Cisco Support Community

Cisco Employee

PMTU-D packet 1420 bytes greater than effective mtu 1396,

Hi there,

Recently received an ASA5510 for testing and just installed it on my home DSL service. I can go to certain web sites but on certain sites I cannot. I've followed some of the postings and also this one,

I had a SonicWALL and a Netscreen firewall before and both of them just worked fine. I'm no ASA expert so apologies in advance.

ASA Version 8.3(1)
hostname asa

interface Ethernet0/0
description external interface
speed 100
duplex full
nameif outside
security-level 0
pppoe client vpdn group tpg
ip address pppoe setroute
interface Ethernet0/1
description DV Network
speed 1000
duplex full
nameif inside
security-level 100
ip address
interface Ethernet0/2
description Cisco Virtual Office
speed 100
duplex full
nameif work
security-level 100
ip address
interface Ethernet0/3
description lab & test network
speed 100
duplex full
nameif lab
security-level 100
ip address
interface Management0/0
speed 100
duplex full
nameif mgmt
security-level 100
ip address
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network L3_WLAN
description L3 WLAN 
object network L1_WLAN
description L1 WLAN
object-group network DVNET_Network
network-object object L1_WLAN
network-object object L3_WLAN
access-list http-list2 extended permit tcp any any log
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended deny icmp any any
access-list 101 extended permit ip any any
tcp-map mss-map
pager lines 24
logging enable
logging timestamp
logging asdm debugging
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu work 1400
mtu lab 1400
mtu mgmt 1400
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (lab,outside) source dynamic any interface
nat (work,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic L1_WLAN interface dns
nat (inside,outside) source dynamic L3_WLAN interface dns
access-group 101 in interface outside
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http inside
http lab
http mgmt
http work
http inside
http redirect lab 80
http redirect work 80
http redirect mgmt 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group tpg request dialout pppoe
vpdn group tpg localname jmontes
vpdn group tpg ppp authentication pap
vpdn username jmontes password *****
dhcpd address inside
dhcpd dns interface inside
dhcpd address work
dhcpd dns interface work
dhcpd enable work
dhcpd address lab
dhcpd dns interface lab
dhcpd enable lab
dhcpd address mgmt
dhcpd dns interface mgmt
dhcpd enable mgmt
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match access-list http-list2
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect dns preset_dns_map
policy-map http-map1
class http-map1
  set connection advanced-options mss-map
service-policy global_policy global
service-policy http-map1 interface outside
prompt hostname context
profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end


Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

add - sysopt connection tcpmss 1300

This should get things going for you.
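
The reasoning behind that one-line fix, as an added example that is not part of the thread: a small model of the PMTU-D failure named in the title (a 1420-byte packet meeting a 1396-byte effective MTU) and of why clamping the TCP MSS to 1300 sidesteps it. The per-hop MTUs, the host MSS of 1460 and the "ICMP dropped" case are constructed for illustration; 1380 is the ASA's default tcpmss clamp and yields exactly the 1420-byte packet from the title.

```python
# Added example, not code from the thread or from Cisco. Models PMTUD with and
# without an MSS clamp such as "sysopt connection tcpmss 1300".
# Constructed values: path MTUs, host MSS, and whether ICMP reaches the sender.

IPV4_TCP_OVERHEAD = 40  # IPv4 header (20) + TCP header (20), no options


def mss_for_mtu(mtu):
    """Largest TCP payload (MSS) that fits in one packet on a link of size mtu."""
    return mtu - IPV4_TCP_OVERHEAD


def negotiated_mss(client_mss, server_mss, clamp=0):
    """MSS both ends use after the SYN exchange.

    The firewall rewrites the MSS option in the SYN and SYN-ACK so neither side
    advertises more than clamp. clamp=0 models "sysopt connection tcpmss 0"
    from the posted config, i.e. no rewriting at all.
    """
    mss = min(client_mss, server_mss)
    return min(mss, clamp) if clamp else mss


def send_full_segment(mss, path_mtus, icmp_too_big_delivered):
    """Simulate one full-size DF segment crossing every hop in path_mtus.

    Returns (outcome, packet_size). Path MTU discovery only works when the
    ICMP "fragmentation needed" message gets back to the sender; if it is
    dropped, the sender keeps resending the same size: a PMTUD blackhole,
    which is why some sites load and others hang.
    """
    packet = mss + IPV4_TCP_OVERHEAD
    for hop_mtu in path_mtus:
        if packet > hop_mtu:
            if not icmp_too_big_delivered:
                return ("blackhole", packet)
            packet = hop_mtu  # sender learns the smaller MTU and resends
    return ("delivered", packet)


# Constructed path: 1500-byte LAN, 1492-byte PPPoE link, 1396-byte effective MTU.
PATH = [1500, 1492, 1396]
HOST_MSS = mss_for_mtu(1500)  # 1460, what Ethernet hosts advertise


def outcome(clamp, icmp_ok):
    """Result of a full-size transfer for a given clamp and ICMP reachability."""
    return send_full_segment(negotiated_mss(HOST_MSS, HOST_MSS, clamp), PATH, icmp_ok)


if __name__ == "__main__":
    print("clamp 1380, ICMP dropped:", outcome(1380, False))  # blackhole at 1420
    print("clamp 1300, ICMP dropped:", outcome(1300, False))  # delivered at 1340
```

With the clamp at 1300 every full segment is 1340 bytes, under the 1396-byte effective MTU, so the connection no longer depends on ICMP making it back to the sender.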


Cisco Employee

Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

Hi Andrew,

Thanks for the reply, but I have not had any success when I configured it with what you suggested. I previously had an entry in there and made some changes to the value, but still had issues accessing other web sites. I will attempt to try it again tonight and see how far I get.



New Member

PMTU-D packet 1420 bytes greater than effective mtu 1396,

Hi Andrew -

I was having the same problem and the fix you recommended worked.

add - sysopt connection tcpmss 1300


