Best MTU value for our VPN tunnel

Hi, all

I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS = V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)).

What is the MTU value for them?

Do I also set the ISP router to the same value as these PIXes?

Thank you, Benson

bensonlei

The default MTU size for standard Ethernet interfaces is usually 1500. So usually there is no need to worry about that. For better performance, especially if you have traffic that uses large packets, it might be useful to increase the MTU size. But this only helps if all network components along the way have the same or a larger MTU size; otherwise the packet will be fragmented somewhere along the way.

Now as to VPN: an IP packet with a size of 1500 that is encoded in a VPN packet results in a somewhat larger packet size, e.g. 1625 or so. This will then result in fragmentation, which in turn causes trouble when decoding the packet. But the Pixen should take care of that if they are the endpoints of the tunnel.

Regards, Christoph Gartmann

Christoph Gartmann

In article , wrote:
:I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS =
:V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)).

:What is the MTU value for them ?

See the 'sysopt connection tcpmss' option. It works in conjunction with the MTU: the MTU sets the maximum size of the *encapsulating* packets, and tcpmss effectively sets the maximum amount of TCP data that the PIX will try to pack into one encapsulating packet -- with the remainder of the room then available for the encryption and authentication headers and encapsulation layering.

:Do I set also the ISP Router for the same value of these PIXes ?

The ISP router should be the same MTU as the PIX.

Note: if you happen to be using PPPoE on the outside interface of your router, reduce both MTUs by 8 bytes to allow for the PPPoE overhead.

Walter Roberson
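
The arithmetic behind the MTU and tcpmss relationship described in the post above, as an added example that is not part of the thread. It assumes ESP tunnel mode over IPv4 with a CBC cipher and a 96-bit HMAC, no NAT-T/UDP encapsulation, and TCP/IPv4 headers without options; the function names are hypothetical.

```python
# Added example (not from the thread). Assumptions: ESP tunnel mode over IPv4,
# CBC cipher, 96-bit HMAC integrity value, no NAT-T, no IP/TCP options.

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload
ICV = 12           # HMAC-MD5-96 or HMAC-SHA1-96 authentication data
TCP_IP_HDRS = 40   # inner IPv4 header + TCP header
PPPOE = 8          # PPPoE overhead mentioned in the post

# For CBC ciphers the IV is one cipher block long.
CIPHER_BLOCK = {"3des": 8, "aes-cbc": 16}


def esp_packet_size(inner_len, cipher):
    """Size on the wire of one inner IP packet after ESP encapsulation."""
    block = CIPHER_BLOCK[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    ciphertext = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HDR + block + ciphertext + ICV


def max_inner_packet(link_mtu, cipher, pppoe=False):
    """Largest inner IP packet whose encapsulated form still fits the MTU."""
    block = CIPHER_BLOCK[cipher]
    mtu = link_mtu - (PPPOE if pppoe else 0)
    room = mtu - OUTER_IP - ESP_HDR - block - ICV
    if room < block:
        raise ValueError("MTU too small to carry an ESP packet")
    return (room // block) * block - ESP_TRAILER


def max_tcp_mss(link_mtu, cipher, pppoe=False):
    """Largest TCP payload per segment that avoids fragmenting the tunnel."""
    return max_inner_packet(link_mtu, cipher, pppoe) - TCP_IP_HDRS


if __name__ == "__main__":
    print("1500-byte packet after ESP/3DES:", esp_packet_size(1500, "3des"))
    for cipher in CIPHER_BLOCK:
        for pppoe in (False, True):
            print(cipher, "PPPoE" if pppoe else "Ethernet",
                  "max MSS:", max_tcp_mss(1500, cipher, pppoe))
```

Any tcpmss value at or below the figure computed for the path's smallest MTU keeps the encapsulated packet within that MTU under these assumptions.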
