Fragmentation issues with site-to-site VPN

Hi,

I'm trying to set up a tunnel between a Checkpoint Safe@Office 500 device and a Cisco 837 router. I've used SDM to set up the tunnel and everything seemed to work, and ping shows that the connection is stable. But I then noticed the connection is very slow and several services complained of connection failures. Running the test in SDM, I get the following output: "A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets." SDM also suggests I can use crypto ipsec df-bit clear to resolve this. I tried lowering the MTU on the Cisco (issued ip mtu 1400 on the Dialer0 interface) and also tried lowering the MTU on the Checkpoint device, but still no success.

Although I'm a software developer I'm not very familiar with CLI so please don't be brief if you suggest making any changes on the Cisco ;) Here's the current config:

Thanks in advance,

Dan


MTU issues on tunnels can be tricky to diagnose, but you have already gotten past this hurdle. The problem is that MTU on a TCP connection is negotiated with the end-points of the connection and is usually 1500 bytes (the MTU of an Ethernet network) without any regard for the MTU along the path. If the MTU of a path in the middle of the connection is less than this, then packets are dropped if the df bit (do-not-fragment bit) is set. The end-points can figure out that the MTU of the path in the middle is lower than the end-points using MTU path discovery, but this needs to be supported (or enabled) on the endpoints. A tunnel puts an IP packet within an IP packet, so the MTU of the inner packet is 20 bytes smaller than the MTU of the outer packet. Lowering the MTU on the interface doesn't fix the problem. Enabling "df-bit clear" will fix the problem because it will fragment the packets even if the do-not-fragment bit is set.

Thrill5
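A toy model of what the SDM test and the reply above describe, added here as an example and not taken from the thread or from either vendor: a path with a tunnel hop whose MTU is smaller than the end-points' 1500 bytes, DF-set packets being dropped there (with or without the ICMP "fragmentation needed" hint coming back), fragmentation when the DF bit is cleared, and path MTU discovery on top of that. The hop names, MTUs and function names are all assumptions made for the illustration.

```python
# Added example (not from the thread). Models a tunnel hop with a smaller MTU,
# DF-bit drops, fragmentation when DF is cleared, and path MTU discovery with
# and without the ICMP "fragmentation needed" hint. All hop names/MTUs are made up.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR = 20  # bytes of outer IPv4 header the tunnel adds (the "20 bytes" in the reply)


@dataclass
class Hop:
    name: str
    mtu: int


def tunnel_inner_mtu(outer_mtu: int, overhead: int = IP_HDR) -> int:
    """Largest inner packet that fits in the tunnel without fragmentation."""
    return outer_mtu - overhead


def forward(path: List[Hop], size: int, df: bool) -> Tuple[bool, int, Optional[int]]:
    """Push one `size`-byte IP packet along `path`; returns (delivered, fragments, icmp_mtu).

    With DF set, a hop whose MTU is smaller drops the packet and reports its MTU
    (the ICMP "fragmentation needed" message). With DF clear, the hop fragments
    the packet instead, which is what `crypto ipsec df-bit clear` makes happen.
    """
    frags = 1
    for hop in path:
        if size > hop.mtu:
            if df:
                return False, 0, hop.mtu
            per_frag = (hop.mtu - IP_HDR) // 8 * 8      # fragment payload is 8-byte aligned
            frags *= -(-(size - IP_HDR) // per_frag)    # ceil division
            size = per_frag + IP_HDR                    # largest fragment continues downstream
    return True, frags, None


def discover_pmtu(path: List[Hop], icmp_blocked: bool = False, lo: int = 576, hi: int = 1500) -> Tuple[int, int]:
    """Largest DF-set packet that crosses `path`, and how many probes it took.

    With ICMP feedback the sender jumps straight to the reported MTU; with it
    blocked (a PMTUD black hole, the case the SDM test warns about) it can only
    shrink probes blindly until one gets through.
    """
    probes = 0
    hi += 1  # invariant: `lo` is known to pass, `hi` is known to fail
    while hi - lo > 1:
        mid = (lo + hi) // 2
        ok, _, icmp_mtu = forward(path, mid, df=True)
        probes += 1
        if ok:
            lo = mid
        elif icmp_mtu is not None and not icmp_blocked:
            hi = icmp_mtu + 1   # router named the bottleneck: anything larger fails
        else:
            hi = mid            # black hole: no hint, halve the probe size
    return lo, probes
```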
