Unanswered Question
Sep 12th, 2008

I have 2 sites that are connected through an IPsec VPN between 2 PIX 525 firewalls, and I have replication between 2 NetApp storage devices that is not performing; it appears that MTU and fragmentation are affecting it. When I do a ping with size 1500 from one side to the other it fails, and as I lower it to 1200 it succeeds. I told the firewall to fragment before encryption and set the inside and outside interfaces to 1200 MTU, and still no luck. Any ideas?

singhsaju Fri, 09/12/2008 - 11:01

Change the TCP MSS on PIXs

sysopt connection tcp-mss MSS_size_in_bytes

example : sysopt connection tcp-mss 1200
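The suggested MSS value is easier to choose when the tunnel overhead is actually counted. The following is an added example, not code from the thread or from Cisco: it models ESP tunnel-mode encapsulation on IPv4 (RFC 4303 sizes, CBC-mode IV and padding, 96-bit HMAC ICV) to show the largest inner packet a 1500-byte outside interface can carry unfragmented, the TCP MSS that follows from it, and why the pings in the original post behave as they do. The transform names and the default choice of AES-CBC with HMAC-SHA1 are assumptions; adjust them to the transform set actually configured. Two caveats the model makes visible: on Windows `ping -l 1500` sets the payload, so the datagram is 1528 bytes and fragments on any 1500-byte link even without a VPN (Cisco IOS `ping size 1500` sets the whole datagram size), and lowering the outside interface MTU shrinks the usable inner size rather than enlarging it, because the overhead is subtracted from that MTU.

```python
# Added example (not from the thread): model IPsec ESP tunnel-mode overhead on
# IPv4 to see what fits in the outside MTU and what TCP MSS to clamp to.
# Sizes follow RFC 4303 (ESP) and RFC 791 (IPv4); the cipher/ICV sizes are
# the usual CBC-mode values. The transform names below are assumptions.

IPV4_HDR = 20          # IPv4 header without options (outer and inner)
TCP_HDR = 20           # TCP header without options
ICMP_ECHO_HDR = 8      # ICMP echo request header
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
NAT_T_UDP = 8          # extra UDP header when NAT traversal (UDP/4500) is used

# (cipher block size == IV length for CBC modes, ICV length)
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 12),    # AES-CBC, HMAC-SHA1-96
    "esp-3des esp-sha-hmac": (8, 12),    # 3DES-CBC, HMAC-SHA1-96
    "esp-aes esp-md5-hmac": (16, 12),    # AES-CBC, HMAC-MD5-96
}


def esp_tunnel_len(inner_len, transform="esp-aes esp-sha-hmac", nat_t=False):
    """Wire length of an inner IPv4 packet of inner_len bytes after ESP
    tunnel-mode encapsulation."""
    block, icv = TRANSFORMS[transform]
    # ESP pads so that (data + pad + trailer) is a multiple of the cipher
    # block size; the pad is 0..block-1 bytes.
    pad = (-(inner_len + ESP_TRAILER)) % block
    total = IPV4_HDR + ESP_HDR + block + inner_len + pad + ESP_TRAILER + icv
    if nat_t:
        total += NAT_T_UDP
    return total


def max_inner_len(outer_mtu, transform="esp-aes esp-sha-hmac", nat_t=False):
    """Largest inner IPv4 packet the tunnel carries without fragmenting the
    encrypted packet on the outside interface."""
    for inner_len in range(outer_mtu, 0, -1):
        if esp_tunnel_len(inner_len, transform, nat_t) <= outer_mtu:
            return inner_len
    raise ValueError("outer MTU too small for this transform")


def recommended_mss(outer_mtu, transform="esp-aes esp-sha-hmac", nat_t=False):
    """TCP MSS to clamp to: largest inner packet minus IPv4 and TCP headers."""
    return max_inner_len(outer_mtu, transform, nat_t) - IPV4_HDR - TCP_HDR


def icmp_echo_len(payload_len):
    """IPv4 datagram size of an echo request carrying payload_len data bytes
    (Windows `ping -l N` sets the payload; IOS `ping size N` sets the
    whole datagram)."""
    return IPV4_HDR + ICMP_ECHO_HDR + payload_len


def ping_fits(payload_len, outer_mtu=1500, transform="esp-aes esp-sha-hmac",
              nat_t=False):
    """Does an echo request with this payload cross the tunnel unfragmented?"""
    return esp_tunnel_len(icmp_echo_len(payload_len), transform, nat_t) <= outer_mtu


if __name__ == "__main__":
    for name in TRANSFORMS:
        print(f"{name:24s} max inner {max_inner_len(1500, name)}"
              f"  MSS {recommended_mss(1500, name)}")
    for size in (1500, 1410, 1200):
        print(f"ping -l {size}: datagram {icmp_echo_len(size)} bytes,"
              f" fits={ping_fits(size)}")
    print("outside MTU lowered to 1200: max inner", max_inner_len(1200))
```

With AES-CBC/HMAC-SHA1 and a 1500-byte outside MTU the model gives 1438 bytes of usable inner packet, so an MSS of 1398 (or a rounder 1350 to 1380 if NAT-T or a different transform may be in play) is the value to put in `sysopt connection tcp-mss`; the 1200 in the reply above works but costs more throughput than it needs to. MSS clamping only affects TCP, so it cannot fix an oversized ICMP ping, which is why the ping test and the replication traffic have to be judged separately.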

bob.bartlett Fri, 09/12/2008 - 14:16

That didn't seem to help; I still can't ping across with a ping set to 1500 MTU.

Farrukh Haroon Sat, 09/13/2008 - 00:39

Try this on both sides (PIX firewalls):

crypto ipsec df-bit clear-df outside

Where 'outside' is your egress VPN interface.
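What the DF bit changes is the forwarding decision for a datagram that does not fit the next link: with DF set, the hop drops it and sends back ICMP "fragmentation needed", which only helps if that ICMP actually reaches the sender; with DF clear, the hop fragments and forwards. The following is an added example, not PIX code and not from the thread: it models that decision per RFC 791, including the 8-byte fragment-offset granularity, a reassembly check, and the PMTUD black hole that results when ICMP is filtered somewhere on the path. The `clear_df` and `icmp_reaches_sender` parameters are illustrative names chosen here.

```python
# Added example (not from the thread): a model of what an IPv4 hop does with a
# datagram larger than the next-hop MTU, depending on the DF bit. It is not
# PIX code; it contrasts honouring DF (drop + ICMP "fragmentation needed",
# which the sender's PMTUD depends on) with clearing it (fragment and forward).
# Sizes follow RFC 791; parameter names are this example's own.

IPV4_HDR = 20


def fragment_ipv4(total_len, link_mtu, ip_hlen=IPV4_HDR):
    """Split a datagram of total_len bytes into fragments that fit link_mtu.
    Every fragment except the last carries a payload that is a multiple of
    8 bytes, because the fragment offset field counts 8-byte units.
    Returns (offset_in_8byte_units, fragment_total_len, more_fragments)."""
    if link_mtu < ip_hlen + 8:
        raise ValueError("link MTU too small to fragment")
    payload = total_len - ip_hlen
    max_chunk = (link_mtu - ip_hlen) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        chunk = min(max_chunk, payload - offset)
        frags.append((offset // 8, ip_hlen + chunk, offset + chunk < payload))
        offset += chunk
    return frags


def reassemble_len(frags, ip_hlen=IPV4_HDR):
    """Check that the fragments are contiguous and return the original length."""
    expected = 0
    ordered = sorted(frags)
    for off, flen, _more in ordered:
        if off * 8 != expected:
            raise ValueError("gap or overlap at offset %d" % expected)
        expected += flen - ip_hlen
    if ordered and ordered[-1][2]:
        raise ValueError("last fragment still has MF set")
    return ip_hlen + expected


def forward(total_len, df_set, link_mtu, clear_df=False,
            icmp_reaches_sender=True):
    """Outcome for one datagram at a hop whose next link has link_mtu.
    clear_df models a device configured to strip DF before forwarding;
    icmp_reaches_sender=False models a path that filters ICMP, i.e. a
    PMTUD black hole."""
    if total_len <= link_mtu:
        return ("forwarded", [total_len])
    if df_set and not clear_df:
        if icmp_reaches_sender:
            return ("icmp_frag_needed", link_mtu)   # sender's PMTUD learns the MTU
        return ("black_hole", None)                 # silent loss: stalls, no error
    return ("fragmented",
            [flen for _, flen, _ in fragment_ipv4(total_len, link_mtu)])


if __name__ == "__main__":
    # constructed case: a 1528-byte datagram (ping -l 1500) into a 1500-byte link
    for df, clear in ((False, False), (True, False), (True, True)):
        print(f"DF={df} clear-df={clear}: {forward(1528, df, 1500, clear)}")
    print("ICMP filtered:", forward(1528, True, 1500, icmp_reaches_sender=False))
```

The practical check this suggests: if large pings fail but small ones work and nothing on the path returns "fragmentation needed" (`ping -f -l <size>` on Windows, or `ping ... df-bit size <n>` on IOS, should produce an explicit error rather than a timeout), ICMP type 3 code 4 is being filtered somewhere and PMTUD has no way to converge; clearing DF on the tunnel, as the reply above suggests, sidesteps that by letting the firewall fragment instead of waiting on a message that never arrives.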



bob.bartlett Tue, 09/16/2008 - 06:32

Where is the appropriate place to tell the PIX what the MSS size should be?
