l2tpv3 and mtu issues

Unanswered Question
Oct 18th, 2007
User Badges:

Has anyone configured l2tpv3 using pseudowire configs? Currently configured as:

pseudowire-class class42

encapsulation l2tpv3

ip local interface Loopback1

ip pmtu max 1400

ip dfbit set

Haven't had a chance to sniff it yet but appears some servers are unable to create tcp connections when mtu is set to higher than 1358 in our case.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2 (1 ratings)
mchin345 Wed, 10/24/2007 - 10:35
User Badges:
  • Silver, 250 points or more

Can you post a show tech from router and brief description of the topology?

tgurney Thu, 10/25/2007 - 07:14
User Badges:

A show tech from two routers and a visio drawing. Note two metroE links between the VISI and Berbee environments. Note that the two vlan 37's at each site are separate and unique to each other.

Attempting to bridge 4 vlans between Berbee and VISI. In pseudo-wire classes I've set ip pmtu max 1400. We are having major problems with TCP sessions and MTU. It appears that if server MTU is set to 1358 then nothing fails. So the workaround is to set MTU on servers to 1350.

Appears to me that when a server with MTU higher than 1358 sends a packet larger then 1358 and has df bit set the packet is dropped by the 7206's and an ICMP 3 4 is sent with a MSS of 1358. Servers should then negotiate back down. That doesn't seem to be happening. Cisco says the network is working correctly and I have to agree from a theoretical point, but this seems like something fundamental within the l2tp config.

rakesh.hegde Thu, 10/25/2007 - 19:35
User Badges:

The answer to your question is in your configureation itself. Take out " ip df bit set " from the psudowire class to allow packets to be fragmented before tunneling


tgurney Fri, 10/26/2007 - 05:01
User Badges:

I took the ip dfbit set out of the configuration last week. Still having issues with large packets.

rakesh.hegde Fri, 10/26/2007 - 07:14
User Badges:

What you are seeing over L2TPV3 may be a symptom not the problem itself. Looks like you are having issues with TCP MSS vlaue. Tse servers are using a MSS value thats would require frangmentation. The router can not do that because the DF bit it set. You have two options.

1. apply a policy map to the interface to cleat the df bit

access-l 100 permit tcp any any

route-map cleardf

match ip address 100

set ip df 0

int gig x/x

ip policy rotue-map cleardf

2. Adjust MSS value to 1300 (MTU is MSS+40 ) for any TCP connections on the router

int gig x/x

ip tcp adjust-mss 1300

I have mostly used option 2



tgurney Fri, 10/26/2007 - 09:40
User Badges:

Rackesh , I like the route map option .

So si the best place for that on the 7206 dot1q subinterface ? Or the l2tpv3 loopback interfaces?

rakesh.hegde Fri, 10/26/2007 - 10:30
User Badges:

IF the topology is some thing is like

6500 L3 Vlan 10 interface -> subinterface gig x/x.10 on the 7206 with xconnect.

I would apply it to Vlan 10 on 6500. I would leave the 7206 (the edge router) alone to do jsut L2TPV3.

I have implemented L2tpV3 with IPSEC encryption for one of our customers. Initially I had EIGRP neighbor flap because of MTU. I fiexed it by not removing PMTUD and DF bit commands from the psudo wire class



rakesh.hegde Fri, 10/26/2007 - 10:34
User Badges:

The last sentence should read 'I fiexed it by removing PMTUD and DF bit commands from the psudo wire class '


steve_mils Mon, 12/08/2008 - 06:58
User Badges:

Hi - did you ever figure out what was happening here. We see the same problem and suspect that the problem can be fixed by patching the servers with the latest service pack. For example see the following link for Windows 2003 servers:


If this is the case then it proves that the network does indeed work. We're yet to try this ourselves but I'm wondering if you ever did this; or were your servers already patched?

Cheers, Steve


This Discussion