pix - mtu path discovery (outside/inside)?

Unanswered Question
Nov 21st, 2006
Could someone point out an advantage/disadvantage of either of these two approaches to deal with MTU path discovery issues? (1) The first one is to allow the 'packet needs to be frag'd but df set' through the use of an ACL. (2) The second is done through setting the outside interface to the same as my VPN tunnel (1440), and leaving the inside at the standard Ethernet 1500 MTU. Here is my config on my PIX.


=MTU testing====================

access-list MTU-TEST remark MTU-PATH Discovery

access-list MTU-TEST permit icmp 172.x.0.0 255.255.0.0 any unreachable

access-list MTU-TEST permit icmp 172.x.0.0 255.255.0.0 any unreachable

access-list MTU-TEST remark Permit inbound ping response (and traceroute)

access-list MTU-TEST permit icmp any any echo-reply

access-group MTU-TEST in interface outside


======MTU setting on interface ========

access-list MTU-1440-OUTSIDE remark MTU-PATH Discovery

access-list MTU-1440-OUTSIDE remark Permit inbound ping response (and traceroute)

access-list MTU-1440-OUTSIDE permit icmp any any echo-reply

access-group MTU-1440-OUTSIDE in interface outside

mtu outside 1440


mlowery@alliedt... Thu, 11/23/2006 - 00:49
My problems with path discovery have always been solved with the command:


sysopt connection tcpmss 1440


I have never tried using an ACL to do that.