Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

IPSEC and the DF bit

I have http and https running through an ipsec tunnel. http works fine but https does not. our servers always turn the don't frag bit on, we have Solaris running Iplanet and NT with IIS. I ran a trace and when the https packets reach 1453 bytes and the ipsec headers are added the router throws the packets away because they exceed the mtu on the serial interface which has a frame circuit. Can I just increase the mtu size on the serial interface to fix or should I upgrade to 12.2 and use the command to change the df bit?

5 REPLIES
New Member

Re: IPSEC and the DF bit

I would suggest upgrading the IOS - it doesn't say in your message where in the network fragmentation is taking place... channging the MTU on both

ends of one serial link may not change matters if

the fragmentation is taking place elsewhere...

-Rakesh

New Member

Re: IPSEC and the DF bit

Actually, when the router drops a packet beacause of DF being set. A ICMP packet is ent by the router to the source. Hearing this ICMP the source will reduce the size of the packet being sent out. It might be a access-list or firewall is blocking this. Allowing this ICMP packets might help.

New Member

Re: IPSEC and the DF bit

I fixed similar problem by running GRE with IPsec and using the command "ip mtu 1500" under the tunnel interface. Setup like this causes fragmentation to occur at the interface regardless of the DF bit set in your orginal IP packet.

Thx

New Member

Re: IPSEC and the DF bit

It seems i have the same proplem.

Do you know what should be the problem?

I mean upgrading the IOS or changing the MTU size?

New Member

Re: IPSEC and the DF bit

There are various ways you can solve it.

You can use policy routing (route-maps) to manually set the DF bit to 0. You can use the command "ip tcp adjust-mss 1476" on the LAN interface close to your clients - whenever Cisco releases 12.2(4)T which is supposed to contain it.

Someone has mentioned that when a packet hits the tunnel, an ICMP message gets sent back to the sending host. This is correct, but a lot of networks block ICMP messages at the firewall. This could prevent the communicating hosts from ever knowing there's a problem.

I've also heard from another source that the "ip mtu" command on the tunnel interface causes the physical interface to fragment the encapsulated packet. This seems to violate the RFC I read which states that DF bits are to be propagated up to encapsulating packets. But if it works...

So choose your weapon.

176
Views
0
Helpful
5
Replies
CreatePlease to create content