ASA-IPSEC L2L with GRE Tunnel doesn't work

Aug 14th, 2008

We have an ASA-to-ASA connection between 2 buildings with IPsec and a GRE tunnel between them, because we use EIGRP for this network. The tunnel is OK and works perfectly, but I get syslog messages like:

Aug 13 17:04:54 FWH50031 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside: dst inside: (type 3, code 4) on outside interface. Original IP payload: <unknown>.

Aug 13 17:05:04 FWH50031 %ASA-6-602101: PMTU-D packet 1462 bytes greater than effective mtu 1434, dest_addr=, src_addr=, prot=GRE

and we can't find anything from Cisco on how to adjust the PMTU-D size on the GRE tunnel.


Farrukh Haroon Thu, 08/14/2008 - 02:07

Try this on both routers:

interface tun X
 ip mtu 1400
 ip tcp adjust-mss 1360

You have to set this on both ends.



ksimsimon Thu, 08/14/2008 - 02:19

Hello Farrukh,

Thanks for the fast response.

The command ip tcp adjust-mss 1360 doesn't work on both routers. It's a 6500; sh ver:

Cisco Internetwork Operating System Software

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)

srs282k3(config)#int tunnel 0

srs282k3(config-if)#ip tcp ?

compression-connections Maximum number of compressed connections

header-compression Enable TCP header compression

srs282k3(config-if)#ip tcp

I have now configured on both sides:

srs282k3(config-if)#ip mtu 1416

srs282k3(config-if)#tunnel path-mtu-discovery


and will start the next attempt to test this.



Farrukh Haroon Thu, 08/14/2008 - 03:27

This command was introduced in 12.2(33)SXH I think.

Make sure you have PMTUD enabled through the firewall (particularly the packet-too-big ICMP type).



ksimsimon Thu, 08/14/2008 - 03:32

Hello Farrukh,

I have a standard config for the ASAs. What does this packet-too-big ICMP type mean?

Do you have an example for this?



Farrukh Haroon Thu, 08/14/2008 - 04:08

It is just an ICMP type, like 'echo' or 'echo-reply'.
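
The following is an added example, not part of the thread or written by any participant: it parses the %ASA-6-602101 message quoted above and checks the two tunnel `ip mtu` values mentioned in the thread (1400 and 1416) against the reported effective MTU. It assumes plain GRE over IPv4 (24 bytes of overhead, no key/sequence/checksum options), option-free IPv4/TCP headers, and that the effective MTU in the message applies to the whole GRE packet; the function names are hypothetical.

```python
import re

# Assumptions (not stated in the thread): plain GRE over IPv4 with no key,
# sequence or checksum options, and inner IPv4/TCP headers without options.
GRE_OVERHEAD = 20 + 4       # outer IPv4 header + base GRE header
TCP_IP_HEADERS = 20 + 20    # inner IPv4 header + TCP header

PMTUD_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than "
    r"effective mtu (?P<mtu>\d+), dest_addr=(?P<dst>[^,]*), "
    r"src_addr=(?P<src>[^,]*), prot=(?P<prot>\S+)"
)

def parse_602101(line):
    """Return (packet_size, effective_mtu, protocol), or None if no match."""
    m = PMTUD_RE.search(line)
    if m is None:
        return None
    return int(m["size"]), int(m["mtu"]), m["prot"]

def max_tunnel_ip_mtu(effective_mtu):
    """Largest inner packet whose GRE-encapsulated form still fits."""
    return effective_mtu - GRE_OVERHEAD

def check_tunnel_mtu(ip_mtu, effective_mtu):
    """Return (fits, gre_packet_size, matching_mss) for a tunnel 'ip mtu'."""
    gre_size = ip_mtu + GRE_OVERHEAD
    return gre_size <= effective_mtu, gre_size, ip_mtu - TCP_IP_HEADERS

# The two syslog lines quoted in the thread (addresses are blank there).
THREAD_LOG = [
    "Aug 13 17:04:54 FWH50031 %ASA-4-313005: No matching connection for ICMP "
    "error message: icmp src outside: dst inside: (type 3, code 4) on outside "
    "interface. Original IP payload: <unknown>.",
    "Aug 13 17:05:04 FWH50031 %ASA-6-602101: PMTU-D packet 1462 bytes greater "
    "than effective mtu 1434, dest_addr=, src_addr=, prot=GRE",
]

def analyse(lines, candidates=(1400, 1416)):
    """Check each candidate 'ip mtu' from the thread against every GRE hit."""
    report = []
    for line in lines:
        parsed = parse_602101(line)
        if parsed is None or parsed[2] != "GRE":
            continue
        eff = parsed[1]
        report.append({"effective_mtu": eff,
                       "max_ip_mtu": max_tunnel_ip_mtu(eff),
                       "candidates": {c: check_tunnel_mtu(c, eff) for c in candidates}})
    return report
```

Under these assumptions, a tunnel `ip mtu` of 1400 produces 1424-byte GRE packets that fit the 1434-byte effective MTU, while 1416 produces 1440-byte packets that do not.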



