Cisco Support Community
Community Member

PIX to PIX VPN and MTU settings

We have finally resolved the issue of users login times taking about 6-7 minutes across the site to site VPN by adding the following registry entry to each client:



So do I understand it correctly that there is no other resolution for packet defragmentation problems such as this?


Re: PIX to PIX VPN and MTU settings

The problem of long delays while logging in to a Kerberos Active Directory are discussed in bug CSCdu88694. The workaround is to set up Kerberos to use TCP instead of UDP.

Community Member

Re: PIX to PIX VPN and MTU settings

I had a similar problem and posted a similar question a few days ago.

What i discovered is that when pc's log on to a windwows domain over a wan connection (whether or not it is a vpn connection) it uses kerberos with UDP to authenticate to the server. However the udp packets may exceed the mtu.

It also pings the sverer with an icmp packet of 2048 bytes. When it receives a reply to the packet it does a calculation based on the size of the packet and the response time in order to determine whether the pc is logging on over a slow link.

Kerberos causes problems with the logon time which for me was between 10-15 minutes. The ping causes group policies to not be applied.

I had to make the necessary MaxPAcketSize change.This allowed me to logon quicker but group policies were not applying.

Both of these issues indicated a fragmentation problem. So i suggest do the following:

1) Allow icmp on all interface on both pix's

2) run a debug icmp trace on both firewalls

3) ping an internet host, such as with the following command ping -f -l 1472, if this works it means the lowest mtu between you and is 1500. Then try a higher value, you should receive a "Fragmentation required but DF flag set". This tests whether PMTU is able to discover MTU's properly. If this is successful go to step 4

4) From one side of the tunnel ping a pc on the other side with the following command. ping -l 2048

If you get a reply, there isn't a fragmentation problem. However if you get a "Reuest timed out" like i did then it indicates the firewall is not hadnling large packets properly.

My resolution was to set the MTU of the outside interfaces of both pix's to 1492, Pings work now, logons work, my client is happy but i am waiting for a response to my post to find out WHY??

Hope this helps

CreatePlease to create content