usually 1500 bytes (the MTU of an Ethernet network) without any regard for the MTU along the path. If the MTU of a path in the middle of the connection is less than this, then packets are dropped if the DF bit (do-not-fragment bit) is set. The end-points can figure out that the MTU of the path in the middle is lower than the end-points' using MTU path discovery, but this needs to be supported (or enabled) on the endpoints. A tunnel puts an IP packet within an IP packet, so the MTU of the inner packet is 20 bytes smaller than the MTU of the outer packet. Lowering the MTU on the interface doesn't fix the problem. Enabling "df-bit clear" will fix the problem because it will fragment the packets even if the do-not-fragment bit is set.
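As an added illustration (not code from the thread or from either vendor), a small Python model of the mechanism Thrill5 describes: a DF-set packet that grows past a hop's MTU once the tunnel header is added is dropped, path MTU discovery only recovers by reacting to the dropping hop's report, and clearing DF lets the hop fragment instead. The hop names and MTUs are constructed, and the 20-byte overhead is the plain IP-in-IP figure from the reply (IPsec adds more, so it is left as a parameter).

```python
from dataclasses import dataclass

IP_HDR = 20  # outer IP header a plain IP-in-IP tunnel adds (IPsec adds more; kept as a parameter)


@dataclass
class Hop:
    name: str
    mtu: int


def forward(size, path, df):
    """Push one packet of `size` bytes across `path`. Returns ("delivered", fragment sizes)
    or ("frag-needed", [hop mtu]) when a hop drops a DF packet, standing in for the
    ICMP Fragmentation Needed message a real router would send back."""
    frags = [size]
    for hop in path:
        if all(f <= hop.mtu for f in frags):
            continue
        if df:
            return "frag-needed", [hop.mtu]
        split = []  # DF cleared: the hop fragments; every piece carries its own IP header
        for f in frags:
            while f > hop.mtu:
                split.append(hop.mtu)
                f -= hop.mtu - IP_HDR
            split.append(f)
        frags = split
    return "delivered", frags


def tunnel_forward(inner_size, path, df, overhead=IP_HDR):
    """Encapsulate an inner packet and forward the outer one. df=False models
    'crypto ipsec df-bit clear': the outer packet may be fragmented regardless."""
    return forward(inner_size + overhead, path, df)


def pmtud(inner_size, path, overhead=IP_HDR, max_rounds=8):
    """Sender-side path MTU discovery: send with DF set, shrink to the MTU the dropping
    hop reports (minus tunnel overhead) and retry. This only works if the endpoint
    supports it and the hop's report reaches it, which is the reply's point."""
    size = inner_size
    for rounds in range(1, max_rounds + 1):
        status, info = tunnel_forward(size, path, df=True, overhead=overhead)
        if status == "delivered":
            return size, rounds
        size = info[0] - overhead
    return None, max_rounds


# Constructed sample path: Ethernet LAN on each side, a PPPoE DSL link (MTU 1492) between them.
SAMPLE_PATH = [Hop("office LAN", 1500), Hop("DSL uplink", 1492), Hop("remote LAN", 1500)]
```

A full-size 1500-byte inner packet becomes 1520 bytes on the wire and is dropped at the first hop when DF is set; with DF cleared the same packet is delivered as fragments, and pmtud() settles on 1472 bytes after three rounds.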
Fragmentation issues with site-to-site VPN