
Howto force MTU fragmentation, ASA5505

Hi all,

I have an ASA5505 with a PPPoE WAN connection. In the last few days, I have been receiving packets with a 1500-byte MTU size with the "don't fragment" bit set.

The weird thing is, the PPPoE can handle only 1492 bytes.

Here is the log:

%ASA-6-602101: PMTU-D packet number bytes greater than effective mtu number dest_addr=dest_address, src_addr=source_address, prot=protocol

This message occurs when the security appliance sends an ICMP destination unreachable message and when fragmentation is needed, but the "don't-fragment" bit is set.

Here are the interface settings on the firewall:

....

mtu inside 1500

mtu outside 1492

....

sysopt connection tcpmss 1492

....

How can I force this packet to be defragmented? The ISP tells me that the problem is on the firewall.

Thanks,

Norbert

2 REPLIES

Re: Howto force MTU fragmentation, ASA5505

You may have to lower your tcpmss MTU or set the ip df value. This documentation should help; it states it is for use with VPN, but the same policies should apply:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml


Re: Howto force MTU fragmentation, ASA5505

Thanks for the reply.

I checked this document as well.

Using a lower MSS (sysopt connection tcpmss 1300) didn't fix it. "set ip df" only works on IOS, not on ASA.
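Added example (not part of the thread and not Cisco code): a Python script that parses 602101 messages in the format quoted in the first post, groups the oversize DF packets by source, destination and protocol, and computes the largest TCP MSS that fits the logged effective MTU. The log lines and addresses are constructed, and the exact spacing of a live message is assumed from the template in the post.

```python
import re
from collections import Counter

# Regex built from the 602101 template quoted in the thread; the optional
# comma after the MTU value is a tolerance added here (assumption).
PMTUD = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than "
    r"effective mtu (?P<mtu>\d+),? dest_addr=(?P<dst>[^,\s]+), "
    r"src_addr=(?P<src>[^,\s]+), prot=(?P<prot>\S+)"
)
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed sample lines (documentation address ranges), not real firewall output.
SAMPLE = [
    "%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 "
    "dest_addr=203.0.113.10, src_addr=192.168.1.20, prot=TCP",
    "%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 "
    "dest_addr=203.0.113.10, src_addr=192.168.1.20, prot=TCP",
    "%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 "
    "dest_addr=198.51.100.7, src_addr=192.168.1.30, prot=UDP",
    "%ASA-6-302013: Built outbound TCP connection (unrelated, constructed)",
]

def mss_for_mtu(mtu):
    """Largest TCP MSS whose full IPv4 packet still fits in `mtu`."""
    return mtu - IPV4_TCP_HEADERS

def summarize(lines):
    """Count oversize DF packets per (src, dst, prot); track the smallest MTU logged."""
    flows, min_mtu = Counter(), None
    for line in lines:
        m = PMTUD.search(line)
        if not m:
            continue  # not a 602101 message
        flows[(m["src"], m["dst"], m["prot"].upper())] += 1
        mtu = int(m["mtu"])
        min_mtu = mtu if min_mtu is None else min(min_mtu, mtu)
    return flows, min_mtu

def report(lines):
    flows, mtu = summarize(lines)
    return {
        "flows": dict(flows),
        "effective_mtu": mtu,
        "max_tcp_mss": mss_for_mtu(mtu) if mtu else None,
        # An MSS clamp only rewrites TCP SYN options, so it cannot help these flows.
        "not_fixed_by_mss_clamp": sorted(f for f in flows if f[2] not in ("TCP", "6")),
    }
```

For the 1492-byte PPPoE MTU in the thread this yields a maximum TCP MSS of 1452, and any non-TCP flow it lists will keep triggering 602101 regardless of the `sysopt connection tcpmss` value.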
