Has anybody seen the following before?

Answered Question
Mar 15th, 2011

%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.y.22, src_addr=192.168.x.51, prot=TCP

Anybody seen these in a Windows environment? The traffic is from a workstation to a file server.

MTU is set to 1500 at site x

MTU is set to 1500 at site y

This traffic is just hitting the VPN tunnel on the ASA at site y.

It is destined to go to site X; the VPN connects to another ASA there.

Any ideas on this?
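As an added example (not code from this thread), a small Python parser for the 602101 message quoted above: it pulls out the fields, computes how far each packet overshoots the effective tunnel MTU and the largest TCP MSS that would still fit (effective MTU minus a 20-byte IPv4 and 20-byte TCP header), and groups events per source/destination pair. The addresses in the sample lines are constructed.

```python
import re

# Message ID 602101 as quoted in the question: the ASA saw a packet larger than the
# tunnel's effective MTU (outer-interface MTU minus the IPsec/tunnel overhead).
PMTUD_RE = re.compile(
    r"%ASA-\d-602101: PMTU-D packet (?P<pkt>\d+) bytes greater than effective mtu "
    r"(?P<mtu>\d+), dest_addr=(?P<dst>[\d.]+), src_addr=(?P<src>[\d.]+), prot=(?P<proto>\w+)"
)
IPV4_HDR = 20  # IPv4 header without options
TCP_HDR = 20   # TCP header without options

def parse_pmtud(line):
    """Return the fields of one 602101 event, or None for any other syslog line."""
    m = PMTUD_RE.search(line)
    if m is None:
        return None
    pkt, mtu = int(m.group("pkt")), int(m.group("mtu"))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "packet_bytes": pkt,
        "effective_mtu": mtu,
        "excess_bytes": pkt - mtu,                # overshoot past the tunnel MTU
        "max_tcp_mss": mtu - IPV4_HDR - TCP_HDR,  # largest TCP segment that still fits
    }

def summarize(lines):
    """Group 602101 events per (src, dst) pair: count, smallest effective MTU, fitting MSS."""
    flows = {}
    for line in lines:
        ev = parse_pmtud(line)
        if ev is None:
            continue
        f = flows.setdefault((ev["src"], ev["dst"]),
                             {"count": 0, "min_effective_mtu": ev["effective_mtu"],
                              "max_tcp_mss": ev["max_tcp_mss"]})
        f["count"] += 1
        if ev["effective_mtu"] < f["min_effective_mtu"]:
            f["min_effective_mtu"] = ev["effective_mtu"]
            f["max_tcp_mss"] = ev["max_tcp_mss"]
    return flows

# Constructed sample lines (addresses made up) in the format quoted in the question.
SAMPLE_LOG = [
    "%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.10.22, src_addr=192.168.20.51, prot=TCP",
    "%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1386, dest_addr=192.168.10.22, src_addr=192.168.20.51, prot=TCP",
]
```

Run over a syslog export, the per-pair summary shows which hosts keep sending DF-marked packets that exceed the tunnel MTU and how much smaller their segments would have to be.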

Correct Answer
manisharora111 Tue, 03/15/2011 - 13:46

Hi Keith,

Can you please describe the topology a bit more? I am assuming that your workstation is connecting to the file share over a site-to-site, or the workstation is connecting using remote VPN to one firewall A and then the destination is across the site-to-site tunnel from that firewall A?

Also, you can try crypto ipsec df-bit clear-df outside on your firewalls; this will, as it says, clear the do-not-fragment bit for any packets getting into the tunnel.

Manish

kcraycraft Wed, 03/16/2011 - 04:45

    Remote site                                                                                                                         Hub site

    wrkst -----switch----asa5500 --------------l2l----------------------------------------------ASA(vpn hub)------switch----- fileserver

                               (in place for 10 months)                                          (new install)

The workstation at the hub site is experiencing general issues with being able to communicate with a domain controller, have group policy objects applied, and see the domain controller as a time source through the W32time service on the workstation.

Currently testing a new reg key on the workstation to resolve the issue; it shows some promise.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery   as a DWORD

PMTU discovery value 0 or 1   (Default = 1)

When PMTU discovery is disabled, an MTU of 576 bytes is used for all non-local destination IP addresses.

This seems to work. Waiting on user feedback to see if this addresses all of their concerns.

I was thinking about "crypto ipsec df-bit clear-df outside", just have not found time to try it on the remote ASA.

kcraycraft Wed, 03/16/2011 - 06:07

Same document I found the reg key entries in. I like crypto ipsec df-bit clear-df outside as it globally affects traffic for more than one machine. Do not have to touch every machine, just the ASA.

ppokorny25 Wed, 03/16/2011 - 07:24

So easily solved my problem:

crypto ipsec df-bit clear-df outside

Posted March 15, 2011 at 12:25 PM