I have a hub-spoke setup between a central site and 3 remote sites. IPsec VPN tunnels establish fine and data can pass... sort of. Any-sized UDP packets are routed back and forth between the central and remote sites. TCP, however, causes some serious issues. At the central site they have a number of Intranet servers and Lotus Notes servers which the remote site users need to connect to. Whenever an attempt is made to connect to the servers (either Lotus or Intranet), the "debug ip icmp" command on the central-site router displays a large number of entries saying that packets are too large and need fragmenting but the DF bit is set. Initially, I tried changing the IP TCP MSS value on all 4 routers (3 remote, 1 central) to 1400, but this made no difference. I then used a route-map which sets the DF bit to zero for these TCP traffic flows, and again this made no difference.
Even with PATH-MTU-DISCOVERY enabled on all routers (which have full ICMP connectivity between each other) it makes no difference.
The remote sites don't transmit that much heavy traffic, so fragmentation is a possibility (I am aware of performance issues with fragging).
Has anyone had this problem? And more importantly, can it be sorted? Also, is there an alternative to fragging?
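An added example, not part of the post above, for sizing the MSS clamp the poster mentions: it computes the on-wire length of an ESP tunnel-mode packet for a given cleartext size and finds the largest TCP MSS whose full-size segment still fits the WAN MTU. The transform set is not stated in the post, so the cipher block size, IV length, ICV length and NAT-T flag are assumptions passed as parameters.

```python
# Added example (not from the original post): estimate ESP tunnel-mode
# overhead so a TCP MSS clamp can be chosen that keeps encrypted packets at
# or below the WAN MTU. Cipher parameters are assumptions; the post does not
# state the transform set in use.

IP_HDR = 20         # outer IPv4 header added in tunnel mode
TCP_HDR = 20        # TCP header without options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
NAT_T_UDP = 8       # UDP header when NAT traversal encapsulation is used


def esp_packet_size(inner_len, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Return the on-wire IPv4 length of an ESP tunnel-mode packet.

    inner_len: length of the cleartext inner IP packet.
    block:     cipher block size used for ESP padding (AES-CBC 16, 3DES 8).
    iv_len:    explicit IV length (AES-CBC 16, 3DES-CBC 8).
    icv_len:   integrity check value length (HMAC-SHA1-96 / MD5-96: 12).
    """
    # ESP pads inner packet + trailer up to a multiple of the block size.
    padded = inner_len + ESP_TRAILER
    padding = (-padded) % block
    total = IP_HDR + ESP_HDR + iv_len + padded + padding + icv_len
    if nat_t:
        total += NAT_T_UDP
    return total


def would_fragment(inner_len, wan_mtu=1500, **esp):
    """True if the encrypted form of a packet exceeds the WAN MTU."""
    return esp_packet_size(inner_len, **esp) > wan_mtu


def max_mss(wan_mtu=1500, **esp):
    """Largest MSS whose full-size segment (IP + TCP + MSS) fits after ESP.

    Walks downward because block padding makes the relation non-linear:
    a one-byte larger segment can cost a whole block of padding.
    """
    mss = wan_mtu
    while would_fragment(IP_HDR + TCP_HDR + mss, wan_mtu, **esp):
        mss -= 1
    return mss


if __name__ == "__main__":
    # A 1500-byte cleartext packet with the assumed AES-CBC/HMAC-SHA1 set.
    print("1500-byte packet on the wire:", esp_packet_size(1500))
    print("largest MSS for a 1500 MTU:", max_mss(1500))
    print("same with NAT-T:", max_mss(1500, nat_t=True))
```

With the assumed AES-CBC/HMAC-SHA1 parameters a 1400-byte MSS still produces a 1512-byte encrypted packet, so a clamp needs a little more headroom than the raw header arithmetic suggests.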