Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
1
Replies

strange mtu problem on site to site vpn

be04376
Level 1
Level 1

‎09-04-2009 08:05 AM

Hi,

I have a strange problem.

I cant send packets between 1400 and 1480 bytes to a remote site connected through a aes-256_sha vpn tunnel. This is causing alot of connection problems.

when i send those packets a see a log entry "No translation group found for icmp src outside:x.x.x.x dst inside:192.168.1.65 (type 3, code 4)"

192.168.1.65 is my station i send the packets from and x.x.x.x is the outside ip address of the asa. The x.x.x.x address is used the nat all the outgoing connections

I tried the command crypto ipsec fragmentation before-encryption outside but that didn't helped.

Any ideas?

Labels:
0 Helpful
1 Reply 1

be04376
Level 1
Level 1

‎09-04-2009 09:21 AM

Hi,

i just used the command crypto ipsecdf-bit clear and now the packets get trough.

not sure why the asa thinks he can't fragment. I didn't set the dont fragment bit i used ping -s 1400 10.254.9.13 ( and not the -M do option)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents