Cisco Support Community
New Member

MTU problems with Cisco IPsec and NAT traversal

Hi,

At the moment I'm having trouble with MTU using NAT traversal and a LAN-to-LAN VPN tunnel. For example, it isn't possible to send out ICMP packets with a size between 1450 and 1500 bytes. This runs Lotus Notes and Windows 2000 Active Directory replication into problems.

Resetting the DF bit helps on some occasions but not all. Rerouting the traffic across a loopback interface with a smaller MTU doesn't help either. I've tried several IOS releases, but in vain.

The equipment I'm using is: a Cisco VPN3030 concentrator and Cisco 1721 routers.

Does anyone have any idea?

Thanks in advance!

Jurrien

4 REPLIES
New Member

Re: MTU problems with Cisco IPsec and NAT traversal

Have you got (or tried) an ip tcp adjust-mss 1452 or ip adjust-mss 1452?

Play with the size, and I don't remember which version of that command is correct for a 1721. Also, are you running 12.3? I had some serious PMTUD issues with site-to-site GRE over IPSec, and simply rolled back to 12.2 as I didn't have the time to properly troubleshoot.

New Member

Re: MTU problems with Cisco IPsec and NAT traversal

According to the website http://www.dslreports.com/tweaks the connection had a low send and receive MTU. After upgrading the ADSL modem/router the MTU got higher.

I've added ip tcp adjust-mss 1300 to the LAN internal ethernet card and ip mtu 1300 to the external ethernet card connected to the ADSL modem/router. The DF bit will not be cleared anymore.

Now the problem seems to have disappeared: after almost 24 hours I have no stalled connections to external Lotus Notes servers anymore.

The 1721 is running IOS version 12.2-15T.

Thanks,

Jurrien

New Member

Re: MTU problems with Cisco IPsec and NAT traversal

Global config mode

crypto ipsec df-bit clear

should do the trick, if it's the same problem I had yesterday.

New Member

Re: MTU problems with Cisco IPsec and NAT traversal

Thanks, I tried this command last week too and it worked. You can see with "show ip traffic" that the number of "couldn't fragment" packets is not increasing anymore.
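The arithmetic behind this thread, as an added worked example that is not from any of the posters: it computes the on-the-wire size of a tunnel-mode ESP packet with NAT-T (UDP/4500) encapsulation, derives the largest cleartext packet and the TCP MSS that still fit a 1500-byte link, shows why a 1450-byte ping cannot, and models what `crypto ipsec df-bit clear` changes for a DF-marked packet that is too large (the "couldn't fragment" counter from `show ip traffic`). The transform set is an assumption, since the thread never states it: 3DES-CBC (8-byte IV and block) with HMAC-SHA1-96 (12-byte ICV), IPv4 without options; the keyword arguments let you recompute for AES or for a tunnel without NAT-T.

```python
"""Added example: IPsec + NAT-T overhead, MSS clamping, and the DF bit.

Assumed transform set (not stated in the thread): ESP tunnel mode,
3DES-CBC (8-byte IV, 8-byte cipher block), HMAC-SHA1-96 (12-byte ICV),
ESP carried in UDP/4500 (NAT-T), IPv4 outer header without options.
"""
from dataclasses import dataclass
import math

IPV4_HDR = 20       # outer IPv4 header, no options
UDP_HDR = 8         # NAT-T wraps ESP in a UDP/4500 header
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)


def esp_tunnel_size(inner_len: int, nat_t: bool = True, iv_len: int = 8,
                    block: int = 8, icv_len: int = 12) -> int:
    """Wire size of one tunnel-mode ESP packet carrying an inner IPv4
    packet of inner_len bytes (inner header included)."""
    # ESP pads so that payload + pad + trailer is a multiple of the cipher block.
    pad = (-(inner_len + ESP_TRAILER)) % block
    esp = ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def max_inner_packet(link_mtu: int = 1500, **kw) -> int:
    """Largest inner IPv4 packet whose encrypted form still fits link_mtu."""
    size = link_mtu
    while esp_tunnel_size(size, **kw) > link_mtu:
        size -= 1
    return size


def safe_tcp_mss(link_mtu: int = 1500, **kw) -> int:
    """Value to clamp with `ip tcp adjust-mss`: inner packet minus IP + TCP headers."""
    return max_inner_packet(link_mtu, **kw) - 40


def ping_fits(icmp_data_len: int, link_mtu: int = 1500, **kw) -> bool:
    """`ping -l N` on Windows builds an IP packet of N + 28 bytes (IP + ICMP headers)."""
    return esp_tunnel_size(icmp_data_len + 28, **kw) <= link_mtu


@dataclass
class Router:
    """Toy model of the pre-encryption hop: a cleartext packet larger than the
    tunnel MTU is fragmented, or dropped when DF is set.  clear_df mimics
    `crypto ipsec df-bit clear`; couldnt_fragment mimics the counter that
    `show ip traffic` reports."""
    mtu: int
    clear_df: bool = False
    couldnt_fragment: int = 0
    fragmented: int = 0

    def forward(self, packet_len: int, df: bool) -> str:
        if packet_len <= self.mtu:
            return "forwarded"
        if df and not self.clear_df:
            # Router drops the packet and answers with ICMP "fragmentation needed".
            # If that ICMP is filtered on the way back, the sender only sees a stall.
            self.couldnt_fragment += 1
            return "dropped"
        # DF absent (or cleared by policy): split into MTU-sized fragments,
        # each fragment's data length a multiple of 8 bytes.
        frag_payload = (self.mtu - IPV4_HDR) // 8 * 8
        self.fragmented += math.ceil((packet_len - IPV4_HDR) / frag_payload)
        return "fragmented"


if __name__ == "__main__":
    print("largest inner packet on a 1500-byte link:", max_inner_packet())
    print("MSS to clamp to:", safe_tcp_mss())
    for n in (1400, 1450, 1500):
        print(f"ping -l {n}: {'ok' if ping_fits(n) else 'needs fragmentation'}")
    for policy in (False, True):
        r = Router(mtu=max_inner_packet(), clear_df=policy)
        # 1478 bytes = a 1450-byte ping with IP + ICMP headers, DF set
        print(f"df-bit clear={policy}: {r.forward(1478, df=True)},"
              f" couldn't fragment={r.couldnt_fragment}")
```

With the assumed transform set the largest cleartext packet that fits is 1438 bytes, so an MSS of 1398 is the tightest safe clamp and the 1300 used in the thread simply leaves headroom for a smaller upstream MTU; a 1450-byte ping becomes a 1478-byte IP packet and either fragments or, with DF set and no df-bit clear, counts as "couldn't fragment".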
