ip tcp adjust-mss & mtu size

mulhollandm · ‎01-30-2010

folks

i have a site to site vpn with possible mtu issues

i have configured the ip tcp adjust-mss 1300 command on both the lan side closest to the AD servers and on the interface facing the wan on my local router

the vpn doesn't start on the routers but on an attached hardware encryptor

there is another hardware encryptor on the remote site

i also have a route-map applied to the external/wan interface of my local router

route-map clear-DF permit 10
match ip address 150
set ip df 0

ACL 150 is permit tcp any any

this has resolved lots of issues i was having with users trying to get authenticated internet access from the remote site across the vpn but i'm getting reports of problems adding new machines to the remote lan and with applying group policy

can someone advise

- should i set the mtu as well as configuring the ip tcp adjust-mss 1300 command

- are there any relevant config guides for a site to site vpn and using adjust-mss

i've attached a basic topology so hopefully it will help

thanks to anyone taking the time to read this or to reply

greatly appreciated

Reza Sharifi · ‎01-30-2010

Hi

Are you using type-1 encryption devices?

Reza

mulhollandm · ‎01-31-2010

reza

it is a type-1 box, tamper resistant etc

thanks

milan.kulik · ‎02-02-2010

Hi,

this might help a little:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

What are your current problems in details?

HTH,

Milan