08-17-2010 09:37 AM - edited 02-21-2020 04:47 PM
How can I test the MTU size going over an IPSEC tunnel from an ASA 5520 to an ASA 5510? I am having concerns that the issues with my equipment are due to insufficient MTU size.
08-17-2010 10:11 AM
You can use extended ping with the DF (do not fragment) bit set to see the size of packet that you can send over the tunnel. For example:
If you have two Windows machines, one on each side of the VPN, with IP addresses 10.2.2.10 and 10.3.3.10,
ping from 10.2.2.10 using:
ping 10.3.3.10
reply success
ping 10.3.3.10 -l 1500 -f { where -l 1500 sets the MTU to 1500 and -f says do not fragment }
packet needs to be fragmentated but df set
packet needs to be fragmentated but df set
ping 10.3.3.10 -l 1300 -f
packets needs fragmentation but df set
ping 10.3.3.10 -l 1270 -f
reply success
reply success
thanks
manish
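The manual size search in the reply above can be automated with a binary search. This is an added example, not part of the original post; the function names and the 1272-byte limit of the simulated tunnel are constructed for illustration. On Windows, `-l` sets the ICMP payload size, and the IPv4 packet on the wire is 28 bytes larger (20-byte IP header plus 8-byte ICMP header).

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def windows_df_ping(host, size):
    """Send one echo request with DF set (-f) and a size-byte payload (-l)."""
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(size), host],
        capture_output=True, text=True,
    )
    # Require an echo reply line; error replies carry no TTL= field.
    return result.returncode == 0 and "TTL=" in result.stdout


def largest_df_payload(probe, low=0, high=1472):
    """Binary-search the largest payload for which probe(size) is True.

    Returns None when even the smallest probe fails (peer down or ICMP
    filtered), so an unreachable host is not reported as a tiny MTU.
    """
    if not probe(low):
        return None
    if probe(high):
        return high
    while high - low > 1:  # invariant: probe(low) passes, probe(high) fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def simulated_tunnel(limit):
    """Constructed stand-in for a tunnel: payloads up to limit bytes pass."""
    return lambda size: size <= limit


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run on Windows: python script.py 10.3.3.10
        probe = lambda size: windows_df_ping(sys.argv[1], size)
    else:                  # offline demo with a constructed 1272-byte limit
        probe = simulated_tunnel(1272)
    best = largest_df_payload(probe)
    if best is None:
        print("no reply even at the smallest size")
    else:
        print(f"largest DF payload {best}, path MTU {best + IP_ICMP_OVERHEAD}")
```

Run it from the host on one side of the VPN against the host on the other side, so the probes actually cross the tunnel.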