
pix - mtu path discovery (outside/inside)?

matt.walls
Level 1

Could someone point out an advantage/disadvantage of either of these two approaches to deal with MTU path discovery issues? (1) The first one is to allow the 'packet needs to be frag'd but DF set' through the use of an ACL. (2) The second is done through setting the outside interface to the same as my VPN tunnel (1440), and leaving the inside at the standard Ethernet 1500 MTU. Here is my config on my PIX.

=MTU testing====================

access-list MTU-TEST remark MTU-PATH Discovery

access-list MTU-TEST permit icmp 172.x.0.0 255.255.0.0 any unreachable

access-list MTU-TEST permit icmp 172.x.0.0 255.255.0.0 any unreachable

access-list MTU-TEST remark Permit inbound ping response (and traceroute)

access-list MTU-TEST permit icmp any any echo-reply

access-group MTU-TEST in interface outside

======MTU setting on interface ========

access-list MTU-1440-OUTSIDE remark MTU-PATH Discovery

access-list MTU-1440-OUTSIDE remark Permit inbound ping response (and traceroute)

access-list MTU-1440-OUTSIDE permit icmp any any echo-reply

access-group MTU-1440-OUTSIDE in interface outside

mtu outside 1440


mlowery
Level 1

My problems with path discovery have always been solved with the command:

sysopt connection tcpmss 1440

I have never tried using an ACL to do that.
