In article , wrote: :I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS = :V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)).
:What is the MTU value for them ?
See the 'sysopt connection tcpmss' option. It works in conjunction with the MTU: the MTU sets the maximum size of the *encapsulating* packets, and tcpmss effectively sets the maximum amount of TCP data that the PIX will try to pack into one encapsulating packet -- with the remainder of the room then available for the encryption and authentication headers and encapsulation layering.
:Do I set also the ISP Router for the same value of these PIXes ?
The ISP router should be the same MTU as the PIX.
Note: if you happen to be using PPPoE on the outside interface of your router, reduce both MTUs by 8 bytes to allow for the PPPoE overhead.