Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

User receives the IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet error message

Core issue

The IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1500, eff_mtu = 1444 error message is displayed when the IP Security (IPSec) protocol is used over a lower Maximum Transmission Unit (MTU) link. 

End stations perform MTU path discovery to determine the largest size packet that they can send over a link. This is typically 1500 bytes for an Ethernet link. However, when the discovery packets are encrypted, they cannot discover the actual MTU.

In this case, the error message states eff_mtu = 1444 and the MTU appears to be 1444 bytes. However, the client and the server are sending 1500-byte packets (pktsize=1500) over the VPN tunnel. Normally, this is not a problem because the tunnel gateways can fragment the packets before encryption. However, if applications are configured to set the Don't Fragment (DF) bit, then the gateways are not allowed to fragment those packets.


In this case, the PIX Firewall receives a 1500-byte packet and must fragment it to fit the 1444-byte link. However, the PIX cannot fragment the packet because the DF bit has been set by the application. You can use a sniffer program can determine if the DF bit is set for the traffic in question.


Run an MTU program on the client machine or the server to lower the MTU size.

For information on how to change the MTU size, refer to the Downloading the Dr. TCP Utility section of Troubleshooting MTU Size in PPPoE Dialin Connectivity.

For more information, refer to these documents:

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 03:39 PM
Updated by:
Labels (1)