MTU Mismatch btw VPN Peers

Unanswered Question
Apr 10th, 2008
User Badges:

hello ,

We have a VPN btw ASA and Cisco 871 .This ispsec tunnel is up and functional , i can ping the Devices from both sides without any issues , but when we use Xterm or any other chatt protocl we get kiccked off at times , so when i ran a Test tunnel from SDM , i get a report "A ping with data size of this interface MTU size and " Do not fragment" bit set to other end VPN devie is failing , this may happen if there is alesser MTU network which drops the Do not fragment packets " .

My suspicion is branch office router 871 , which has only this tunnel where are main office ASA has 13 more similar tunnels that are fully funtional .

Things that i have tried ,

changing MTU to 1200 on the Fast ethernet of (where tunnel is terminated on 871 router)

TCP-adjust to 1200

When i ping from a desktop that is behind ASA to with -f -l , last respons i get is at 1272. But on similar test from behind 871 goes without any issues uptill 1400 + .

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ciscosom Thu, 04/10/2008 - 20:53
User Badges:

partial configuration from 871

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ****** address x.y.z.w



crypto ipsec transform-set 3des-set esp-3des esp-md5-hmac

crypto ipsec df-bit clear


crypto map vpn 10 ipsec-isakmp

set peer a.b.c.d

set transform-set 3des-set

match address 102

interface FastEthernet3


interface FastEthernet4

ip address x.y.z.x

ip access-group 100 in

ip nat outside

ip inspect SDM_MEDIUM out

ip virtual-reassembly

duplex auto

speed auto

crypto map vpn


interface Vlan1

ip address

ip nat inside

ip virtual-reassembly



Any help will be greatly appreciated !!!!


This Discussion