
New Member

VPN Client - Pings of 1500 bytes fail?

I have a VPN client setup into a 1700 router. My customer is complaining that they can ping devices on the office LAN however, as they increase the ping size it starts to fail.

Any thoughts?

4 REPLIES
Hall of Fame Super Silver

Re: VPN Client - Pings of 1500 bytes fail?

Andrew

My first thought is that when you send data through a VPN tunnel the processing of IPSec adds extra header information to the packet. The addition of extra headers will make a normal full size (or almost full size) packet too large to fit through the tunnel. Unless you have some additional information about the problem I believe that the additional header may explain their problem.

HTH

Rick

New Member

Re: VPN Client - Pings of 1500 bytes fail?

Yes, I believe that this may well be the problem - are you aware of any way round it? Fragmentation etc?

Hall of Fame Super Silver

Re: VPN Client - Pings of 1500 bytes fail?

Andrew

For TCP based traffic I have found a very effective solution with the ip tcp adjust-mss command which is configured on the LAN interface(s) of the router. This command will cause the end stations to negotiate a mss that is small enough that fragmentation will not be needed. It may take some experimentation to find the optimum value to set to eliminate fragmentation. (The amount of overhead will vary depending on some options within IPSec and whether you are doing GRE with IPSec or IPSec without GRE. I frequently use 1375 in environments using both GRE and IPSec and find that works for us.)

For non-TCP traffic I have seen a solution which uses a route map to identify the IPSec traffic and to turn off the DF bit. This allows the packet to be fragmented as it passes through the IPSec tunnel. I have not used this solution so I can not speak to details of how it works.

HTH

Rick

New Member

Re: VPN Client - Pings of 1500 bytes fail?

Also, if the host is sending the packet with the DF bit set, then the router will respond with an ICMP message to the sending host notifying the host to decrease the packet size. You may have a firewall in place blocking these ICMP messages from the VPN device.

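The replies above describe three linked mechanisms: ESP overhead shrinking the usable MTU, `ip tcp adjust-mss` keeping TCP segments inside it, and the DF bit / ICMP "Fragmentation Needed" interaction that a firewall can break. The following Python model, added here as an illustration and not code from the thread or from Cisco, works through all three. The overhead figures it uses (ESP tunnel mode, AES-CBC with a 16-byte IV, a 12-byte HMAC-SHA1-96 ICV, no NAT-T) are assumed typical values, not numbers taken from the posts.

```python
"""Added example, not code from the forum thread above.

Models ESP tunnel-mode overhead, the TCP MSS that `ip tcp adjust-mss` would
need to advertise on a 1500-byte path, and what the tunnel endpoint does with
an oversize datagram depending on its DF bit. Cipher/ICV sizes are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # added only when NAT-T (UDP/4500) encapsulation is in use
GRE_HDR = 4        # GRE header without key/sequence fields
ESP_SPI_SEQ = 8    # ESP SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def esp_overhead(clear_len: int, block: int = 16, iv: int = 16,
                 icv: int = 12, nat_t: bool = False) -> int:
    """Bytes ESP tunnel mode adds around a clear_len-byte inner packet.
    Inner packet + padding + 2-byte trailer must be a multiple of the cipher
    block size, so the padding (and total overhead) depends on clear_len."""
    pad = (-(clear_len + ESP_TRAILER)) % block
    total = IP_HDR + ESP_SPI_SEQ + iv + pad + ESP_TRAILER + icv
    return total + UDP_HDR if nat_t else total


def max_clear_len(path_mtu: int = 1500, **esp) -> int:
    """Largest inner packet whose encapsulated form still fits path_mtu."""
    for clear in range(path_mtu, 0, -1):
        if clear + esp_overhead(clear, **esp) <= path_mtu:
            return clear
    return 0


def max_tcp_mss(path_mtu: int = 1500, gre: bool = False, **esp) -> int:
    """Largest TCP MSS that survives encapsulation, i.e. the value to hand to
    `ip tcp adjust-mss`. With GRE over IPsec the segment also carries the GRE
    delivery IP header and the GRE header before ESP sees it."""
    extra = (IP_HDR + GRE_HDR) if gre else 0
    for mss in range(path_mtu, 0, -1):
        clear = extra + IP_HDR + TCP_HDR + mss
        if clear + esp_overhead(clear, **esp) <= path_mtu:
            return mss
    return 0


@dataclass
class Verdict:
    action: str                                  # "forward", "fragment" or "drop"
    icmp: Optional[Tuple[int, int, int]] = None  # (type, code, next-hop MTU) if sent


def tunnel_ingress(total_len: int, df: bool, path_mtu: int = 1500, **esp) -> Verdict:
    """What the IPsec endpoint does with a clear-text datagram of total_len bytes.
    Without DF it fragments; with DF it drops and sends ICMP Type 3 Code 4
    (Fragmentation Needed) carrying the largest size that would fit (RFC 1191)."""
    if total_len + esp_overhead(total_len, **esp) <= path_mtu:
        return Verdict("forward")
    if df:
        return Verdict("drop", (3, 4, max_clear_len(path_mtu, **esp)))
    return Verdict("fragment")


def pmtud_outcome(start_len: int, icmp_allowed: bool,
                  path_mtu: int = 1500, **esp) -> Optional[int]:
    """Host-side path MTU discovery: send with DF set, shrink on ICMP 3/4.
    Returns the size that finally gets through, or None when a firewall drops
    the ICMP error and the host keeps retrying the same oversize packet."""
    size = start_len
    for _ in range(8):                      # a few rounds is plenty for one hop
        verdict = tunnel_ingress(size, df=True, path_mtu=path_mtu, **esp)
        if verdict.action == "forward":
            return size
        if not icmp_allowed:
            return None                     # PMTU black hole
        size = verdict.icmp[2]              # honour the advertised next-hop MTU
    return None


if __name__ == "__main__":
    print("max inner packet on a 1500-byte path:", max_clear_len())
    print("MSS, IPsec only        :", max_tcp_mss())
    print("MSS, GRE over IPsec    :", max_tcp_mss(gre=True))
    print("1500-byte ping, DF set :", tunnel_ingress(1500, df=True))
    print("1500-byte ping, no DF  :", tunnel_ingress(1500, df=False))
    print("PMTUD, ICMP allowed    :", pmtud_outcome(1500, icmp_allowed=True))
    print("PMTUD, ICMP filtered   :", pmtud_outcome(1500, icmp_allowed=False))
```

With these assumed parameters the GRE-over-IPsec MSS comes out within a byte or two of the 1375 Rick says he uses, which is why the real figure has to be found by experiment: padding, NAT-T and the chosen cipher all move it. The `pmtud_outcome` function shows the failure in the last reply directly: with ICMP Type 3 Code 4 reaching the host the 1500-byte ping is retried at a size that fits, and with it filtered the host never learns why its larger pings disappear.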