I have a scenario with a IPsec tunnel between two 851 routers. The first router have a public IP address and is connected to a cable modem. The second router have a private IP address, and is connected to a GPRS modem with a dynamic private IP address from the service provider.
An IPsec tunnel is established, and the VPN-led on both routers are on. When running a test from SDM, the report says that the tunnel is fine, but that ping is failing due to the MTU size. I have issued the 'crypto ipsec df-bit clear' command to interface fa4 on both routers, but the problem persist. Any suggestions ?
The VPN Client now adjusts the Maximum Transmission Unit (MTU) size. The Set MTU Utility option is no longer a required installation step and has been removed from the Start menu. Use Internet Explorer in order to access the Set MTU Utility option. You can also choose Start > Run, choose Browse, and navigate to the Cisco Systems VPN Client directory.
The VPN client is not a PC, but a Cisco 851 router. The complains about MTU size is from within the SDM on the router. So when the router itself complains, there must be additional configurations to do on the router ?
By sending ping to a DNS server on the internet, I find that the MTU is 1472 through the GPRS (Not through VPN). I have added "ip mtu 1472" on both the WAN interface (fa4) and the LAN interface (VLAN1) on both routers. I have also applied the "ip tcp adjust-mss 1412" on both interfaces on both routers. I have removed the "crypto ipsec df-bit" on all interfaces.
I still get the same message from the VPN test in SDM that the VPN is OK, but the MTU might have a problem (Se attachment). The VPN lamp on both routers are on, but ping, telnet and http through the VPN still fails ?
I guess that making "ip tcp adjust-mss 1300" on interface vlan1 on both routers is just as good as doing it on interfaces fa0 to fa3 ? The command is now applied, but the problem persist. The LAN ip adress of the remote router is 192.168.0.1. I'm not able to telnet or start SDM via my browser over the VPN.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :