I have a VPN connection across a SDSL 1.5Mbps connection to a Cisco VPN 3030 Concentrator. In front of the concentrator I have WAN gateway routers performing packet filtering and a PIX 525 firewall. The Concentrator sits on the VPN DMZ off of the PIX. The inside of the concentrator connects to the internal network.
My problem is with large ICMP echo packets (i.e. PING). I can ping 32 bytes, 1K, 8K, 16K no problem. At about 20K it starts getting dicey and 32K up to 64K will not go through at all. I was having problems with 16K packets also but I changed the MTU on the Windows servers to 1300 bytes and now the packets are getting through. I made a change on the VPN concentrator on the interfaces, the setting "Public Interface IPSec Fragmentation Policy" is set to "Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission". I changed the setting to "Fragment prior to IPSec encapsulation with Path MTU Discovery (ICMP)" and this made terminal sessions start to fail on VPN sessions that went from one spoke to another.
Does anyone have any idea as to why the large ICMP packets are failing across the VPN?
The tunnel path-mtu-discovery command helps the GRE interface set its IP MTU dynamically, rather than statically with the ip mtu command. It is actually recommended that both commands are used. The ip mtu command is used to provide room for the GRE and IPsec overhead relative to the local physical outgoing interface IP MTU. The tunnel path-mtu-discovery command allows the GRE tunnel IP MTU to be further reduced if there is a lower IP MTU link in the path between the IPsec peers.
Use the 'tcp mss adjust' command. It will solve your problem.
I appreciate your input; in fact I will use it in another scenario. But if you read my post, I do not have routers (since it appears you are quoting IOS commands) in this VPN solution. This VPN solution is a PIX to VPN 3030 Concentrator. Also this is not a GRE tunnel but a simple IPSEC tunnel.
"I changed the setting to "Fragment prior to IPSec encapsulation with Path MTU Discovery (ICMP)"" will only work if you have a PMTUD supported device in front of the concentrator. PIX is one such device. Try changing the sysopt connection tcpmss 1200 in the PIX and keep the same option checked in the concentrator.
Since you have already changed the MTU on the server, your client connections will keep running. With the help of tcp mss in the PIX in front of the conc., hopefully your spoke connections will keep on running also. If they are not, try the mss command in the spoke PIX first.
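The arithmetic behind the symptoms in this thread (large pings failing, 1300-byte MTU helping, the MSS advice), as an added example that is not part of the original posts. It assumes ESP in tunnel mode with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV) and no NAT-T; the concentrator's actual transform set is not stated in the thread, so the overhead constants are assumptions to adjust. The point it makes: a 1500-byte inner fragment grows past 1500 bytes once encapsulated, so every fragment of a large echo is fragmented a second time on the wire, and because IP reassembly needs every fragment, the chance of a 32K ping completing falls with the fragment count. Dropping the inner MTU to 1300 keeps each encapsulated fragment under 1500 bytes, which is why that change made 16K pings work.

```python
"""Added example: ESP tunnel-mode overhead and IPv4 fragmentation arithmetic.

Assumptions (not from the thread): ESP tunnel mode, AES-CBC (16-byte IV, 16-byte
block), HMAC-SHA1-96 (12-byte ICV), no NAT-T UDP header. Change the constants to
match the transform set actually configured on the concentrator.
"""
import math
from typing import List

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_IV = 16         # AES-CBC IV (assumption)
ESP_BLOCK = 16      # AES block size; plaintext is padded to this boundary (assumption)
ESP_TRAILER = 2     # pad length (1) + next header (1)
ESP_ICV = 12        # HMAC-SHA1-96 integrity check value (assumption)
IP_HDR = 20
ICMP_HDR = 8
TCP_HDR = 20


def esp_outer_size(inner_len: int) -> int:
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    padded = math.ceil((inner_len + ESP_TRAILER) / ESP_BLOCK) * ESP_BLOCK
    return OUTER_IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_inner_mtu(outer_mtu: int) -> int:
    """Largest inner packet that still fits in outer_mtu once encapsulated."""
    inner = outer_mtu
    while esp_outer_size(inner) > outer_mtu:
        inner -= 1
    return inner


def ip_fragments(payload_len: int, mtu: int) -> List[int]:
    """Split an IPv4 payload (L4 header + data) into fragments for a link of the given MTU.
    Every fragment but the last carries a multiple of 8 payload bytes (fragment offset unit).
    Returns each fragment's total length including its 20-byte IP header."""
    per_frag = (mtu - IP_HDR) // 8 * 8
    sizes = []
    remaining = payload_len
    while remaining > 0:
        chunk = min(per_frag, remaining)
        sizes.append(IP_HDR + chunk)
        remaining -= chunk
    return sizes


def icmp_echo_fragments(data_len: int, mtu: int) -> List[int]:
    """Fragments produced by an ICMP echo carrying data_len bytes (e.g. ping -l 32000)."""
    return ip_fragments(ICMP_HDR + data_len, mtu)


def wire_fragments_after_esp(inner_sizes: List[int], outer_mtu: int) -> int:
    """Fragments actually sent once each inner fragment is encapsulated and, if the result
    exceeds outer_mtu, fragmented again ("fragment prior to interface transmission")."""
    total = 0
    for size in inner_sizes:
        outer = esp_outer_size(size)
        if outer > outer_mtu:
            total += len(ip_fragments(outer - OUTER_IP_HDR, outer_mtu))
        else:
            total += 1
    return total


def delivery_probability(n_fragments: int, per_fragment_loss: float) -> float:
    """Reassembly needs every fragment: loss of any one drops the whole datagram."""
    return (1.0 - per_fragment_loss) ** n_fragments


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits the given MTU with plain IPv4 and TCP headers (no options)."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for inner_mtu in (1500, 1300):
        frags = icmp_echo_fragments(32000, inner_mtu)
        wire = wire_fragments_after_esp(frags, 1500)
        print(f"inner MTU {inner_mtu}: {len(frags)} inner fragments -> {wire} on the wire, "
              f"p(delivered | 1% loss) = {delivery_probability(wire, 0.01):.2f}")
    print("largest inner packet that fits a 1500-byte path:", max_inner_mtu(1500))
    print("MSS for a 1300-byte inner MTU:", mss_for_mtu(1300))
```

Running it shows a 32000-byte echo becoming 43 wire fragments behind a 1500-byte inner MTU versus 26 behind a 1300-byte one, and that under these assumptions the inner MTU has to be 1438 bytes or less to avoid the second fragmentation entirely. The MSS figure is the TCP-only equivalent of the same reduction, which is what the PIX tcpmss setting enforces for TCP sessions; ICMP has no MSS, so large pings keep relying on fragmentation regardless.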