Cisco Support Community

New Member

ftp over ipsec

I have created a new IPSec tunnel from branch to branch (1750 to 1750 router) and tested FTP file transfer. I am able to log on to the FTP server and see the files, but I could not PUT or GET the files. Encryption is happening for PING and TELNET, i.e. encryption is not working totally between the 1750 routers for FTP PUT and GET.

There is no problem with the FTP server, because without IPsec FTP is working fine, and I also tested with another FTP server.

Both routers are running OSPF.

We have also tried FTP between the central router 3661 and the remote router 1750. The routers are running IPsec and the routing protocol OSPF and . I was able to ping, telnet and also download a file from the FTP server located at the central location. But I am not able to upload the file from the remote router 1750 to the central router 3661.

What could be the problem?

3 REPLIES
Anonymous
N/A

Re: ftp over ipsec

You are having some MTU problems here.

As IPSec adds some overhead to the IP packets, the MTU decreases. The router informs the stations sending 1500-byte packets with DF set, via ICMP, to decrease the MTU.

At one end (based on your description, at the remote site) the station probably tries to send packets of 1500 octets and ignores the router's ICMPs.

You can control the behavior of the DF bit in newer IOS versions (12.2.T).

New Member

Re: ftp over ipsec

I think this is an MTU problem.

Do this to be sure.

In the router, first clear all the SAs:

clear crypto sa

Then start debugs for ISAKMP and IPsec:

debug crypto ipsec

debug crypto isakmp

term mon

Then generate some traffic to initiate the tunnel and look in the debug output to see how many bytes IPsec is adding (e.g. esp-des esp-md5-hmac adds 56 bytes). If the path MTU is 1500, you must reset the MTU.

I hope it helps.

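The MTU arithmetic the replies describe, as an added example that is not part of the original thread: it computes the size of an ESP tunnel-mode packet and the largest inner packet (and TCP MSS) that still fits a given path MTU. It assumes IPv4 without options, CBC ciphers whose IV equals the block size, 96-bit HMAC authenticators, and no NAT-T or GRE; the function names and the transform table are illustrative.

```python
from dataclasses import dataclass

OUTER_IP = 20        # new IPv4 header added by tunnel mode (no options)
ESP_HEADER = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options


@dataclass(frozen=True)
class Transform:
    block: int  # cipher block size in bytes (also the CBC IV size)
    icv: int    # truncated authenticator length in bytes


# Constructed table keyed by IOS-style transform-set names.
TRANSFORMS = {
    "esp-des esp-md5-hmac": Transform(block=8, icv=12),
    "esp-3des esp-sha-hmac": Transform(block=8, icv=12),
    "esp-aes esp-sha-hmac": Transform(block=16, icv=12),
}


def outer_size(inner_len: int, t: Transform) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // t.block) * t.block  # round up to the block size
    return OUTER_IP + ESP_HEADER + t.block + padded + t.icv


def max_inner(path_mtu: int, t: Transform) -> int:
    """Largest inner IP packet whose encrypted form still fits path_mtu."""
    fixed = OUTER_IP + ESP_HEADER + t.block + t.icv
    room = (path_mtu - fixed) // t.block * t.block  # whole cipher blocks only
    return room - ESP_TRAILER


def report(path_mtu: int, name: str) -> dict:
    """Summarise what a host behind the tunnel can send without fragmentation."""
    t = TRANSFORMS[name]
    inner = max_inner(path_mtu, t)
    return {
        "max_inner_packet": inner,
        "tcp_mss": inner - TCP_IP_HEADERS,
        "full_size_packet_on_wire": outer_size(1500, t),  # bulk FTP data segment
        "small_packet_on_wire": outer_size(64, t),        # ping/telnet-sized packet
    }


if __name__ == "__main__":
    for name in TRANSFORMS:
        print(name, report(1500, name))
```

Small ping and telnet packets stay far below the path MTU after encapsulation, while a 1500-byte FTP data packet with DF set does not, which matches the symptom in the original post.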
