Problem with data through ip-sec VPN

Sep 14th, 2010

On the site we have a Cisco CISCO2921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX1427A14G
3 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.

On the site in the datacenter we have a USG300 from ZyXEL; at the customer site we have a fiber connection. On the fiber we have a 2921 router. On this router we've configured a subnet, and on one IP address behind the router we've placed another USG300. Between those USGs an IP-sec VPN is built.

From the beginning there were problems with 5 terminal server clients: when they were connected to the terminal server, the screen froze. Now we've changed MTU sizes and the terminal server connections are working properly, but when there is a print command it takes a lot of time.

In the router we see an error message:

2w5d: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer0: the fragment table has reached its maximum threshold 16

Maybe someone can help us?

Federico Coto F... Tue, 09/14/2010 - 12:53


You lower the MTU to prevent fragments with the IPsec overhead?

That's fine but you can also adjust the TCP MSS size to tell the internal applications to not exceed the size of the data sent.

This is the fix to the problem according to cisco:

1. %IP_VFR-4-FRAG_TABLE_OVERFLOW: [chars]: the fragment table has reached its maximum threshold [dec]

The number of datagrams being reassembled at any one time has reached its maximum limit.

Recommended Action: Increase the maximum number of datagrams that can be reassembled by entering the ip virtual-reassembly max-reassemblies number command, with number being the maximum number of datagrams that can be reassembled at any one time.
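
The MTU/MSS sizing discussed in this reply, worked through as an added example that is not part of the original thread. It assumes ESP tunnel mode over IPv4 with the cipher profiles listed in the code and a 1492-byte path MTU on Dialer0 (typical for PPPoE); the thread states none of these, so substitute the real tunnel parameters.

```python
# Added example: ESP tunnel-mode sizing to pick a TCP MSS that avoids fragments.
# All parameters below are assumptions, not values taken from the thread.
import math

OUTER_IP = 20     # outer IPv4 header, no options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes
NATT_UDP = 8      # extra UDP header when NAT traversal is in use

# profile name -> (cipher block size, IV length, ICV length) in bytes
PROFILES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
}

def esp_packet_size(inner_len, profile, natt=False):
    """On-wire size of the ESP packet that carries one inner IP packet."""
    block, iv, icv = PROFILES[profile]
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP + (NATT_UDP if natt else 0) + ESP_HDR + iv + padded + icv

def max_inner_packet(path_mtu, profile, natt=False):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    block, iv, icv = PROFILES[profile]
    room = path_mtu - OUTER_IP - (NATT_UDP if natt else 0) - ESP_HDR - iv - icv
    return (room // block) * block - ESP_TRAILER

def mss_clamp(path_mtu, profile, natt=False):
    """TCP MSS to advertise: inner packet minus 20-byte IP and 20-byte TCP headers."""
    return max_inner_packet(path_mtu, profile, natt) - 40

def fragments_on_wire(inner_len, path_mtu, profile, natt=False):
    """Number of IP fragments the ESP packet becomes on the outer path."""
    total = esp_packet_size(inner_len, profile, natt)
    if total <= path_mtu:
        return 1
    per_fragment = ((path_mtu - OUTER_IP) // 8) * 8  # fragment data is 8-byte aligned
    return math.ceil((total - OUTER_IP) / per_fragment)

if __name__ == "__main__":
    mtu = 1492  # assumed path MTU on the Dialer interface
    for name in PROFILES:
        print(name, "max inner packet:", max_inner_packet(mtu, name),
              "MSS:", mss_clamp(mtu, name),
              "fragments for a 1500-byte inner packet:",
              fragments_on_wire(1500, mtu, name))
```

Every full-size inner packet that becomes two fragments occupies one reassembly slot in the router's fragment table until its second fragment arrives, which is why a bulk transfer such as a print job can hit the threshold of 16 quickly.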


