Cannot set DF-bit globally

Unanswered Question
May 8th, 2007
User Badges:

I have a asa5510 and when I scp from the VPN client to an inside server the transfer starts and slowly drops in speed until I see a stalled message.

Everywhere I read suggests it is the df-bit problem. I tried to set the df-bit to clear globally with:

crypto ipsec df-bit clear

However, the asa5510 v7.1(2) software apparently requires an interface spec so I have to do a:

crypto ipsec df-bit clear outside

I have to do this on all the interfaces. Is there a way to do this globally AND is this really my problem?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
carenas123 Mon, 05/14/2007 - 10:30
User Badges:
  • Silver, 250 points or more

The problem may be due to high fragmentation. To fix the fragmentation issue, configure a class-map and add it to the MPF global-policy to allow packets with a larger MSS from that server.


This Discussion