05-17-2007 03:36 AM - edited 03-03-2019 05:01 PM
Hi!
I've got a VPN between two PCs, based on OpenVPN (UDP).
Some time ago I was using a Linux-based DSL router (on the usual TI7300 MIPS processor). There was a check-box "Force MTU" and a value of 1492 for PPPoE. Everything worked fine.
Now I've installed a Cisco 1841 as the router. I made the following changes in addition to the standard config:
!!!!!
interface Dialer1
 mtu 1492
!
interface Vlan1
 ip policy route-map clear-df
!
route-map clear-df permit 10
 match ip address 1
 set ip df 0
!
access-list 1 permit any
!!!!!!!!!!!!
But large packets can't pass through the VPN until I set mtu 1400 on the OpenVPN tunnel interfaces on both sides.
ICMP is open.
Since everything was fine on the old BusyBox, I concluded that the Cisco 1841 does not fragment packets even though the DF->0 route-map is in use.
Maybe someone has suggestions...
And remember - UDP!
Thanks :-)
05-17-2007 06:12 AM
If you clear the DF on the sender's side, it is not guaranteed that the receiver side can reassemble the fragmented packets. Some applications simply drop the fragmented packets. Furthermore, if the receiving end sends back the packets with the DF bit set and you don't clear that on that side as well, it is being dropped by the router. Is the router on the other side under your control too?
05-17-2007 06:25 AM
Hello! No, the router on the second site is not under my control.
And I don't think it's the issue - it looks like the DF bit on the way from the second side is cleared somewhere in the ISP network, because I can leave MTU 1500 on the second side's tunnel interface and the VPN works fine... I suppose... I'll check it tomorrow :-)
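The drop-or-fragment decision discussed in this thread, as an added example that is not part of any post: a small Python model of one IPv4 router hop with an egress MTU of 1492 (the PPPoE value above), with and without a DF-clearing policy, plus the reply's point that a receiver may not reassemble fragments. The packet sizes, function names and the 20-byte option-free IPv4 header are assumptions made for the illustration.

```python
from dataclasses import dataclass

IP_HEADER = 20  # assumption: IPv4 header without options


@dataclass
class Packet:
    total_len: int  # IPv4 total length in bytes, header included
    df: bool        # Don't Fragment flag as sent by the host


def forward(pkt, egress_mtu, clear_df=False):
    """Model one router hop. Returns (action, list of outgoing packet lengths)."""
    df = pkt.df and not clear_df          # policy such as "set ip df 0" clears the flag
    if pkt.total_len <= egress_mtu:
        return "forward", [pkt.total_len]
    if df:
        # Too big and DF set: the router drops it and reports back via ICMP
        return "drop+icmp-frag-needed", []
    # Every fragment except the last carries a payload that is a multiple of 8 bytes
    per_frag = (egress_mtu - IP_HEADER) // 8 * 8
    payload = pkt.total_len - IP_HEADER
    frags = []
    while payload > 0:
        chunk = min(per_frag, payload)
        frags.append(chunk + IP_HEADER)
        payload -= chunk
    return "fragment", frags


def delivered(pkt, egress_mtu, clear_df, receiver_reassembles):
    """True if the datagram reaches the application on the far side."""
    action, _ = forward(pkt, egress_mtu, clear_df)
    if action == "drop+icmp-frag-needed":
        return False
    if action == "fragment" and not receiver_reassembles:
        return False                      # fragments arrive but are discarded
    return True


if __name__ == "__main__":
    big = Packet(total_len=1500, df=True)     # constructed sample sizes
    small = Packet(total_len=1400, df=True)
    for p, clear in [(big, False), (big, True), (small, False)]:
        print(p, "clear_df=%s" % clear, forward(p, 1492, clear))
```

Clearing DF turns a drop into fragmentation, but delivery then depends on the far end accepting fragments, which is why lowering the tunnel MTU so packets fit without fragmenting works regardless.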