Has anybody seen the following before?

Keith Craycraft
Level 1

%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.y.22, src_addr=192.168.x.51, prot=TCP

Has anybody seen these in a Windows environment? The traffic is from a workstation to a file server.

MTU is set to 1500 at site x

MTU is set to 1500 at site y

This traffic is just hitting the VPN tunnel on the ASA at site y.

It is destined to go to site X; the VPN connects to another ASA there.

Any ideas on this?
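An added example, not part of the thread: a small parser for the %ASA-6-602101 message quoted above, which tallies the host pairs hitting the tunnel's effective MTU and derives the TCP MSS that would fit through it. The log lines are constructed for the example, and the MSS derivation assumes plain IPv4/TCP headers (40 bytes) with no options.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines modelled on the %ASA-6-602101 message quoted in
# the post; addresses and the unrelated 302013 connection line are made up.
SAMPLE_LOGS = """\
%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.20.22, src_addr=192.168.10.51, prot=TCP
%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1386, dest_addr=192.168.20.22, src_addr=192.168.10.51, prot=TCP
%ASA-6-302013: Built inbound TCP connection 4711 for outside:192.168.10.51/49152 (192.168.10.51/49152) to inside:192.168.20.22/445 (192.168.20.22/445)
%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.20.23, src_addr=192.168.10.77, prot=UDP
"""

# Field layout of the 602101 message exactly as it appears in the post.
PMTUD_RE = re.compile(
    r"%ASA-\d-602101: PMTU-D packet (?P<size>\d+) bytes greater than effective mtu "
    r"(?P<mtu>\d+), dest_addr=(?P<dst>[\d.]+), src_addr=(?P<src>[\d.]+), prot=(?P<proto>\w+)"
)
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


@dataclass(frozen=True)
class PmtuEvent:
    size: int           # size of the packet the ASA could not pass
    effective_mtu: int  # MTU left after the tunnel's IPsec overhead
    src: str
    dst: str
    proto: str

    @property
    def overshoot(self) -> int:
        return self.size - self.effective_mtu  # bytes too large for the tunnel


def parse_pmtud_event(line: str) -> Optional[PmtuEvent]:
    """Return a PmtuEvent for a 602101 line, or None for any other message."""
    m = PMTUD_RE.search(line)
    if not m:
        return None
    return PmtuEvent(int(m["size"]), int(m["mtu"]), m["src"], m["dst"], m["proto"])


def parse_log(text: str) -> List[PmtuEvent]:
    return [e for e in map(parse_pmtud_event, text.splitlines()) if e is not None]


def summarize(events: List[PmtuEvent]) -> Dict[str, object]:
    """Count affected host pairs and derive the TCP MSS that fits the tunnel."""
    pairs = Counter((e.src, e.dst, e.proto) for e in events)
    min_mtu = min((e.effective_mtu for e in events), default=None)
    mss = None if min_mtu is None else min_mtu - IPV4_TCP_HEADERS
    return {"pairs": pairs, "min_effective_mtu": min_mtu, "recommended_tcp_mss": mss}
```

Running `summarize(parse_log(SAMPLE_LOGS))` on the constructed lines reports an effective MTU of 1386 and a fitting MSS of 1346, with the 192.168.10.51 to 192.168.20.22 TCP pair seen twice.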

Accepted Solution

manish arora
Level 6

Hi Keith,

Can you please describe the topology a bit more? I am assuming that your workstation is connecting to the file share over a site-to-site tunnel, or the workstation is connecting using remote VPN to one firewall A and then the destination is across the site-to-site tunnel from that firewall A?

Also, you can try crypto ipsec df-bit clear-df outside on your firewalls; as its name says, this will clear the do-not-fragment bit for any packets getting into the tunnel.

Manish


    Remote site                                              Hub site

    wrkst -----switch----asa5500 ------l2l------ASA(vpn hub)------switch----- fileserver
                      (in place for 10 months)    (new install)

 

The workstation at the hub site is experiencing general issues with being able to communicate with a domain controller and have group policy objects applied, and with seeing the domain controller as a time source through the W32time service on the workstation.

Currently testing a new reg key on the workstation to resolve the issue; it shows some promise.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery   as a DWORD

PMTU discovery values: 0 or 1   (Default = 1)

When PMTU discovery is disabled, an MTU of 576 bytes is used for all non-local destination IP addresses.

This seems to work. Waiting on user feedback to see if this addresses all of their concerns.

I was thinking about "crypto ipsec df-bit clear-df outside"; I just have not found time to try it on the remote ASA.

Same document I found the reg key entries in. I like crypto ipsec df-bit clear-df outside as it globally affects traffic for more than one machine. Do not have to touch every machine, just the ASA.

So, this easily solved my problem:

crypto ipsec df-bit clear-df outside
