VPN fragmentation and MTU

rj.remien
Level 1

I have 3 remote 1721 routers terminating at a central hub PIX 515. I am running debug ip icmp and seeing the syslog message "ICMP: dst (x.x.x.x) frag. needed and DF set unreachable sent to x.x.x.x". I see at least 4 to 5 of these messages an hour per remote site. I have lowered the MTU on all the remote routers to 1444 (I am running IPsec only; I have read it can use 56 bytes of overhead by itself?). When I lower the PIX MTU to 1444, you can ping from the remote sites but cannot successfully connect to any app servers at the hub site behind the PIX. I have 4 questions regarding this scenario.

1. When lowering the MTU on your VPN devices, should they all be the same number? (Assuming all interfaces are Ethernet.)

2. Should all the interfaces on all the devices between the two routers along the VPN path have the same MTU as the termination endpoints? (So for an Internet router that is between the hub PIX and the remote router, both e0 and s0 have the same lowered MTUs?)

3. If I am seeing this message 4 times an hour per remote site, is there a lot of fragmentation happening?

4. To ultimately improve performance, does the MTU need to be set on each workstation behind the remote VPN device and on the app server at the hub site?

I have read the link "IP Fragmentation and PMTUD", which is a good resource, but I wanted someone's opinion/experience on this.

Thanks,

RJ

3 Replies

jfrahim
Level 5

Hi RJ,

See inline comments.

Jazib

1. When lowering the MTU on your VPN devices, should they all be the same number? (Assuming all interfaces are Ethernet.)

Jazib>> You should not change the MTU size on the VPN devices unless you have to for some reason. If you change the MTU on the servers and then you change the MTU on the VPN devices, you kind of defeat the purpose of changing the MTU on the servers.

2. Should all the interfaces on all the devices between the two routers along the VPN path have the same MTU as the termination endpoints? (So for an Internet router that is between the hub PIX and the remote router, both e0 and s0 have the same lowered MTUs?)

Jazib>> Once again, changing the MTU on the VPN devices does not make sense. Similarly, you don't really want to change the MTU on the routers in the path of the IPsec tunnel.

3. If I am seeing this message 4 times an hour per remote site, is there a lot of fragmentation happening?

Jazib>> Routers rate-limit the ICMP messages. It is possible that your router is sending more ICMP messages than what you see. Plus, the number of fragmentation messages depends on the amount of traffic you are sending over the tunnel. If you are only sending 10 packets/hr, then getting 4 ICMP/hr is a lot. But if you are sending 4 megs/hr, then it does not seem a lot.

4. To ultimately improve performance, does the MTU need to be set on each workstation behind the remote VPN device and on the app server at the hub site?

Jazib>> This is one of the ways to improve the performance. If you have a Cisco router between the servers and the VPN device, then you can try setting a lower MTU on that router as well.

Jazib

1. If I do not lower the MTU on the interfaces that have crypto maps applied, then the VPN routers will continually try to send packets over 1500 because of the overhead of IPsec, right?

2. I have noticed when running "debug ip icmp" on my VPN router, and I am trying to read email across the VPN, it is intermittently freezing while I am scrolling through messages in my inbox. During the freezing time, I see in my syslog server the message "ICMP: dst (mail server IP) frag. needed and DF set unreachable sent to (Outlook client IP)". So, fragmentation is happening, which is causing a slowdown. Is there anything I can do about this? Or is this possibly an intermediate Internet router problem along my VPN path?

Thanks,

RJ

1. If I do not lower the MTU on the interfaces that have crypto maps applied, then the VPN routers will continually try to send packets over 1500 because of the overhead of IPsec, right?

Jazib>> If the incoming packets (packets coming from the PCs to the VPN router) had the DF bit set, then the VPN router would drop those packets. And in that case, you will see ICMP messages.

2. I have noticed when running "debug ip icmp" on my VPN router, and I am trying to read email across the VPN, it is intermittently freezing while I am scrolling through messages in my inbox. During the freezing time, I see in my syslog server the message "ICMP: dst (mail server IP) frag. needed and DF set unreachable sent to (Outlook client IP)". So, fragmentation is happening, which is causing a slowdown. Is there anything I can do about this? Or is this possibly an intermediate Internet router problem along my VPN path?

Jazib>> In that case, you have a few options:

a) Set a lower MTU on the client and on the server.

b) Set a lower outbound MTU on a router which is before the VPN router.

c) Configure the router to clear the DF bit when the VPN router receives a packet with the DF bit set.

Hope that helps.

Jazib
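The two points the thread circles around, how much ESP tunnel-mode overhead eats out of a 1500-byte MTU (RJ's "56 bytes?") and what the encrypting router does with an oversized packet depending on the DF bit (the "frag. needed and DF set" syslog line), can be worked out numerically. The following is an added example, not code from the thread or from Cisco. It assumes a 3DES-CBC / HMAC-SHA1-96 transform set in ESP tunnel mode over plain IPv4 with no NAT-T (the thread never states the transform; an AES constant is included for comparison), and it models the "fragment before encrypting" behaviour; older code that fragments after encryption and reassembles at the peer gives the same wire size but a different fragment count.

```python
"""Added example (not part of the original thread): estimate IPsec ESP
tunnel-mode overhead and simulate what the encrypting router does with a
packet that no longer fits once encapsulated, with and without DF set.

Assumptions (not stated in the thread): ESP tunnel mode over IPv4, no
NAT-T/UDP encapsulation, 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96
(12-byte ICV). AES-CBC uses a 16-byte block and IV.
"""
from dataclasses import dataclass

IPV4_HDR = 20        # outer (and inner) IPv4 header without options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
TCP_HDR = 20         # TCP header without options


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int   # cipher block size; payload+pad+trailer is aligned to it
    iv: int      # IV length in bytes
    icv: int     # integrity check value length in bytes


TDES_SHA1 = EspTransform("esp-3des esp-sha-hmac", block=8, iv=8, icv=12)
AES_SHA1 = EspTransform("esp-aes esp-sha-hmac", block=16, iv=16, icv=12)


def esp_padding(inner_len: int, t: EspTransform) -> int:
    """ESP padding bytes so that inner packet + pad + trailer is block aligned."""
    return (-(inner_len + ESP_TRAILER)) % t.block


def encapsulated_size(inner_len: int, t: EspTransform) -> int:
    """Bytes on the wire for an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    return (IPV4_HDR + ESP_HDR + t.iv + inner_len + esp_padding(inner_len, t)
            + ESP_TRAILER + t.icv)


def max_inner_packet(outer_mtu: int, t: EspTransform) -> int:
    """Largest inner packet whose encapsulation still fits in outer_mtu.

    This is the value a router puts in the 'next-hop MTU' field of the
    ICMP type 3 code 4 it sends when a DF packet is too big.
    """
    n = outer_mtu
    while encapsulated_size(n, t) > outer_mtu:
        n -= 1
    return n


def tcp_mss_for(outer_mtu: int, t: EspTransform) -> int:
    """TCP MSS to clamp on hosts behind the tunnel: inner MTU minus IP and TCP headers."""
    return max_inner_packet(outer_mtu, t) - IPV4_HDR - TCP_HDR


def forward_through_tunnel(inner_len: int, df: bool, outer_mtu: int,
                           t: EspTransform) -> dict:
    """Decision the encrypting router makes for one clear-text packet.

    Returns a dict with action 'encrypt', 'drop' (DF set: ICMP type 3 code 4
    back to the sender, i.e. the thread's 'frag. needed and DF set' line) or
    'fragment' (DF clear: fragment before encrypting, assumed behaviour).
    """
    limit = max_inner_packet(outer_mtu, t)
    if inner_len <= limit:
        return {"action": "encrypt", "wire_bytes": encapsulated_size(inner_len, t)}
    if df:
        return {"action": "drop", "icmp": (3, 4), "next_hop_mtu": limit}
    # Fragment offsets are in 8-byte units, so each fragment's payload is a
    # multiple of 8 that, with its IP header, still fits the inner limit.
    payload_per_frag = (limit - IPV4_HDR) // 8 * 8
    nfrag = -(-(inner_len - IPV4_HDR) // payload_per_frag)
    return {"action": "fragment", "fragments": nfrag}


if __name__ == "__main__":
    for t in (TDES_SHA1, AES_SHA1):
        print(f"{t.name}: 1500-byte inner packet -> {encapsulated_size(1500, t)} on the wire;"
              f" max inner packet {max_inner_packet(1500, t)};"
              f" clamp TCP MSS to {tcp_mss_for(1500, t)}")
    print(forward_through_tunnel(1500, True, 1500, TDES_SHA1))
    print(forward_through_tunnel(1500, False, 1500, TDES_SHA1))
```

With the assumed 3DES/SHA-1 transform a full 1500-byte packet becomes 1552 bytes on the wire, and the largest inner packet that still fits is 1446 bytes (54 bytes of overhead here, up to 57 with worst-case padding), which is why lowering the edge MTU to the 1440s stops the ICMP messages from the VPN router itself. The practical fix for TCP traffic is to clamp the MSS on the inside interface rather than shrink interface MTUs; on IOS that is `ip tcp adjust-mss <value>` and on the PIX `sysopt connection tcpmss <value>` (exact availability depends on the software version running on the 1721s and the 515). Clearing DF (option c above) makes the traffic flow but silently disables the sender's PMTUD and moves the cost to fragmentation and reassembly at the peer, so treat it as a workaround, not the end state.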