Cannot set DF-bit globally

Unanswered Question
May 8th, 2007

I have a asa5510 and when I scp from the VPN client to an inside server the transfer starts and slowly drops in speed until I see a stalled message.

Everywhere I read suggests it is the df-bit problem. I tried to set the df-bit to clear globally with:

crypto ipsec df-bit clear

However, the asa5510 v7.1(2) software apparently requires an interface spec so I have to do a:

crypto ipsec df-bit clear outside

I have to do this on all the interfaces. Is there a way to do this globally AND is this really my problem?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
carenas123 Mon, 05/14/2007 - 10:30

The problem may be due to high fragmentation. To fix the fragmentation issue, configure a class-map and add it to the MPF global-policy to allow packets with a larger MSS from that server.


This Discussion