Fragmentation

bob.bartlett · ‎09-12-2008

I have 2 sites that are connected through IPSEC VPN between 2 PIX 525 firewalls and i have replication between 2 NETAPP storage devices that is not performing and it appears that the MTU and fragmentation is affecting it. When i do a ping with size 1500 from one side to the other it fails and as I lower at 1200 it succeeds. I told the firewall to fragment before encryption and set the inside and outside interfaces to 1200 MTU and still no luck. Any ideas

singhsaju · ‎09-12-2008

Change the TCP MSS on PIXs

sysopt connection tcp-mss MSS_size_in_bytes

example : sysopt connection tcp-mss 1200

bob.bartlett · ‎09-12-2008

that didn't seem to help still can't ping across with a ping set to 1500 MTU

Farrukh Haroon · ‎09-13-2008

Try this on both sides (PIX firewalls):

crypto ipsec df-bit clear-df outside

Where 'outside' is your egress VPN interface.

Regards

Farrukh

andrew.prince · ‎09-14-2008

I agree with Farrukh - a solid solution, I would add one more thing, to fragement "BEFORE" encryption - not after:-

crypto ipsec fragmentation before-encryption outside.

I prefer to fragement a clear packet rather than an encrypted packet - jut my personal preference.

HTH>

bob.bartlett · ‎09-16-2008

Where is the appropriate place to tell the PIX what the MSS size should be?

andrew.prince · ‎09-16-2008

In the pix it's a global setting - you can;t define an interface or direction.

Any tcp - syn or syn ack that the firewall see's it will change the MSS to the configured value.

HTH>