User receives the IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet error message
The IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1500, eff_mtu = 1444 error message is displayed when the IP Security (IPSec) protocol is used over a lower Maximum Transmission Unit (MTU) link.
End stations perform MTU path discovery to determine the largest size packet that they can send over a link. This is typically 1500 bytes for an Ethernet link. However, when the discovery packets are encrypted, they cannot discover the actual MTU.
In this case, the error message states eff_mtu = 1444 and the MTU appears to be 1444 bytes. However, the client and the server are sending 1500-byte packets (pktsize=1500) over the VPN tunnel. Normally, this is not a problem because the tunnel gateways can fragment the packets before encryption. However, if applications are configured to set the Don't Fragment (DF) bit, then the gateways are not allowed to fragment those packets.
In this case, the PIX Firewall receives a 1500-byte packet and must fragment it to fit the 1444-byte effective MTU. However, the PIX cannot fragment the packet because the DF bit has been set by the application. You can use a sniffer program to determine whether the DF bit is set for the traffic in question.
Run an MTU program on the client machine or the server to lower the MTU size.
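To see why the DF bit turns a fragmentable 1500-byte packet into the error above, the following added example (not Cisco code) parses a constructed IPv4 header, reads the DF flag, and applies the same decision the page describes: fit under the effective MTU, fragment before encryption, or fail because DF is set. The 1500/1444 values come from the error message; the packet bytes and the `encap_decision` function are constructed for illustration.

```python
import struct

LINK_MTU = 1500   # Ethernet MTU from the page
EFF_MTU = 1444    # eff_mtu reported by the PIX after IPsec overhead


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return total length and the DF/MF flags from a minimal IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "total_length": total_len,
        "df": bool(flags_frag & 0x4000),  # bit 1 of the flags field = Don't Fragment
        "mf": bool(flags_frag & 0x2000),  # bit 2 = More Fragments
    }


def encap_decision(pkt: bytes, eff_mtu: int = EFF_MTU) -> str:
    """Mirror the gateway's choice before IPsec encapsulation (constructed logic)."""
    hdr = parse_ipv4_header(pkt)
    if hdr["total_length"] <= eff_mtu:
        return "encapsulate"            # fits the effective MTU as-is
    if hdr["df"]:
        return "unable to fragment packet"  # DF set: the PIX must drop it
    return "fragment before encryption"     # DF clear: gateway may fragment


def build_ipv4_packet(total_length: int, df: bool) -> bytes:
    """Build a constructed IPv4 packet (zero checksum, dummy payload) for testing."""
    flags_frag = 0x4000 if df else 0x0000
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 1, flags_frag, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * (total_length - len(header))


if __name__ == "__main__":
    for size, df in ((1500, True), (1500, False), (1444, True)):
        print(size, "DF" if df else "no-DF", "->", encap_decision(build_ipv4_packet(size, df)))
```

A client whose MTU is lowered to 1444 bytes (the last case) produces packets that the gateway can encapsulate without fragmenting, DF bit or not.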