Cisco Support Community

Unable to pass large packets through the site-to-site VPN tunnel, IPSec, with the routers and the PIX 500 Series Firewall

Core issue

This issue typically shows up as one of these symptoms:

  • FTP traffic does not get across the tunnel.
  • Files larger than 1K are not able to go through the tunnel.
  • The remote desktop session does not come up for remote machines on the far end.

The VPN tunnel is established and pinging is functional. However, applications that use large packets, such as File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), or Structured Query Language (SQL), do not work.
The problem is related to either of these issues:
  • Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
  • Fragmentation policy during encryption

Complete these steps in order to resolve this issue:
  1. Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.

    You can also use the ping test, which sends a packet with the Don't Fragment (DF) bit set (-f) and a payload of 1400 bytes (-l):

    ping -l 1400 -f <ip_address>

    where <ip_address> is the IP address of the remote machine.

  2. Continue to reduce the value of 1400 by 20 until there is a reply.

    Note: The magical value, which works in most instances, is 1300.
  3. After the appropriate maximum segment size is achieved, adjust it appropriately for the devices in use:

    On the Router:

    ip tcp adjust-mss 1300

    On the PIX Firewall:

    sysopt connection tcpmss 1300

    Note: If this does not resolve the issue on the router, issue the crypto ipsec df-bit clear command, which clears the Don't Fragment (DF) bit in the encapsulating header in tunnel mode on all interfaces, so that the encrypted packets can be fragmented in transit. This also helps to resolve most of the application issues with IPSec over Generic Routing Encapsulation (GRE) tunnel interfaces.
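The following script automates the probe loop from steps 1 and 2 and derives the value for step 3. It is an added example, not part of the original article or of any Cisco tool. It assumes the local ping binary is either Windows ping (-f, -l) or Linux iputils ping (-M do, -s), and that a zero exit status means an echo reply was received; the `simulated_path` probe is a constructed stand-in so the loop can be exercised without a tunnel. Note that a ping payload of N bytes produces an IP packet of N + 28 bytes, so the TCP MSS that fits the same packet is N - 12, which is why the derived MSS is slightly smaller than the passing ping size.

```python
"""Path MTU probe loop for an IPsec tunnel (added example, not Cisco's own code).

Mirrors the manual procedure: send a ping with the DF bit set and a 1400-byte
payload, reduce the payload by 20 until a reply comes back, then derive the
TCP MSS to configure on the router or PIX.
"""
import platform
import subprocess
from typing import Callable, Dict, Optional

ICMP_ECHO_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
TCP_IPV4_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with DF set and `payload` data bytes; True on reply.

    Assumption: exit status 0 means an echo reply arrived; a "needs to be
    fragmented" error or a timeout yields a non-zero status.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    try:
        result = subprocess.run(cmd, capture_output=True, timeout=timeout_s + 5)
        return result.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_max_payload(probe: Callable[[int], bool], start: int = 1400,
                     step: int = 20, floor: int = 500) -> Optional[int]:
    """Largest ping payload (bytes) that crosses the path unfragmented.

    Walks down from `start` in `step` decrements, as the article describes,
    and returns None if nothing at or above `floor` gets through.
    """
    size = start
    while size >= floor:
        if probe(size):
            return size
        size -= step
    return None


def mss_for_payload(payload: int) -> int:
    """TCP MSS that fits in the same IP packet size as the passing ping."""
    return payload + ICMP_ECHO_OVERHEAD - TCP_IPV4_OVERHEAD


def mss_commands(mss: int) -> Dict[str, str]:
    """The two configuration lines from step 3, filled in with the derived MSS."""
    return {
        "router": f"ip tcp adjust-mss {mss}",
        "pix": f"sysopt connection tcpmss {mss}",
    }


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df: replies only if the packet fits path_mtu."""
    return lambda payload: payload + ICMP_ECHO_OVERHEAD <= path_mtu


if __name__ == "__main__":
    import sys
    # Usage: python probe_mtu.py <remote_ip>   (no argument: offline simulation)
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda n: ping_df(host, n)) if host else simulated_path(1380)
    best = find_max_payload(probe)
    if best is None:
        print("No DF-bit ping got through; check the tunnel before tuning MSS.")
    else:
        mss = mss_for_payload(best)
        print(f"largest unfragmented ping payload: {best} bytes -> MSS {mss}")
        for device, line in mss_commands(mss).items():
            print(f"  {device}: {line}")
```

Running the script with no argument uses the constructed 1380-byte path, which fails at 1400, 1380 and 1360 and first succeeds at a 1340-byte payload, giving an MSS of 1328; the article's 1300 is a safe round-down of that kind of result.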

Refer to these documents for more illustrative information on fragmentation and MSS: