How to force MTU fragmentation, ASA5505

Unanswered Question
Sep 16th, 2009

Hi all,


I have an ASA5505 with a PPPoE WAN connection. For the last few days, I have been receiving packets with a 1500-byte MTU size with the "don't fragment" bit set.

The weird thing is, the PPPoE can handle only 1492 bytes.


Here is the log:

%ASA-6-602101: PMTU-D packet number bytes greater than effective mtu number dest_addr=dest_address, src_addr=source_address, prot=protocol

This message occurs when the security appliance sends an ICMP destination unreachable message and when fragmentation is needed, but the "don't-fragment" bit is set.


Here are the interface settings on the firewall:

....
mtu inside 1500
mtu outside 1492
....
sysopt connection tcpmss 1492
....



How can I force this packet to be defragmented? The ISP tells me that the problem is on the firewall...


Thanks,

Norbert



alig.norbert Wed, 09/16/2009 - 11:47

Thanks for the reply.


I checked this document as well.


Using a lower MSS (sysopt connection tcpmss 1300) didn't fix it. "set ip df" only works on IOS, not on ASA.
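
An added example (not part of the thread, and not Cisco code): it groups %ASA-6-602101 events by flow using the message template quoted in the first post and, for TCP flows, reports the largest MSS that fits the effective MTU. The log lines are constructed, the `prot` values are assumed to be protocol names, and the 40-byte overhead assumes IPv4 and TCP headers without options.

```python
import re
from collections import defaultdict

# Field layout follows the message template quoted in the thread; the values
# in SAMPLE_LOG are constructed for this example (documentation addresses).
PMTUD_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than "
    r"effective mtu (?P<mtu>\d+) dest_addr=(?P<dst>[^,\s]+), "
    r"src_addr=(?P<src>[^,\s]+), prot=(?P<prot>\S+)"
)

SAMPLE_LOG = """\
Sep 16 2009 11:02:10: %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 dest_addr=192.0.2.10, src_addr=198.51.100.7, prot=TCP
Sep 16 2009 11:02:11: %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 dest_addr=192.0.2.10, src_addr=198.51.100.7, prot=TCP
Sep 16 2009 11:02:15: %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 dest_addr=192.0.2.20, src_addr=203.0.113.5, prot=UDP
Sep 16 2009 11:02:16: %ASA-6-302013: Built outbound TCP connection (unrelated line)
"""

IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 + 20-byte TCP header, no options

def max_tcp_mss(effective_mtu):
    """Largest TCP payload that fits in one unfragmented IPv4 packet."""
    return effective_mtu - IP_TCP_HEADERS

def summarize(log_text):
    """Group 602101 events by flow; report overshoot and, for TCP, a fitting MSS."""
    flows = defaultdict(lambda: {"count": 0, "max_size": 0, "mtu": 0})
    for line in log_text.splitlines():
        m = PMTUD_RE.search(line)
        if not m:
            continue  # not a PMTU-D event
        f = flows[(m["src"], m["dst"], m["prot"].upper())]
        f["count"] += 1
        f["max_size"] = max(f["max_size"], int(m["size"]))
        f["mtu"] = int(m["mtu"])
    report = []
    for (src, dst, prot), f in sorted(flows.items()):
        report.append({
            "src": src, "dst": dst, "prot": prot, "events": f["count"],
            "overshoot": f["max_size"] - f["mtu"],
            # MSS exists only for TCP; an MSS setting cannot shrink other traffic.
            "fitting_mss": max_tcp_mss(f["mtu"]) if prot == "TCP" else None,
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```
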

