3038 Views, 0 Helpful, 9 Replies

help with "crypto ipsec df-bit clear" command

whiteford
Level 1

Hi,

I have a Cisco 877 at a remote site connected to an ASA over an IPSec VPN (AES-256/sha/pre-shared key) and have just used the "test vpn connection" option on the SDM of a Cisco 877.

It says the tunnel is fine but recommends I add the "crypto ipsec df-bit clear" command. However, I did add it to the Dialer 1 interface of the 877 and ran the test again, but it still says I need to add it.

What interface is this or do I need to add it to the ASA somewhere instead?

9 Replies

I haven't used SDM and hence can't comment on which interface it wants you to clear the df-bit on, but the dialer interface sounds logical to me. You can configure the 'crypto ipsec df-bit clear' command in global configuration mode; this applies the setting to all interfaces. Then try the test again.

HTH

Sundar

Just added it to the global config on the Cisco 877 and it still says I need to add it. Could it be the ASA side?

You can try adding the command to the ASA. Are you having problems sending data through the L2L VPN tunnel? I have found the 'ip tcp adjust-mss 1440' command to be very helpful in addressing MTU problems over IPsec connections. Configure this command under the LAN-facing interface on the 877 and check your connection between the hosts on the LAN instead of using the SDM to test.

HTH

Sundar

It all seems to be fine, but the SDM recommends this after doing a test of the tunnel.

Should I add that to the global config of the ASA?

I've added 'ip tcp adjust-mss 1440' to the VLAN 1 interface of the 877.

It doesn't hurt to add the df-bit clear command to the global configuration of the ASA.

When I do, it asks what interface:

ASA5520(config)# crypto ipsec df-bit clear ?

configure mode commands/options:
Current available interface(s):
  DMZ1        Name of interface GigabitEthernet0/2.6
  inside      Name of interface GigabitEthernet0/1
  management  Name of interface Management0/0
  outside     Name of interface GigabitEthernet0/0

Would it just be the outside?

That would be correct if your VPN connection terminates on the outside interface.

HTH

Sundar

Added to the outside but that request to add still remains, never mind.

Guess it's no problem being in there?

I wouldn't worry about it. Especially since your VPN tunnel seems to be up and passing traffic and users aren't having any problems.
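The thread above never spells out why SDM wants the DF bit cleared, or how 'ip tcp adjust-mss 1440' relates to it. The following Python script is an added worked example, not code from the original posters or from Cisco. It models the ESP tunnel-mode encapsulation the poster describes (AES-256-CBC with HMAC-SHA1) from RFC 4303 field sizes, computes how large an encrypted packet becomes, and shows what happens to an oversized inner packet under each IOS 'crypto ipsec df-bit {copy|set|clear}' policy (copy is the IOS default). The 1492-byte outer MTU used for the PPPoE Dialer 1 case is an assumption about the poster's ADSL link; the thread does not state it.

```python
"""ESP tunnel-mode overhead and DF-bit handling (added example, not from the thread).

Field sizes follow RFC 4303 (ESP), RFC 3602 (AES-CBC) and RFC 2404 (HMAC-SHA1-96).
The cipher/integrity defaults mirror the poster's tunnel: AES-256 with SHA-1.
"""
import math

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # extra UDP header when NAT traversal encapsulation is active

# cipher -> (IV length, block size); integrity algorithm -> ICV length
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
ICVS = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}


def esp_tunnel_size(inner_len, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Size of the outer IPv4 packet carrying an inner IPv4 packet of inner_len bytes
    in ESP tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    icv_len = ICVS[integ]
    # Encrypted portion: inner packet + ESP trailer, padded to the cipher block size.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IPV4_HDR + ESP_SPI_SEQ + iv_len + encrypted + icv_len
    if nat_t:
        size += NAT_T_UDP
    return size


def fragmentation_needed(inner_len, outer_mtu=1500, **sa):
    """True when the encrypted packet no longer fits the outer (WAN) MTU."""
    return esp_tunnel_size(inner_len, **sa) > outer_mtu


def max_tcp_mss(outer_mtu=1500, **sa):
    """Largest TCP MSS whose full-size segment (inner IP + TCP + payload) still fits
    the outer MTU after encapsulation, i.e. the value 'ip tcp adjust-mss' would need
    to avoid any fragmentation for this SA."""
    for payload in range(outer_mtu - IPV4_HDR - TCP_HDR, 0, -1):
        if not fragmentation_needed(IPV4_HDR + TCP_HDR + payload, outer_mtu, **sa):
            return payload
    raise ValueError("outer MTU too small for any TCP payload")


def outer_handling(inner_len, inner_df, policy="copy", outer_mtu=1500, **sa):
    """What the encrypting router does with one inner packet.

    policy mirrors IOS 'crypto ipsec df-bit {copy|set|clear}' (copy is the default):
      copy  -> outer DF bit follows the inner packet's DF bit
      set   -> outer DF bit always set
      clear -> outer DF bit always cleared (what SDM recommended in the thread)
    """
    if not fragmentation_needed(inner_len, outer_mtu, **sa):
        return "forwarded"
    outer_df = {"copy": inner_df, "set": True, "clear": False}[policy]
    if outer_df:
        # Too large and marked don't-fragment: the packet is dropped and an ICMP
        # "fragmentation needed" is sent to the source. If that ICMP is filtered
        # anywhere on the path, the flow black-holes (classic PMTUD failure).
        return "icmp-frag-needed"
    # Packet is fragmented (before or after encryption depending on platform)
    # and reassembled by the peer; it gets through, at a CPU and latency cost.
    return "fragmented"


if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_tunnel_size(1500), "bytes")   # 1560
    for mtu in (1500, 1492):  # 1492 = assumed PPPoE MTU on the 877's Dialer 1
        print(f"outer MTU {mtu}: max MSS without fragmentation = {max_tcp_mss(mtu)}")
    for policy in ("copy", "set", "clear"):
        print(f"df-bit {policy:5}: DF-set 1500-byte packet ->",
              outer_handling(1500, inner_df=True, policy=policy))
```

Running the script shows the two fixes in the thread attacking the same problem from opposite ends: 'crypto ipsec df-bit clear' lets an oversized encrypted packet be fragmented instead of depending on ICMP reaching the sender, while 'ip tcp adjust-mss' shrinks TCP segments so the encrypted packet never exceeds the WAN MTU in the first place. The script also reports the exact MSS that would suffice for this SA and MTU, which is useful when choosing the adjust-mss value for a given link.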
