Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Cisco Employee

PMTU-D packet 1420 bytes greater than effective mtu 1396,

Hi there,

Recently received an ASA5510 for testing and just installed it on my home dsl service.  I can go to certain web sites but on certain sites I can not.  I've followed some of the postings and also this one, http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml.

I had a SonicWALL and a Netscreen firewal before and both of them just worked fine.  I'm no ASA expert so apologies in advance.

ASA Version 8.3(1)
!
hostname asa
domain-name montes.com.au

names
!
interface Ethernet0/0
description external interface
speed 100
duplex full
nameif outside
security-level 0
pppoe client vpdn group tpg
ip address pppoe setroute
!
interface Ethernet0/1
description DV Network
speed 1000
duplex full
nameif inside
security-level 100
ip address 172.28.8.254 255.255.255.0
!
interface Ethernet0/2
description Cisco Virtual Office
speed 100
duplex full
nameif work
security-level 100
ip address 172.28.7.33 255.255.255.224
!
interface Ethernet0/3
description lab & test network
speed 100
duplex full
nameif lab
security-level 100
ip address 172.28.7.30 255.255.255.224
!
interface Management0/0
speed 100
duplex full
nameif mgmt
security-level 100
ip address 172.28.7.129 255.255.255.224
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name montes.com.au
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network L3_WLAN
subnet 172.28.7.160 255.255.255.224
description L3 WLAN 
object network L1_WLAN
subnet 172.28.7.64 255.255.255.224
description L1 WLAN
object-group network DVNET_Network
network-object 172.28.7.0 255.255.255.224
network-object 172.28.7.128 255.255.255.224
network-object 172.28.7.32 255.255.255.224
network-object 172.28.8.0 255.255.255.0
network-object object L1_WLAN
network-object object L3_WLAN
access-list http-list2 extended permit tcp any any log
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended deny icmp any any
access-list 101 extended permit ip any any
!
tcp-map mss-map
!
pager lines 24
logging enable
logging timestamp
logging asdm debugging
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu work 1400
mtu lab 1400
mtu mgmt 1400
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (lab,outside) source dynamic any interface
nat (work,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic L1_WLAN interface dns
nat (inside,outside) source dynamic L3_WLAN interface dns
access-group 101 in interface outside
route inside 172.28.7.64 255.255.255.224 172.28.8.66 1
route inside 172.28.7.160 255.255.255.224 172.28.8.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 172.28.8.98 255.255.255.255 inside
http 172.28.7.0 255.255.255.224 lab
http 172.28.7.128 255.255.255.224 mgmt
http 172.28.7.32 255.255.255.224 work
http 172.28.8.0 255.255.255.0 inside
http redirect lab 80
http redirect work 80
http redirect mgmt 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group tpg request dialout pppoe
vpdn group tpg localname jmontes
vpdn group tpg ppp authentication pap
vpdn username jmontes password *****
dhcpd address 172.28.8.159-172.28.8.171 inside
dhcpd dns 203.12.160.35 203.12.160.36 interface inside
!
dhcpd address 172.28.7.40-172.28.7.41 work
dhcpd dns 203.12.160.35 203.12.160.36 interface work
dhcpd enable work
!
dhcpd address 172.28.7.5-172.28.7.6 lab
dhcpd dns 203.12.160.35 203.12.160.36 interface lab
dhcpd enable lab
!
dhcpd address 172.28.7.135-172.28.7.136 mgmt
dhcpd dns 203.12.160.35 203.12.160.36 interface mgmt
dhcpd enable mgmt
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match access-list http-list2
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect dns preset_dns_map
policy-map http-map1
class http-map1
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface outside
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:079b0329cbbeff90893706973fbb3369
: end

3 REPLIES

Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

add - sysopt connection tcpmss 1300

This should get things going for you.

HTH>

Cisco Employee

Re: PMTU-D packet 1420 bytes greater than effective mtu 1396,

Hi Andrew,

Thanks for the reply but have not had any success when I configured it with what you have suggested.  I previously had an entry in there and did some changes to the value but still had issues accessing other web sites.  I will attempt to try it again tonight and see how far I get.

Regards,

Joe

New Member

PMTU-D packet 1420 bytes greater than effective mtu 1396,

Hi Andrew -

I was having the same problem and the fix you recommended worked.

add - sysopt connection tcpmss 1300

Thanks,

GF

4325
Views
0
Helpful
3
Replies
CreatePlease login to create content