I've noticed a Router recently with lots of fragmentation issues, pretty much maxing out the 'ip virtual-reassembly' options. On the interface, which is acting as the local peer, we are clearing the DF bit, and the same on the remote peer end.
Currently the 'ip mtu' on the interface is 1310. Now, if you take an IPSec packet which has a maximum of (52) byte header (I believe this is correct), and a new IP header since it's in tunnel mode, which will be needed for Source/Destination IP local peer to remote peer. I'm trying to figure out why all this fragmentation is happening.
If you use the Cisco VPN Client from a machine on this network, we don't see any issues (of course the Cisco VPN Client automatically sets its MTU), which is probably why this is happening.
It looks like we are receiving LOTS of fragmented packets, and it is filling up the 'ip virtual-reassembly' command so to speak. So this leads me to believe that something is fragmenting packets; I just honestly don't know the best way to go about finding where this is coming from, since Peer to Peer is through the Internet, which obviously I do not have control of.
I suggest not clearing the DF bit; it is needed for end-to-end path MTU discovery.
Also you don't need to set the ip mtu parameter, an ipsec security association (or child sa for IKEv2) will automatically calculate the tunnel mtu and handle ip packets accordingly: fragment packets to the maximum tunnel mtu if DF is cleared or discard the packet and send a "packet too big" icmp to the sending host, allowing it to adjust the path mtu.
Allow ICMP on the complete path and don't clear the DF.
PS: I just noticed you set the ip mtu on the "interface, which is acting the local peer" - this will reduce the mtu of the tunnel itself, not the "tunnel payload". The tunnel payload is now 1310 minus the tunnel overhead.
Typically it's TCP-traffic that is using bigger payloads and needs to be fragmented. One solution to solve that is to use the "ip tcp adjust-mss" command to reduce the MSS to a value that fits into the VPN tunnel.
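The reply above makes two points that are easier to see with numbers: the 'ip mtu 1310' on the peer interface limits the encrypted packet, so the cleartext payload is 1310 minus the ESP tunnel-mode overhead, and the MSS value for "ip tcp adjust-mss" has to be derived from that smaller payload. The calculator below is an added example, not code from the thread or from Cisco; it assumes ESP in tunnel mode with a 16-byte IV and 16-byte cipher block (AES-CBC) and a 12-byte ICV (HMAC-SHA1-96), no NAT-T unless requested. Those cipher parameters are assumptions, not values stated in the thread.

```python
# Added example (not from the original thread): IPsec ESP tunnel-mode
# overhead, usable inner MTU, and the TCP MSS that fits through the tunnel.
# Assumed transform: AES-CBC (16-byte IV, 16-byte block) + HMAC-SHA1-96 (12-byte ICV).

OUTER_IP_HDR = 20   # new outer IPv4 header added in tunnel mode
ESP_SPI_SEQ = 8     # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted region
INNER_IP_HDR = 20   # the original (inner) IPv4 header, carried as payload
TCP_HDR = 20        # TCP header without options
UDP_NATT = 8        # extra UDP header when NAT traversal (UDP/4500) is in use


def esp_tunnel_packet_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Wire size of the ESP packet that carries a cleartext inner IP packet of inner_len bytes.

    The encrypted region is the inner packet plus the 2-byte ESP trailer,
    padded up to a multiple of the cipher block size.
    """
    plain = inner_len + ESP_TRAILER
    padded = (plain + block - 1) // block * block
    size = OUTER_IP_HDR + ESP_SPI_SEQ + iv_len + padded + icv_len
    if nat_t:
        size += UDP_NATT
    return size


def max_inner_packet(outer_mtu, **transform):
    """Largest cleartext inner IP packet that still fits in outer_mtu after encapsulation."""
    n = outer_mtu
    while n > 0 and esp_tunnel_packet_size(n, **transform) > outer_mtu:
        n -= 1
    return n


def tcp_mss_for_tunnel(outer_mtu, **transform):
    """MSS to clamp with 'ip tcp adjust-mss' so a full TCP segment never needs fragmenting."""
    return max_inner_packet(outer_mtu, **transform) - INNER_IP_HDR - TCP_HDR


def forwarding_decision(inner_len, df, outer_mtu, **transform):
    """What the encrypting router does with an inner packet, per the reply in the thread:
    forward it, fragment it (DF clear), or drop it and send ICMP 'packet too big' (DF set)."""
    if inner_len <= max_inner_packet(outer_mtu, **transform):
        return "forward"
    return "icmp-too-big" if df else "fragment"


def summarize(outer_mtu, **transform):
    """Overhead, usable inner MTU and MSS for one outer MTU, as a dict."""
    inner = max_inner_packet(outer_mtu, **transform)
    return {
        "outer_mtu": outer_mtu,
        "esp_overhead": esp_tunnel_packet_size(inner, **transform) - inner,
        "inner_mtu": inner,
        "tcp_mss": tcp_mss_for_tunnel(outer_mtu, **transform),
    }


if __name__ == "__main__":
    # 1310 is the 'ip mtu' from the thread; 1500 is the usual Ethernet default.
    for mtu in (1310, 1500):
        print(summarize(mtu))
        print("  with NAT-T:", summarize(mtu, nat_t=True))
    # A full 1500-byte inner packet against the 1310-byte interface:
    print(forwarding_decision(1500, df=True, outer_mtu=1310))    # icmp-too-big
    print(forwarding_decision(1500, df=False, outer_mtu=1310))   # fragment
```

With the assumed transform and the thread's 'ip mtu 1310', the fixed overhead is 58 bytes and the block padding costs a few more, so the largest inner packet is 1246 bytes and the matching MSS is 1206. With DF honoured, a 1500-byte inner packet is dropped with an ICMP "packet too big" so the sender can shrink it; with DF cleared (the configuration described in the question) the router fragments it instead, which is exactly the fragment stream that ends up in the reassembly queue. Swap in your own IV, block and ICV lengths for the transform set actually negotiated.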