I have HTTP and HTTPS running through an IPsec tunnel. HTTP works fine but HTTPS does not. Our servers always turn the don't-fragment bit on; we have Solaris running iPlanet and NT with IIS. I ran a trace and when the HTTPS packets reach 1453 bytes and the IPsec headers are added, the router throws the packets away because they exceed the MTU on the serial interface, which has a frame circuit. Can I just increase the MTU size on the serial interface to fix it, or should I upgrade to 12.2 and use the command to change the DF bit?
Actually, when the router drops a packet because of DF being set, an ICMP packet is sent by the router to the source. Hearing this ICMP, the source will reduce the size of the packets being sent out. It might be that an access-list or firewall is blocking this. Allowing these ICMP packets might help.
I fixed a similar problem by running GRE with IPsec and using the command "ip mtu 1500" under the tunnel interface. A setup like this causes fragmentation to occur at the interface regardless of the DF bit set in your original IP packet.
You can use policy routing (route-maps) to manually set the DF bit to 0. You can use the command "ip tcp adjust-mss 1476" on the LAN interface close to your clients - whenever Cisco releases 12.2(4)T which is supposed to contain it.
Someone has mentioned that when a packet hits the tunnel, an ICMP message gets sent back to the sending host. This is correct, but a lot of networks block ICMP messages at the firewall. This could prevent the communicating hosts from ever knowing there's a problem.
I've also heard from another source that the "ip mtu" command on the tunnel interface causes the physical interface to fragment the encapsulated packet. This seems to violate the RFC I read which states that DF bits are to be propagated up to encapsulating packets. But if it works...
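As an added example that is not from any of the posters, the Python below models the problem and the two remedies discussed in this thread: a 1453-byte packet with DF set that no longer fits a 1500-byte serial MTU once GRE or ESP overhead is added, the ICMP "fragmentation needed" message PMTUD depends on (and firewalls often block), and the MSS value to clamp so segments fit without fragmentation. The header and padding sizes (GRE 24 bytes; ESP 48 fixed bytes plus padding to an 8-byte cipher block) and the mode names are assumptions for illustration, not values from the thread.

```python
# Added example, not from the thread: DF bit, tunnel overhead and PMTUD/MSS clamping.
from dataclasses import dataclass

IP_HDR, TCP_HDR = 20, 20
GRE_OVERHEAD = 24                 # assumption: outer IP (20) + basic GRE header (4)
ESP_FIXED = 20 + 8 + 8 + 12       # assumption: outer IP, SPI+seq, 8-byte IV, 12-byte ICV
ESP_BLOCK = 8                     # assumption: cipher block size ESP pads up to

def encapsulate(inner_len: int, mode: str) -> int:
    """On-the-wire size of an inner IP packet after 'gre', 'esp' or 'gre+esp'."""
    size = inner_len
    if "gre" in mode:
        size += GRE_OVERHEAD
    if "esp" in mode:
        # ESP trailer is 2 bytes (pad length, next header); the payload plus
        # trailer is padded to a multiple of the cipher block size.
        padded = -(-(size + 2) // ESP_BLOCK) * ESP_BLOCK
        size = ESP_FIXED + padded
    return size

def largest_inner_that_fits(mode: str, mtu: int = 1500) -> int:
    """Biggest pre-encapsulation packet whose encapsulated form still fits the MTU;
    this is what a router advertises as next-hop MTU in ICMP type 3 code 4."""
    return max(n for n in range(mtu, 0, -1) if encapsulate(n, mode) <= mtu)

@dataclass
class Verdict:
    wire_size: int
    action: str                  # "forward", "fragment" or "drop"
    icmp_next_hop_mtu: int = 0   # non-zero when ICMP "fragmentation needed" is sent

def tunnel_router(pkt_len: int, df: bool, mode: str, mtu: int = 1500) -> Verdict:
    """Forward, fragment, or drop an inner packet at the tunnel; with DF set the
    drop comes with the ICMP message PMTUD relies on (lost if a firewall blocks ICMP)."""
    wire = encapsulate(pkt_len, mode)
    if wire <= mtu:
        return Verdict(wire, "forward")
    if df:
        return Verdict(wire, "drop", largest_inner_that_fits(mode, mtu))
    return Verdict(wire, "fragment")

def clamp_mss(mode: str, mtu: int = 1500) -> int:
    """TCP MSS to advertise so no segment needs fragmentation after encapsulation."""
    return largest_inner_that_fits(mode, mtu) - IP_HDR - TCP_HDR

if __name__ == "__main__":
    for mode in ("gre", "esp", "gre+esp"):
        v = tunnel_router(1453, df=True, mode=mode)
        print(f"{mode:8s} 1453 -> {v.wire_size} bytes: {v.action}, next-hop MTU {v.icmp_next_hop_mtu}, clamp MSS to {clamp_mss(mode)}")
```

With these assumed sizes the 1453-byte packet survives plain GRE (1477 bytes) but is dropped under ESP (1504 bytes), and the ICMP next-hop MTU of 1446 is exactly the value a host never learns when the firewall discards that message.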