MTU Mismatch btw VPN Peers

ciscosom · ‎04-10-2008

hello ,

We have a VPN btw ASA and Cisco 871 .This ispsec tunnel is up and functional , i can ping the Devices from both sides without any issues , but when we use Xterm or any other chatt protocl we get kiccked off at times , so when i ran a Test tunnel from SDM , i get a report "A ping with data size of this interface MTU size and " Do not fragment" bit set to other end VPN devie is failing , this may happen if there is alesser MTU network which drops the Do not fragment packets " .

My suspicion is branch office router 871 , which has only this tunnel where are main office ASA has 13 more similar tunnels that are fully funtional .

Things that i have tried ,

changing MTU to 1200 on the Fast ethernet of (where tunnel is terminated on 871 router)

TCP-adjust to 1200

When i ping from a desktop that is behind ASA to yahoo.com with -f -l , last respons i get is at 1272. But on similar test from behind 871 goes without any issues uptill 1400 + .

ciscosom · ‎04-10-2008

partial configuration from 871

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ****** address x.y.z.w

!

crypto ipsec transform-set 3des-set esp-3des esp-md5-hmac

crypto ipsec df-bit clear

!

crypto map vpn 10 ipsec-isakmp

set peer a.b.c.d

set transform-set 3des-set

match address 102

interface FastEthernet3

!

interface FastEthernet4

ip address x.y.z.x 255.255.255.248

ip access-group 100 in

ip nat outside

ip inspect SDM_MEDIUM out

ip virtual-reassembly

duplex auto

speed auto

crypto map vpn

!

interface Vlan1

ip address 192.168.5.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

****************************************

Any help will be greatly appreciated !!!!