Test MTU Size Over IPSEC Tunnel

Answered Question
Aug 17th, 2010
User Badges:

How can I test the MTU size going over a IPSEC tunnel from a ASA 5520 to a ASA 5510? I am having concerns that the issues with my equipment are due to insufficient MTU size.

Correct Answer by manish arora about 6 years 8 months ago

You can use extended ping to see the size of packet that you can send over the tunnel with DF bit

set do not fragment. for ex :-


if you have two windows machines , one on each side of the vpn with ip add 10.2.2.10 and 10.3.3.10.

ping from 10.2.2.10 using :-


ping 10.3.3.10


reply success


ping 10.3.3.10 -l 1500 -f  { where -l 1500 sets the MTU to 1500 and -f says do not fragment }

packet needs to be fragmentated but df set

packet needs to be fragmentated but df set



ping 10.3.3.10 -l 1300 -f


packets needs fragmentation but df set


ping 10.3.3.10 -l 1270 -f


reply success

reply success


thanks

manish

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
manish arora Tue, 08/17/2010 - 10:11
User Badges:
  • Silver, 250 points or more

You can use extended ping to see the size of packet that you can send over the tunnel with DF bit

set do not fragment. for ex :-


if you have two windows machines , one on each side of the vpn with ip add 10.2.2.10 and 10.3.3.10.

ping from 10.2.2.10 using :-


ping 10.3.3.10


reply success


ping 10.3.3.10 -l 1500 -f  { where -l 1500 sets the MTU to 1500 and -f says do not fragment }

packet needs to be fragmentated but df set

packet needs to be fragmentated but df set



ping 10.3.3.10 -l 1300 -f


packets needs fragmentation but df set


ping 10.3.3.10 -l 1270 -f


reply success

reply success


thanks

manish

Actions

This Discussion

Related Content