How to force MTU fragmentation, ASA5505

Sep 16th, 2009

Hi all,

I have an ASA5505 with a PPPoE WAN connection. In the last few days, I have been receiving packets with a 1500-byte MTU size with the "don't fragment" bit set.

The weird thing is, the PPPoE can handle only 1492 bytes.

Here is the log:

%ASA-6-602101: PMTU-D packet number bytes greater than effective mtu number dest_addr=dest_address, src_addr=source_address, prot=protocol

This message occurs when the security appliance sends an ICMP destination unreachable message and when fragmentation is needed, but the "don't-fragment" bit is set.

Here are the interface settings on the firewall:


mtu inside 1500

mtu outside 1492


sysopt connection tcpmss 1492


How can I force this packet to be defragmented? The ISP tells me that the problem is on the firewall...



alig.norbert Wed, 09/16/2009 - 11:47

Thanks for the reply.

I checked this document as well.

Using a lower MSS (sysopt connection tcp-mss 1300) didn't fix it. "set ip df" only works on IOS, not on ASA.
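
An added example, not part of the original thread and not Cisco code: a small parser for the %ASA-6-602101 message template quoted in the question, which groups PMTU-D events per flow so you can see which senders keep emitting oversized "don't fragment" packets. The sample log lines, timestamps and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Pattern follows the %ASA-6-602101 template quoted in the thread.
PMTUD = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than "
    r"effective mtu (?P<mtu>\d+) dest_addr=(?P<dst>[^,\s]+), "
    r"src_addr=(?P<src>[^,\s]+), prot=(?P<prot>\S+)"
)

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
Sep 16 2009 11:02:10: %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 dest_addr=192.0.2.10, src_addr=198.51.100.7, prot=TCP
Sep 16 2009 11:02:11: unrelated message (constructed filler line)
Sep 16 2009 11:02:14: %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 dest_addr=192.0.2.10, src_addr=198.51.100.7, prot=TCP
Sep 16 2009 11:03:40: %ASA-6-602101: PMTU-D packet 1496 bytes greater than effective mtu 1492 dest_addr=192.0.2.22, src_addr=203.0.113.5, prot=UDP
"""

def parse_pmtud(line):
    """Return a dict for a 602101 line, or None for any other line."""
    m = PMTUD.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"], rec["mtu"] = int(rec["size"]), int(rec["mtu"])
    rec["excess"] = rec["size"] - rec["mtu"]  # bytes over the effective MTU
    return rec

def summarize(log_text):
    """Group PMTU-D events per (src, dst, prot): count and largest packet."""
    stats = defaultdict(lambda: {"count": 0, "max_size": 0, "mtu": 0})
    for line in log_text.splitlines():
        rec = parse_pmtud(line)
        if rec is None:
            continue
        s = stats[(rec["src"], rec["dst"], rec["prot"])]
        s["count"] += 1
        s["max_size"] = max(s["max_size"], rec["size"])
        s["mtu"] = rec["mtu"]
    return dict(stats)

def repeat_offenders(log_text, threshold=2):
    """Flows logged at least `threshold` times; a repeat suggests the
    sender did not lower its packet size after the ICMP unreachable."""
    flows = summarize(log_text)
    return sorted(k for k, v in flows.items() if v["count"] >= threshold)
```
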

