Cisco Support Community
New Member

PIX IPSEC MTU

Hi,

I am trying to make an IPSec connection between a Cisco VPN Client 4.0.1 and a PIX 506E v6.3.1. The tunnel is up, but when I try to communicate through this tunnel, I get an error on the PIX:

PMTU-D packet 1240 bytes greater than effective mtu 1236 dest_addr=192.168.105.1, src_addr=192.168.0.185, prot=tcp

The client and the PIX are also on a DSL line with PPPoE. Do I need to set the MTU on the PIX, or what can I do to make it work? The VPN client sets the MTU on the PC to 1300. The PIX outside MTU is also 1300.

Thanks

Eva

2 REPLIES
New Member

Re: PIX IPSEC MTU

Hi!

You might have a DSL problem regarding the MTU size. If you have xDSL Internet access at both ends, try configuring, on the Ethernet of the VPN Client router, the following IOS command:

"ip tcp adjust-mss 1236"

Next, with a regular Ethernet sniffer, like Ethereal, you can see what is happening.

Regards

New Member

Re: PIX IPSEC MTU

With the client install there is a place to adjust MTU. You can knock it down to 1236 on the client from there. This is Client v 4.0.2(a) - not sure about your version.

There are also utilities/regedits/commands available to do it on your inside devices if necessary.

Also, the message you are getting isn't necessarily that bad. The packets will get resent - fragmented. Where you will really be concerned is if you see a similar message that indicates the "DF (don't fragment) bit is set" - that data will never make it and MTUs MUST be adjusted.

Hope that helps.
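
An added example, not part of any post in this thread: a Python helper that parses the PMTU-D message quoted in the question, groups hits per flow, and works out the largest TCP MSS that fits the reported effective MTU. It assumes 20-byte IPv4 and TCP headers without options; only the first sample line comes from the thread, the rest are constructed.

```python
import re
from collections import defaultdict

# First line is the message quoted in the question; the others are constructed.
SAMPLE_LOG = """\
PMTU-D packet 1240 bytes greater than effective mtu 1236 dest_addr=192.168.105.1, src_addr=192.168.0.185, prot=tcp
PMTU-D packet 1300 bytes greater than effective mtu 1236 dest_addr=192.168.105.1, src_addr=192.168.0.185, prot=tcp
PMTU-D packet 1240 bytes greater than effective mtu 1236 dest_addr=192.168.105.7, src_addr=192.168.0.190, prot=udp
unrelated line that must be skipped
"""

PMTUD_RE = re.compile(
    r"PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+)\s+"
    r"dest_addr=(?P<dst>[\d.]+),\s*src_addr=(?P<src>[\d.]+),\s*prot=(?P<prot>\w+)"
)

IPV4_HEADER = 20  # assumption: no IP options
TCP_HEADER = 20   # assumption: no TCP options

def parse_line(line):
    """Return the fields of one PMTU-D message, or None for any other line."""
    m = PMTUD_RE.search(line)
    if not m:
        return None
    return {"size": int(m["size"]), "mtu": int(m["mtu"]),
            "src": m["src"], "dst": m["dst"], "prot": m["prot"]}

def summarize(log_text):
    """Group PMTU-D hits by (src, dst, prot); track count and worst overshoot."""
    flows = defaultdict(lambda: {"count": 0, "max_over": 0, "mtu": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        f = flows[(ev["src"], ev["dst"], ev["prot"])]
        f["count"] += 1
        f["max_over"] = max(f["max_over"], ev["size"] - ev["mtu"])
        f["mtu"] = ev["mtu"] if f["mtu"] is None else min(f["mtu"], ev["mtu"])
    return dict(flows)

def max_tcp_mss(effective_mtu):
    """Largest TCP payload per segment that still fits the effective MTU."""
    return effective_mtu - IPV4_HEADER - TCP_HEADER

if __name__ == "__main__":
    for (src, dst, prot), f in summarize(SAMPLE_LOG).items():
        hint = f", max TCP MSS {max_tcp_mss(f['mtu'])}" if prot == "tcp" else ""
        print(f"{src} -> {dst} {prot}: {f['count']} hits, "
              f"up to {f['max_over']} bytes over mtu {f['mtu']}{hint}")
```
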
