Cisco Support Community

Do I need to increase the MTU size?


I have created a VPN between a remote site and our head office.

The remote site has a Cisco 877 router and the head office has a Cisco 3005 Concentrator.

The VPN I have created is up and running and I can connect to devices on either side of the VPN.

The problem I am having is that I am planning on rolling out thin clients at the remote site that connect to a terminal server at the head office.

When I set up the thin clients, they connect but then disconnect straight away.

I think this is down to the default MTU size being too small, but I don't know if I am correct, or which interface to change it on.




Re: Do I need to increase the MTU size?


It looks like an MTU issue.

One of the options you could certainly try is to do a "crypto map XXXX df-bit clear", which will ensure that the IPSEC header is not fragmented.

Another option is to modify the MSS of the packet using "ip tcp adjust-mss" on the interface of the 877 connecting to your LAN.

Let me know if one of these works.

Re: Do I need to increase the MTU size?

Too small? I wouldn't think so.

When adding IPsec encapsulation, or GRE and IPSec encapsulation (our scenario, not yours), you sometimes run into fragmentation issues due to the Path MTU. In these circumstances, you would "decrease" the IP MTU on the appropriate interface to make room for the additional headers (GRE, IPSec).

e.g.: We use "ip mtu 1400" on our GRE tunnel interfaces to avoid fragmentation issues.

Reducing the IP MTU on the interface to an appropriate level means that you don't encounter fragmentation issues during the GRE or IPSec encapsulation processes (during Path MTU Discovery).

You should make sure that Path MTU discovery is enabled on your devices. This command may not show up in your configuration if it is the default:

ip tcp path-mtu-discovery

The "default" IP MTU on your interfaces is not likely to be set too small.

I think you will need to identify another cause. You probably want to use a sniffer to see what is happening on the wire.
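
The header arithmetic behind the replies above (encapsulation adds bytes, so the usable packet size and TCP MSS shrink), worked through as an added example that is not part of the original thread. The cipher and authentication choices, the 1500-byte path MTU, and all function names are assumptions made for illustration; the thread does not state the transform set in use.

```python
# Added example: size of an ESP tunnel-mode packet and the TCP MSS that avoids
# fragmentation. Cipher/auth choices and the 1500-byte path MTU are assumptions.
IPV4_HDR = 20      # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_OVERHEAD = 24  # extra IPv4 header (20) + basic GRE header (4)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}  # (block size, IV size)
AUTHS = {"hmac-md5-96": 12, "hmac-sha1-96": 12}       # truncated ICV size


def wire_size(inner_len, cipher, auth, gre=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes after
    optional GRE encapsulation and ESP tunnel-mode encryption."""
    block, iv = CIPHERS[cipher]
    if gre:
        inner_len += GRE_OVERHEAD
    # Payload plus ESP trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IPV4_HDR + ESP_HDR + iv + padded + AUTHS[auth]


def max_inner_packet(path_mtu, cipher, auth, gre=False):
    """Largest inner IP packet whose encapsulated form fits in path_mtu."""
    for inner in range(path_mtu, IPV4_HDR + TCP_HDR, -1):
        if wire_size(inner, cipher, auth, gre) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for this encapsulation")


def max_tcp_mss(path_mtu, cipher, auth, gre=False):
    """Largest TCP MSS that never needs fragmentation across the tunnel."""
    return max_inner_packet(path_mtu, cipher, auth, gre) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for cipher in CIPHERS:
        for gre in (False, True):
            inner = max_inner_packet(1500, cipher, "hmac-sha1-96", gre)
            mss = max_tcp_mss(1500, cipher, "hmac-sha1-96", gre)
            print(f"{cipher:9} gre={gre!s:5} max inner packet={inner} max MSS={mss}")
    # The "ip mtu 1400" GRE tunnel value quoted in the thread, under these assumptions:
    print("1400-byte packet over GRE+ESP:",
          wire_size(1400, "aes-cbc", "hmac-sha1-96", gre=True))
```

Under these assumptions a full 1500-byte inner packet grows to 1560 bytes after ESP, while a 1400-byte packet sent over GRE and then ESP comes to 1496 bytes and still fits a 1500-byte path.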
