Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
0
Helpful
2
Replies

Do i need to increase to MTU size?

criitdept
Level 1
Level 1

‎06-04-2008 01:49 AM - edited ‎03-09-2019 08:50 PM

Hi,

I have created a VPN between a remote site and our headoffice

The remote site has a Cisco 877 Router and the HeadOffice has a Cisco 3005 Concentrator.

The VPN i have created is up and running and I can connect to devices at either sides of the VPN.

The problem i am having is, i am planning on rolling out thinclients at the remote site that connects to a terminal server at the headoffice.

When i set up the thinclients, they connect but then disconnect straight away.

I think this is down to the default MTU size being too small but i don't know if i am correct, and also in what interface to change it on.

Cheers

James

Labels:
0 Helpful
2 Replies 2

attrgautam
Level 5
Level 5

‎06-04-2008 02:19 AM

James,

It looks like a MTU issue.

One of the options you could certainly try is to do a crypto map XXXX df-bit clear which will ensure that the IPSEC header is not fragmented.

Another options is to modify the MSS of the packet using ip tcp adjust-mss on the Interface in 877 connecting to your LAN.

Let me know if one of these works

0 Helpful

michael.leblanc
Level 4
Level 4

‎06-04-2008 06:40 AM

Too small? I wouldn't think so.

When adding IPsec encapsulation, or GRE and IPSec encapsulation (our scenario, not yours), you sometimes run into fragmentation issues due to the Path MTU. In these circumstances, you would "decrease" the IP MTU on the appropriate interface to make room for the additional headers (GRE, IPSec).

e.g.: We use "ip mtu 1400" on our GRE tunnel interfaces to avoid fragmentation issues.

Reducing the IP MTU on the interface to an appropriate level means that you don't encounter fragmentation issues during the GRE or IPSec encapsulation processes (during Path MTU Discovery).

You should make sure that Path MTU discovery is enabled on your devices. This command may not show up in your configuration if it is the default:

ip tcp path-mtu-discovery

The "default" IP MTU on your interfaces is not likely to be set too small.

I think you will need to identify another cause. You probably want to use a sniffer to see what is happening on the wire.

0 Helpful
Customers Also Viewed These Support Documents