Cisco Support Community

MTU MSS DF Bit and Fragmentation

I am running an encrypted link and want to check for and, if necessary, remedy fragmentation.

I'm using two connected 6500's with VPN modules.

Using the NAM I sniffed the outbound physical interface and I see packets of various sizes, but the biggest is 128 bytes even during a massive file transfer. I'm assuming fragmentation but need to be sure.

Using ping I see the biggest packet allowed without fragmentation is 1472.

My primary intent is to first determine if there is a fragmentation issue. If there is, I'll probably follow up with questions on which command to use and where to put it. I assume that I would use either the physical outgoing interface (currently MTU=1500) or the inside crypto interface (current MTU=4500).

1. How do I determine if there is a fragmentation issue?

2. Which command to use and where?

Any help would be appreciated.


Re: MTU MSS DF Bit and Fragmentation

The issue is with large packets that have the don't-fragment bit set and that become too large with the additional overhead of IPsec.

Use the command "ip tcp adjust-mss" to set the TCP MSS (maximum segment size) sufficiently low that the packet isn't fragmented.

You may need to clear the DF bit entirely (it's a less efficient method, but it works). For the router, you can do so via "crypto ipsec df-bit clear".

Try these links for more info:
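
How low the MSS has to be follows from the ESP overhead. The calculation below is an added example, not part of the original thread and not Cisco code. It assumes IPv4 without options, ESP in tunnel mode with no GRE or NAT-T wrapper, and the constructed cipher profiles named in the code.

```python
# Added example: all sizes are assumptions (IPv4 without options, ESP tunnel mode).
IP_HDR = 20      # IPv4 header, no options
TCP_HDR = 20     # TCP header, no options
ICMP_HDR = 8     # ICMP echo header
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length and next-header bytes

# Constructed profiles: name -> (IV bytes, cipher block bytes, ICV bytes)
PROFILES = {
    "3des-sha1": (8, 8, 12),
    "aes-cbc-sha1": (16, 16, 12),
    "aes-cbc-sha256": (16, 16, 16),
}

def ping_payload_to_mtu(payload):
    """MTU implied by the largest ping payload that passes with DF set."""
    return payload + ICMP_HDR + IP_HDR

def esp_tunnel_size(inner_len, profile):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation."""
    iv, block, icv = PROFILES[profile]
    # Inner packet plus trailer is padded up to a whole cipher block.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv

def max_inner_packet(link_mtu, profile):
    """Largest inner IP packet whose encrypted form still fits link_mtu."""
    iv, block, icv = PROFILES[profile]
    room = link_mtu - IP_HDR - ESP_HDR - iv - icv
    return (room // block) * block - ESP_TRAILER

def safe_mss(link_mtu, profile):
    """TCP MSS that keeps the encrypted packet within link_mtu."""
    return max_inner_packet(link_mtu, profile) - IP_HDR - TCP_HDR

if __name__ == "__main__":
    mtu = ping_payload_to_mtu(1472)  # the 1472-byte ping from the question
    for name in PROFILES:
        print(f"{name}: a {mtu}-byte packet becomes "
              f"{esp_tunnel_size(mtu, name)} bytes after ESP; "
              f"largest inner packet {max_inner_packet(mtu, name)}, "
              f"MSS {safe_mss(mtu, name)}")
```

A full-size 1500-byte packet with DF set grows past the 1500-byte physical MTU in every profile, which is the condition the reply describes.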
