Crypto ipsec df-bit....

Feb 9th, 2007

Hi,

When I test a VPN tunnel using SDM, the attached warning is shown.

It only occurs when testing one of the three VPN tunnels that are configured.

I've added the "crypto ipsec df-bit clear" command but the error is still appearing.

Why?

Best regards

heze54

kaachary Fri, 02/16/2007 - 06:07

Hi,

You can try lowering the TCP MSS on the LAN interface.

int Eth0/0
 ip tcp adjust-mss 1200
exit

HTH,

-Kanishka

edgar-quintana Fri, 02/16/2007 - 06:44

Hi,

Why is this message only shown when I test a VPN connection? I have several VPN tunnels and it only occurs with one.

Best regards

kaachary Fri, 02/16/2007 - 06:48

Hi,

Is this a VPN Client connection or is it another site-to-site?

Also, have you enabled "cry ipsec df-bit clear" globally or on the interface? And on which interface?

-Kanishka

edgar-quintana Fri, 02/16/2007 - 07:14

Hi,

It is a VPN tunnel configured router to router.

interface Ethernet0
 no ip address
 no ip proxy-arp
 shutdown
 hold-queue 100 out
!
interface Ethernet2
 description $FW_INSIDE$
 ip address xxxxxxxxxx
 ip access-group 101 in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$
 ip address xxxxxxxxxxxxxxx
 ip access-group 103 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 crypto map xxxxxxx
 pvc 8/32
  encapsulation aal5snap
 !
!

Which would be the best configuration?

Best regards
