09-12-2008 10:32 AM - edited 02-21-2020 03:00 AM
I have 2 sites that are connected through IPSEC VPN between 2 PIX 525 firewalls, and I have replication between 2 NETAPP storage devices that is not performing, and it appears that the MTU and fragmentation is affecting it. When I do a ping with size 1500 from one side to the other it fails, and as I lower it to 1200 it succeeds. I told the firewall to fragment before encryption and set the inside and outside interfaces to 1200 MTU and still no luck. Any ideas?
09-12-2008 11:01 AM
Change the TCP MSS on PIXs
sysopt connection tcp-mss MSS_size_in_bytes
example : sysopt connection tcp-mss 1200
09-12-2008 02:16 PM
That didn't seem to help; I still can't ping across with a ping set to 1500 MTU.
09-13-2008 12:39 AM
Try this on both sides (PIX firewalls):
crypto ipsec df-bit clear-df outside
Where 'outside' is your egress VPN interface.
Regards
Farrukh
09-14-2008 02:07 AM
I agree with Farrukh - a solid solution. I would add one more thing: to fragment "BEFORE" encryption - not after:
crypto ipsec fragmentation before-encryption outside
I prefer to fragment a clear packet rather than an encrypted packet - just my personal preference.
HTH
09-16-2008 06:32 AM
Where is the appropriate place to tell the PIX what the MSS size should be?
09-16-2008 06:37 AM
In the PIX it's a global setting - you can't define an interface or direction.
Any TCP SYN or SYN-ACK that the firewall sees, it will change the MSS to the configured value.
HTH
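An added example (my own, not code from the thread or from Cisco) that models the numbers behind the advice above: it estimates ESP tunnel-mode overhead for a given clear-text packet, shows why a 1500-byte inner packet cannot fit a 1500-byte link while a 1200-byte one can, derives an MSS value for sysopt connection tcp-mss, and models the pass/drop/fragment decision that the df-bit clear-df command changes. It assumes ESP with AES-CBC and HMAC-SHA1-96 over IPv4 without NAT-T; other transform sets change the constants.

```python
# Added example, not from the thread: estimate IPsec ESP tunnel-mode overhead
# and derive the TCP MSS a PIX 'sysopt connection tcp-mss' should clamp to.
# Assumed transform set: ESP AES-CBC (16-byte IV, 16-byte block) + HMAC-SHA1-96
# (12-byte ICV), IPv4, no NAT-T. Other transforms change the constants below.

IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after ESP
    tunnel-mode encapsulation (outer IP + ESP header + IV + ciphertext + ICV)."""
    # The encrypted region (inner packet + padding + ESP trailer) is padded to the
    # cipher block size, so the overhead varies with the packet length.
    padding = (-(inner_len + ESP_TRAILER)) % block
    size = IPV4_HEADER + ESP_HEADER + iv_len + inner_len + padding + ESP_TRAILER + icv_len
    return size + (8 if nat_t else 0)   # NAT traversal adds a UDP/4500 header


def max_clear_packet(link_mtu=1500, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Largest inner packet whose encapsulated form still fits link_mtu."""
    fixed = IPV4_HEADER + ESP_HEADER + iv_len + icv_len + (8 if nat_t else 0)
    encrypted_max = (link_mtu - fixed) // block * block   # whole cipher blocks only
    return encrypted_max - ESP_TRAILER


def recommended_mss(link_mtu=1500, **cipher):
    """MSS so that a full TCP segment, plus IP and TCP headers, fits the tunnel."""
    return max_clear_packet(link_mtu, **cipher) - IPV4_HEADER - TCP_HEADER


def tunnel_action(inner_len, df_set, clear_df=False, link_mtu=1500, **cipher):
    """Simplified model of the egress decision: 'pass' if the encapsulated packet
    fits, otherwise 'drop' when DF is honoured (the symptom in the thread) or
    'fragment' when DF is clear or the PIX clears it (crypto ipsec df-bit clear-df)."""
    if esp_tunnel_size(inner_len, **cipher) <= link_mtu:
        return "pass"
    if df_set and not clear_df:
        return "drop"
    return "fragment"


if __name__ == "__main__":
    for inner in (1500, 1200):
        print(inner, "->", esp_tunnel_size(inner), "bytes on the wire,",
              tunnel_action(inner, df_set=True))
    print("largest clear packet:", max_clear_packet(), "recommended MSS:", recommended_mss())
```

With these constants the largest clear-text packet that fits is 1438 bytes, so the MSS to clamp to is 1398; the 1200 used in the thread is simply a more conservative value.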