09-16-2009 04:41 AM - edited 03-11-2019 09:16 AM
Hi all,
I have an ASA5505 with a PPPoE WAN connection. In the last few days, I have been receiving packets of 1500 bytes with the "don't fragment" bit set.
The weird thing is, the PPPoE link can handle only 1492 bytes.
Here is the log:
%ASA-6-602101: PMTU-D packet number bytes greater than effective mtu
number dest_addr=dest_address, src_addr=source_address, prot=protocol
This message occurs when the security appliance sends an ICMP destination unreachable message and when fragmentation is needed, but the "don't-fragment" bit is set.
Here are the interface settings on the firewall:
....
mtu inside 1500
mtu outside 1492
....
sysopt connection tcpmss 1492
....
How can I force it to defragment this packet? The ISP tells me that the problem is on the firewall.....
Thanks,
Norbert
09-16-2009 10:31 AM
You may have to lower your tcpmss MTU or set the ip df value. This documentation should help; it states it is for use with VPN, but the same policies should apply:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
09-16-2009 11:47 AM
Thanks for the reply.
I checked this document as well.
Using a lower MSS (sysopt connection tcp-mss 1300) didn't fix it. set ip df only works on IOS, not on ASA.
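As an added example (not from the original posts, and not Cisco's code), the Python below parses a constructed instance of the %ASA-6-602101 message quoted in the first post and models the egress decision that message describes: a packet larger than the outbound MTU is fragmented, unless DF is set, in which case it is dropped and an ICMP "fragmentation needed" message carrying the next-hop MTU is returned. It also works through the MSS arithmetic for a 1492-byte PPPoE link, which goes a little beyond the thread: an MSS clamp only rewrites TCP SYNs, so it cannot change UDP or other DF traffic, and an MSS of 1492 still permits 1532-byte TCP packets. The addresses and the exact log line are constructed; the header sizes assume IPv4 and TCP without options.

```python
import math
import re
from dataclasses import dataclass

IPV4_HDR = 20   # bytes, IPv4 header without options
TCP_HDR = 20    # bytes, TCP header without options

# Constructed instance of the message format quoted in the thread.
SAMPLE_LOG = ("%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1492 "
              "dest_addr=198.51.100.10, src_addr=192.0.2.25, prot=TCP")

# Field layout taken from the documented message text:
#   PMTU-D packet <number> bytes greater than effective mtu <number>
#   dest_addr=<dest_address>, src_addr=<source_address>, prot=<protocol>
ASA_602101 = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+) "
    r"dest_addr=(?P<dst>\S+), src_addr=(?P<src>\S+), prot=(?P<prot>\S+)"
)


def parse_602101(line):
    """Return the fields of a 602101 message as a dict, or None if the line is not one."""
    m = ASA_602101.search(line)
    if m is None:
        return None
    return {
        "size": int(m["size"]),
        "mtu": int(m["mtu"]),
        "dst": m["dst"],
        "src": m["src"],
        "prot": m["prot"],
    }


@dataclass
class Packet:
    size: int    # total IP datagram length in bytes
    df: bool     # "don't fragment" bit
    proto: str   # transport protocol name, e.g. "TCP" or "UDP"


def egress_action(pkt, egress_mtu):
    """Model the forwarding decision on an interface with the given MTU.

    Returns ("forward", None) when the packet fits,
            ("icmp-frag-needed", next_hop_mtu) when it does not fit and DF is set
              (this is the case that logs %ASA-6-602101),
            ("fragment", fragment_count) when it does not fit and DF is clear.
    """
    if pkt.size <= egress_mtu:
        return ("forward", None)
    if pkt.df:
        return ("icmp-frag-needed", egress_mtu)
    # Fragment payloads must be multiples of 8 bytes except for the last fragment.
    payload = pkt.size - IPV4_HDR
    per_fragment = ((egress_mtu - IPV4_HDR) // 8) * 8
    return ("fragment", math.ceil(payload / per_fragment))


def mss_for_mtu(mtu):
    """Largest TCP MSS that keeps a full segment within the given MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def max_tcp_packet_for_mss(mss):
    """Largest IP datagram a TCP peer may send once it has been told this MSS."""
    return mss + IPV4_HDR + TCP_HDR


def tcpmss_clamp_applies(pkt):
    """An MSS clamp only rewrites TCP; it has no effect on other protocols."""
    return pkt.proto.upper() == "TCP"


if __name__ == "__main__":
    fields = parse_602101(SAMPLE_LOG)
    print("parsed:", fields)
    for pkt in (Packet(1500, True, "TCP"), Packet(1500, True, "UDP"),
                Packet(1500, False, "UDP"), Packet(1492, True, "TCP")):
        print(pkt, "->", egress_action(pkt, 1492), "clamp applies:", tcpmss_clamp_applies(pkt))
    print("MSS for 1492 MTU:", mss_for_mtu(1492))
    print("largest TCP packet with tcpmss 1492:", max_tcp_packet_for_mss(1492))
```

Running it shows that a 1500-byte DF packet on a 1492-byte interface always produces the ICMP response and the log line regardless of transport protocol, while the MSS functions show why a clamp of 1492 is too large for a 1492-byte link (1452 is the value that fits) and why the prot= field in the log is worth checking before adjusting the clamp at all.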