PIX: VPN-Tunnel across small MTU link

Unanswered Question
Jul 14th, 2009

Dear all

I have a problem with a customer who is not able to send traffic through his VPN tunnels when a link with reduced MTU is involved.

Normally everything works fine when the connection with MTU 1500 on all links is used.

But in case this connection fails, we automatically use another way:

LAN<--->PIX<--->R2<--(mtu 1460)-->Internet

And in this case the VPN tunnels come up, but the applications are of course facing problems.

The PIX 506 runs version 6.3(5) and handles static site-to-site VPN sessions to different kinds of VPN equipment.

My questions:

1. Is it possible to solve this problem entirely with proper configuration of the PIX alone?

2. If so, how exactly is one supposed to configure the PIX?

3. If not, what exactly is best practice to deal with this and make the tunnels work?

My customer already knows e.g.


and has tried a lot of things, including reducing the MTU of the computer in the LAN itself.

Any hint is really appreciated.



Ivan Martinon Tue, 07/21/2009 - 07:26

Hi Grischa,

Try setting the MSS to a lower value on both sides of the tunnel. On your PIX you would use "sysopt connection tcpmss XXXX"; I usually use 1300, but in your case you might need to set it lower. On your router, if any, you need to use "ip tcp adjust-mss XXXX". It will also help to enable fragmentation for the tunnel, which in the PIX is supposed to be enabled by default, and if a router is a VPN headend you would need to set "crypto ipsec df-bit clear".

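To put numbers behind the MSS advice in the reply above, here is an added example (editor's code, not from the original thread, from Cisco, or from either poster) that works out how large a TCP segment can be before ESP encapsulation pushes the packet past the 1460-byte path MTU in the question. It assumes IPv4, ESP in tunnel mode as used by a PIX site-to-site tunnel, no IP or TCP options, and the RFC 4303 on-wire layout (outer IP header, SPI + sequence, IV, payload padded to the cipher block size plus a 2-byte trailer, 96-bit HMAC ICV), with an extra UDP header when NAT-T is in use. The two transform sets are assumed typical choices for illustration; substitute your own block, IV and ICV sizes.

```python
"""ESP tunnel-mode size calculator: which TCP MSS keeps IPsec packets under a path MTU.

Added example for the thread above; not code from the original page.
Assumptions: IPv4, ESP tunnel mode (RFC 4303), no IP/TCP options,
96-bit truncated HMAC, NAT-T encapsulation per RFC 3948 when enabled.
"""
from dataclasses import dataclass

IP_HDR = 20
TCP_HDR = 20
UDP_HDR = 8        # only present with NAT-T (UDP 4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part
ICV_96 = 12        # HMAC-MD5-96 / HMAC-SHA1-96 authenticator


@dataclass(frozen=True)
class Transform:
    name: str     # label only; the numbers below are what matter
    block: int    # cipher block size: payload + trailer is padded to a multiple
    iv: int       # IV carried in the clear after the ESP header
    icv: int = ICV_96


# Assumed typical transform sets for the example (labels, not a PIX config).
AES_CBC_SHA1 = Transform("esp-aes esp-sha-hmac", block=16, iv=16)
DES3_CBC_MD5 = Transform("esp-3des esp-md5-hmac", block=8, iv=8)


def esp_tunnel_size(inner_len: int, t: Transform, nat_t: bool = False) -> int:
    """On-wire size of an ESP tunnel-mode packet carrying an inner IP packet."""
    # Encrypted part = inner packet + trailer, rounded up to the block size.
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + t.iv + padded + t.icv


def max_mss(path_mtu: int, t: Transform, nat_t: bool = False) -> int:
    """Largest TCP MSS whose full-size segment still fits the path MTU after ESP.

    Because of block padding, the best inner size is the largest multiple of
    the block size that fits in the remaining budget, minus the ESP trailer.
    """
    budget = path_mtu - IP_HDR - (UDP_HDR if nat_t else 0) - ESP_HDR - t.iv - t.icv
    inner_max = (budget // t.block) * t.block - ESP_TRAILER
    return inner_max - IP_HDR - TCP_HDR


def exceeds_path_mtu(mss: int, path_mtu: int, t: Transform, nat_t: bool = False) -> bool:
    """True if a full segment at this MSS would be fragmented (DF clear) or
    dropped (DF set) after encapsulation, i.e. the failure mode in the thread."""
    return esp_tunnel_size(IP_HDR + TCP_HDR + mss, t, nat_t) > path_mtu


if __name__ == "__main__":
    for mtu in (1500, 1460):
        for t in (AES_CBC_SHA1, DES3_CBC_MD5):
            for nat in (False, True):
                print(f"MTU {mtu} {t.name:<22} NAT-T={nat!s:<5} max MSS {max_mss(mtu, t, nat)}")
    # The situation in the question: hosts default to MSS 1460 (MTU 1500 - 40),
    # which cannot survive ESP over a 1460-byte path; the suggested 1300 can.
    print("MSS 1460 over MTU 1460 too big:", exceeds_path_mtu(1460, 1460, AES_CBC_SHA1))
    print("MSS 1300 over MTU 1460 too big:", exceeds_path_mtu(1300, 1460, AES_CBC_SHA1))
```

For the 1460-byte path in the question the calculator gives a ceiling of 1350 with AES-CBC/SHA1 and 1366 with 3DES/MD5 (1358 with NAT-T), so the 1300 suggested in the reply leaves comfortable headroom for either, while the PIX default of 1380 does not. Clamping the MSS only helps TCP; UDP-based applications still need the tunnel endpoints to fragment or clear the DF bit, which is the second half of the advice above.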
