08-17-2010 09:37 AM - edited 02-21-2020 04:47 PM
How can I test the MTU size going over an IPsec tunnel from an ASA 5520 to an ASA 5510? I am concerned that the issues with my equipment are due to insufficient MTU size.
08-17-2010 10:11 AM
You can use extended ping to see the size of packet that you can send over the tunnel with the DF bit set (do not fragment). For example:

If you have two Windows machines, one on each side of the VPN, with IP addresses 10.2.2.10 and 10.3.3.10, ping from 10.2.2.10 using:

ping 10.3.3.10
reply success

ping 10.3.3.10 -l 1500 -f { where -l 1500 sets the MTU to 1500 and -f says do not fragment }
packet needs to be fragmented but DF set
packet needs to be fragmented but DF set

ping 10.3.3.10 -l 1300 -f
packet needs fragmentation but DF set

ping 10.3.3.10 -l 1270 -f
reply success
reply success

Thanks,
Manish
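
The manual narrowing-down in the answer above can be automated. The following is an added example, not part of the original post: a Python sketch that binary-searches the largest ping payload that still gets a reply with DF set. The function names and the 1472-byte upper bound are assumptions; the ping size option sets the ICMP payload, so the IP packet on the wire is 28 bytes larger (20-byte IPv4 header plus 8-byte ICMP header).

```python
import platform
import re
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def df_ping(host, payload):
    """Send one echo request with DF set; True only if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:  # Linux iputils ping; other platforms use different flags
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    # Match on the reply line instead of trusting the exit code.
    return re.search(r"ttl=\d+", out, re.IGNORECASE) is not None


def largest_df_payload(probe, low=0, high=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    Returns None when even the smallest payload gets no reply (host down or
    ICMP filtered), so that case is not mistaken for a tiny MTU.
    Assumes replies succeed up to some size and fail above it.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always narrows
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


if __name__ == "__main__":
    host = "10.3.3.10"  # far-side host from the answer above
    best = largest_df_payload(lambda size: df_ping(host, size))
    if best is None:
        print("no reply even at the smallest size; check reachability first")
    else:
        print(f"largest DF payload: {best} bytes "
              f"(IP packet size {best + IP_ICMP_OVERHEAD})")
```

Run it from a host behind one ASA against a host behind the other, as with the manual pings; it needs about 11 probes to cover the 0 to 1472 range.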