Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
989
Views
0
Helpful
4
Replies

Trying to find the highest possible MTU

thomas.schmitz
Level 1
Level 1

‎04-26-2002 05:54 AM - edited ‎02-20-2020 10:02 PM

Hello,

I try to find out, wich is the highest possible MTU. So I send a PING -L XXXX -F to the Pix outside, from outside. XXXX is standing for the bytes.

PING xxx.xxx.xxx.xxx -L 992 (and lower) -F

I got a reply

PING xxx.xxx.xxx.xxx -L 993 (up to1472) -F

the ping timed out

PING xxx.xxx.xxx.xxx -L 1473 (and higher) -F

Fragmentation is needed

I don't understand, why it timed out between 993 an 1472.

If i try the same to a router (same internet connection), the ping works up to 1472, with no time out. Upeer 1472 I get the fragmentation message.

Have enyone an answer?

Thomas

0 Helpful
4 Replies 4

ssoberlik
Level 4
Level 4

‎05-02-2002 12:45 PM

You might consider pre-fragmentation before the packet enters the tunnel. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e11/lokahead.htm for details. I hope this helps.

0 Helpful

thomas.schmitz
Level 1
Level 1
In response to ssoberlik

‎05-03-2002 01:54 AM

My problem occurs also without any encryption. I'm connected to the internet and send a ping to the outside interface of the PIX. First a thought it is a problem with the router from the ISP, but we have also a CISCO 1605 connected to the same ISP router and there the ping work realy fine until 1472 bytes the I get the message fragmentition needed.

If I'm connected via the VPN Client 3.51 and send a ping to inside, I get the same results, but additional on the PIX, if debug ipsec is on, a message like this: IPSEC(ipsec_cipher_handler): ERR: bad pkt 10.1.80.3->10.1.1.1

I searched in the errordecoder from Cisco, but there are no results.

By the way, the pre-fragmentation is by default on and I didn't switch it off. It occurs not in IPSEC transfermode, which I'm using.

0 Helpful

fbenny
Level 1
Level 1

‎08-04-2004 05:23 PM

Hi Thomas,

I have the same problem that you described in this post. In my case it is between two PIX that have a site-to-site VNP between them.

And also, I my case the PING timed out at 993.

Do you have a work-around?

Thanks

Frank

0 Helpful

fzink
Level 1
Level 1
In response to fbenny

‎02-25-2005 02:37 AM

Hello,

I'am investiguated on the same issue. Did you get an answer? Do you have a workaround?

Regards,

Frédéric

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card