Has anybody seen the following before?

Answered Question
Mar 15th, 2011

%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.y.22, src_addr=192.168.x.51, prot=TCP

Anybody seen these in a Windows environment? The traffic is from a workstation to a file server.

MTU is set to 1500 at site x

MTU is set to 1500 at site y

This traffic is just hitting the VPN tunnel on the ASA at site y.

It is destined to go to site X; the VPN connects to another ASA there.

Any ideas on this?

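As an added example (not part of the original thread): a small Python script that parses ASA 602101 syslog lines like the one quoted above and, per source/destination pair, works out the IPsec tunnel overhead relative to the 1500-byte LAN MTU from the posts and the TCP MSS a host would need to stay under the effective MTU. The sample log lines are constructed, and the 20-byte IPv4 and TCP header sizes are assumptions.

```python
import re

# Constructed sample syslog lines (not from a real device), in the 602101
# format quoted in the question plus one unrelated message to be ignored.
SAMPLE_LOGS = """\
%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.y.22, src_addr=192.168.x.51, prot=TCP
%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1386, dest_addr=192.168.y.22, src_addr=192.168.x.77, prot=TCP
%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.x.51/49152 (192.168.x.51/49152) to inside:192.168.y.22/445 (192.168.y.22/445)
"""

PMTU_RE = re.compile(
    r"%ASA-\d-602101: PMTU-D packet (?P<size>\d+) bytes greater than "
    r"effective mtu (?P<mtu>\d+), dest_addr=(?P<dst>\S+), "
    r"src_addr=(?P<src>\S+), prot=(?P<prot>\w+)"
)

IP_HDR = 20   # bytes, IPv4 header without options (assumption)
TCP_HDR = 20  # bytes, TCP header without options (assumption)


def parse_pmtu_events(text):
    """Return one dict per 602101 line; any other message is skipped."""
    events = []
    for line in text.splitlines():
        m = PMTU_RE.search(line)
        if m:
            d = m.groupdict()
            d["size"], d["mtu"] = int(d["size"]), int(d["mtu"])
            events.append(d)
    return events


def summarize(events, link_mtu=1500):
    """Per (src, dst) pair: how often the message fired, the largest packet
    seen, the tunnel overhead relative to the LAN MTU, and the TCP MSS that
    would keep full-size segments under the effective MTU without PMTU-D."""
    out = {}
    for e in events:
        s = out.setdefault((e["src"], e["dst"]),
                           {"count": 0, "max_packet": 0, "effective_mtu": e["mtu"]})
        s["count"] += 1
        s["max_packet"] = max(s["max_packet"], e["size"])
        s["effective_mtu"] = min(s["effective_mtu"], e["mtu"])
    for s in out.values():
        s["tunnel_overhead"] = link_mtu - s["effective_mtu"]
        s["safe_tcp_mss"] = s["effective_mtu"] - IP_HDR - TCP_HDR
    return out


if __name__ == "__main__":
    for (src, dst), s in summarize(parse_pmtu_events(SAMPLE_LOGS)).items():
        print(f"{src} -> {dst}: {s}")
```

Run against a real ASA syslog export, the per-pair counts show which hosts keep sending full-size DF packets and the overhead figure tells you how much the tunnel is eating from the 1500-byte path.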
Correct Answer by manisharora111 about 3 years 11 months ago

Hi Keith,

Can you please describe the topology a bit more? I am assuming that your workstation is connecting to the file share over a site-to-site tunnel, or the workstation is connecting using remote VPN to one firewallA and then the destination is across the site-to-site tunnel from that firewallA?

Also, you can try crypto ipsec df-bit clear-df outside on your firewalls; this will, as it says, clear the do-not-fragment bit for any packets getting into the tunnel.

Manish


kcraycraft Wed, 03/16/2011 - 04:45

    Remote site                                                               Hub site

    wrkst -----switch----asa5500 --------------l2l----------------------------ASA(vpn hub)------switch----- fileserver
                         (in place for 10 months)                             (new install)

The workstation at the hub site is experiencing general issues with being able to communicate with a domain controller and have group policy objects applied, and with seeing the domain controller as a time source through the W32time service on the workstation.

Currently testing a new reg key on the workstation to resolve the issue; it shows some promise.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery   as a DWORD

PMTU discovery values: 0 or 1   (default = 1)

When PMTU discovery is disabled, an MTU of 576 bytes is used for all non-local destination IP addresses.

This seems to work. Waiting on user feedback to see if this addresses all of their concerns.

I was thinking about "crypto ipsec df-bit clear-df outside", just have not found time to try it on the remote ASA.

kcraycraft Wed, 03/16/2011 - 06:07

Same document I found the reg key entries in. I like the crypto ipsec df-bit clear-df outside as it globally affects traffic for more than one machine. Do not have to touch every machine, just the ASA.

Posted March 15, 2011 at 12:25 PM