PIX mtu 1430 ?

James Lasky
Level 1

I’m experiencing problems sending fax over IP via a crypto tunnel between two PIXes (CISCO PIX 515E).

The strange thing I see is the media mtu 1430 (should be the default 1500) on one of the two PIXes. Does anybody know why?

In the config mtu is 1500:

---

mtu outside 1500

mtu inside 1500

---

interface: outside

Crypto map tag: c_map1, local addr. 192.168.1.1

local ident (addr/mask/prot/port): (voip/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (Voce/255.255.255.0/0/0)

current_peer: 192.168.2.1:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 1635203, #pkts encrypt: 1635203, #pkts digest 1635203

#pkts decaps: 1727409, #pkts decrypt: 1727409, #pkts verify 1727409

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1

path mtu 1430, ipsec overhead 56, media mtu 1430 --------------------------------

current outbound spi: 21de283f

inbound esp sas:

spi: 0xee6027a5(3999279013)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 14, crypto map: c_map1

sa timing: remaining key lifetime (k/sec): (4596072/1276)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x21de283f(568207423)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 13, crypto map: c_map1

sa timing: remaining key lifetime (k/sec): (4600347/1276)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

On the other side media mtu is 1500:

interface: outside

Crypto map tag: c_map1, local addr. 192.168.2.1

local ident (addr/mask/prot/port): (Voip/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (Voip/255.255.255.0/0/0)

current_peer: 192.168.1.1:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 1759930, #pkts encrypt: 1759930, #pkts digest 1759930

#pkts decaps: 1675224, #pkts decrypt: 1675224, #pkts verify 1675224

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1

path mtu 1500, ipsec overhead 56, media mtu 1500 --------------------------------

current outbound spi: 1806609a

inbound esp sas:

spi: 0xd3d05ca3(3553647779)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 6, crypto map: c_map1

sa timing: remaining key lifetime (k/sec): (4607369/28631)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

4 Replies

spremkumar
Level 9

Hi

Can you revert whether you're running the same PIX OS code on both these firewalls?

Regards

Hi

Yes, there is the same version on both sides.

PIX Version 6.3(4)

Thanks

Ric

Well, the mtu size should normally be left at the default size of 1500. However, when encrypting traffic using IPSec you may want to lower your mtu to something like 1400. The reason is that IPSec encrypts and encapsulates the traffic, which results in the packet size being higher than 1500 bytes if you leave it at the default size of 1500. This means that you are now transmitting two smaller packets instead of one. If you lower to 1400 then the packet, after encryption, will still be under 1500 and can be transmitted as one packet. This is an example of one of those rare instances when one might want to change the default mtu size.

ntwillie1
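
Added example, not written by any poster in this thread: the encapsulation arithmetic from the reply above, worked for the transform shown in the posted output (esp-des esp-sha-hmac, tunnel mode), together with a parser for the `path mtu` line of each peer. The field sizes are taken from the standard ESP packet layout and are assumptions of this example; the function names are hypothetical, and the device's reported "ipsec overhead 56" is parsed but not used in the calculation.

```python
import re

# ESP tunnel-mode field sizes for esp-des esp-sha-hmac, per the ESP packet
# layout. These constants are this example's assumptions, not PIX internals.
OUTER_IP = 20     # new IPv4 header without options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
IV = 8            # DES-CBC IV, matches "IV size: 8 bytes" in the output
BLOCK = 8         # DES block size; the ESP payload is padded to a multiple
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV = 12          # HMAC-SHA1 truncated to 96 bits
MTU_LINE = re.compile(r"path mtu (\d+), ipsec overhead (\d+), media mtu (\d+)")

def esp_packet_size(inner_len):
    """On-the-wire size of one inner IPv4 packet after ESP tunnel encapsulation."""
    pad = -(inner_len + ESP_TRAILER) % BLOCK
    return OUTER_IP + ESP_HEADER + IV + inner_len + pad + ESP_TRAILER + ICV

def max_inner_packet(path_mtu):
    """Largest inner packet whose encapsulated form still fits in path_mtu."""
    inner = path_mtu
    while inner > 0 and esp_packet_size(inner) > path_mtu:
        inner -= 1
    return inner

def parse_mtu_line(text):
    """Extract (path mtu, ipsec overhead, media mtu) from 'show crypto ipsec sa' text."""
    match = MTU_LINE.search(text)
    if match is None:
        raise ValueError("no 'path mtu' line found")
    return tuple(int(value) for value in match.groups())

def compare_peers(outputs):
    """Map each peer to its path MTU and the largest inner packet that fits whole."""
    result = {}
    for peer, text in outputs.items():
        path_mtu, _overhead, _media_mtu = parse_mtu_line(text)
        result[peer] = {"path_mtu": path_mtu, "max_inner": max_inner_packet(path_mtu)}
    return result

# The two lines below are copied from the outputs posted in the thread.
PEERS = {
    "192.168.1.1": "path mtu 1430, ipsec overhead 56, media mtu 1430",
    "192.168.2.1": "path mtu 1500, ipsec overhead 56, media mtu 1500",
}

if __name__ == "__main__":
    for peer, info in compare_peers(PEERS).items():
        print(peer, info)
    print("inner 1500 ->", esp_packet_size(1500), "| inner 1400 ->", esp_packet_size(1400))
```

With these sizes a 1500-byte inner packet grows past 1500 bytes once encapsulated, while a 1400-byte one stays below it, and the peer reporting path mtu 1430 can carry a smaller unfragmented inner packet than the peer reporting 1500.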

Hi

Thanks for the explanation, but the problem is that I DO NOT state in the config I want the mtu to 1430...

I'm wondering about that...

Ric
