12-22-2005 08:58 AM - edited 02-21-2020 12:36 AM
I'm experiencing problems sending fax over IP via a crypto tunnel between two PIXes (CISCO PIX 515E).
The strange thing I see is the media mtu 1430 (should be the default 1500) on one of the two PIXes. Does anybody know why?
In the config mtu is 1500:
---
mtu outside 1500
mtu inside 1500
---
interface: outside
Crypto map tag: c_map1, local addr. 192.168.1.1
local ident (addr/mask/prot/port): (voip/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Voce/255.255.255.0/0/0)
current_peer: 192.168.2.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1635203, #pkts encrypt: 1635203, #pkts digest 1635203
#pkts decaps: 1727409, #pkts decrypt: 1727409, #pkts verify 1727409
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1430, ipsec overhead 56, media mtu 1430 --------------------------------
current outbound spi: 21de283f
inbound esp sas:
spi: 0xee6027a5(3999279013)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 14, crypto map: c_map1
sa timing: remaining key lifetime (k/sec): (4596072/1276)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x21de283f(568207423)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 13, crypto map: c_map1
sa timing: remaining key lifetime (k/sec): (4600347/1276)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
On the other side, media mtu is 1500:
interface: outside
Crypto map tag: c_map1, local addr. 192.168.2.1
local ident (addr/mask/prot/port): (Voip/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Voip/255.255.255.0/0/0)
current_peer: 192.168.1.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1759930, #pkts encrypt: 1759930, #pkts digest 1759930
#pkts decaps: 1675224, #pkts decrypt: 1675224, #pkts verify 1675224
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, ipsec overhead 56, media mtu 1500 --------------------------------
current outbound spi: 1806609a
inbound esp sas:
spi: 0xd3d05ca3(3553647779)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: c_map1
sa timing: remaining key lifetime (k/sec): (4607369/28631)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
12-22-2005 11:47 PM
Hi
Can you revert whether you're running the same PIX OS code on both these firewalls?
Regards
12-23-2005 12:04 AM
Hi
Yes, there is the same version on both sides.
PIX Version 6.3(4)
Thanks
Ric
12-27-2005 08:13 PM
Well, the mtu size should normally be left at the default size of 1500. However, when encrypting traffic using IPSec you may want to lower your mtu to something like 1400. The reason is that IPSec encrypts and encapsulates the traffic, which results in the packet size being higher than 1500 bytes if you leave it at the default size of 1500. This means that you are now transmitting two smaller packets instead of one. If you lower it to 1400, then the packet, after encryption, will still be under 1500 and can be transmitted as one packet. This is an example of one of those rare instances when one might want to change the default mtu size.
ntwillie1
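Added example, not part of any post in this thread: a small Python parser for the `local crypto endpt.` and `path mtu ... ipsec overhead ... media mtu` lines of the outputs quoted above, which compares the two ends of the tunnel. The function names, the `configured_mtu` parameter and the reading of "ipsec overhead" as the worst-case bytes added per packet are assumptions of this example.

```python
import re

ENDPT_RE = re.compile(r"local crypto endpt\.: ([\d.]+), remote crypto endpt\.: ([\d.]+)")
MTU_RE = re.compile(r"path mtu (\d+), ipsec overhead (\d+), media mtu (\d+)")

# The two line pairs below are copied from the outputs posted in this thread.
SAMPLE = """\
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1430, ipsec overhead 56, media mtu 1430 ----------------
local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, ipsec overhead 56, media mtu 1500 ----------------
"""

def parse_sa(text):
    """Return one dict per SA whose endpoint and MTU lines both appear."""
    sas, current = [], None
    for line in text.splitlines():
        m = ENDPT_RE.search(line)
        if m:
            current = {"local": m.group(1), "remote": m.group(2)}
            continue
        m = MTU_RE.search(line)
        if m and current is not None:
            path, overhead, media = map(int, m.groups())
            # Assumption: "ipsec overhead" is the worst-case bytes added per packet,
            # so path mtu minus overhead is the largest inner packet sent unfragmented.
            current.update(path_mtu=path, overhead=overhead, media_mtu=media,
                           max_inner=path - overhead)
            sas.append(current)
            current = None
    return sas

def compare_peers(a, b, configured_mtu=1500):
    """Describe MTU disagreements between the two ends of one tunnel."""
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        return ["outputs do not describe the same tunnel"]
    findings = []
    for sa in (a, b):
        if sa["media_mtu"] != configured_mtu:
            findings.append(f"{sa['local']}: media mtu {sa['media_mtu']} "
                            f"differs from configured {configured_mtu}")
    if a["max_inner"] != b["max_inner"]:
        findings.append(f"largest unfragmented inner packet: {a['local']} "
                        f"{a['max_inner']} bytes, {b['local']} {b['max_inner']} bytes")
    return findings

if __name__ == "__main__":
    for finding in compare_peers(*parse_sa(SAMPLE)):
        print(finding)
```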
12-28-2005 12:40 AM
Hi
Thanks for the explanation, but the problem is that I DO NOT state in the config I want the mtu to be 1430...
I'm wondering about that...
Ric