help with "crypto ipsec df-bit clear" command

Unanswered Question
Apr 14th, 2008
Hi,


I have a Cisco 877 at a remote site connected to an ASA over an IPSec VPN (AES-256/sha/pre-shared key) and have just used the "test vpn connection" option on the SDM of a Cisco 877.


It says the tunnel is fine but recommends I add the "crypto ipsec df-bit clear" command, however I did add it to the dialer 1 interface of the 877 and ran the test again, but it still says I need to add it.


What interface is this or do I need to add it to the ASA somewhere instead?

sundar.palaniappan Mon, 04/14/2008 - 11:52
I haven't used SDM and hence can't comment on which interface it wants you to clear the df-bit on, but the dialer interface sounds logical to me. You can configure the 'crypto ipsec df-bit clear' command in global configuration mode, which applies the setting to all interfaces, and then try the test.


HTH


Sundar

whiteford Tue, 04/15/2008 - 05:56
Just added it to the global config on the Cisco 877 and it still says I need to add it. Could it be the ASA side?

sundar.palaniappan Tue, 04/15/2008 - 06:14
You can try adding the command to the ASA. Are you having problems sending data through the L2L VPN tunnel? I have found the 'ip tcp adjust-mss 1440' command to be very helpful in addressing MTU problems over IPsec connections. Configure this command under the LAN-facing interface on the 877 and check your connection between the hosts on the LAN instead of using the SDM to test.



HTH


Sundar

whiteford Tue, 04/15/2008 - 06:16
It all seems to be fine, but the SDM recommends this after doing a test of the tunnel.


Should I add that to the global config of the ASA?


I've added 'ip tcp adjust-mss 1440' to the VLAN 1 of the 877.

sundar.palaniappan Tue, 04/15/2008 - 06:25
It doesn't hurt to add the df-bit clear command to the global configuration of the ASA.

whiteford Tue, 04/15/2008 - 07:06
When I do, it asks what interface:

ASA5520(config)# crypto ipsec df-bit clear ?

configure mode commands/options:
Current available interface(s):
  DMZ1        Name of interface GigabitEthernet0/2.6
  inside      Name of interface GigabitEthernet0/1
  management  Name of interface Management0/0
  outside     Name of interface GigabitEthernet0/0

Would it just be the outside?
sundar.palaniappan Tue, 04/15/2008 - 07:18

That would be correct if your VPN connection terminates on the outside interface.


HTH


Sundar

whiteford Tue, 04/15/2008 - 07:31
Added to the outside but that request to add still remains, never mind.


Guess it's no problem being in there?

sundar.palaniappan Tue, 04/15/2008 - 07:43
I wouldn't worry about it, especially since your VPN tunnel seems to be up and passing traffic and users aren't having any problems.
