IPSec and Fragmentation

JohnTylerPearce
Level 7

I've noticed a router recently with lots of fragmentation issues, pretty much maxing out the 'ip virtual-reassembly' options. On the interface, which is acting as the local peer, we are clearing the DF bit, and the same on the remote peer end.

Currently the 'ip mtu' on the interface is 1310. Now, take an IPSec packet, which has a maximum of a (52) byte header (I believe this is correct), plus a new IP header since it's in tunnel mode, which will be needed for the Source/Destination IP from local peer to remote peer. I'm trying to figure out why all this fragmentation is happening.

If you use the Cisco VPN Client from a machine on this network, we don't see any issues (of course the Cisco VPN Client automatically sets its MTU), which is probably why this is happening.

It looks like we are receiving LOTS of fragmented packets, and this is filling up the 'ip virtual-reassembly' command so to speak. So this leads me to believe that something is fragmenting packets. I just honestly don't know the best way to go about finding where this is coming from, since peer to peer is through the Internet, which obviously I do not have control of.

3 Replies

m.kafka
Level 4

I suggest not to clear the DF-bit, it is needed for end-to-end path mtu discovery.

Also you don't need to set the ip mtu parameter, an ipsec security association (or child sa for IKEv2) will automatically calculate the tunnel mtu and handle ip packets accordingly: fragment packets to the maximum tunnel mtu if DF is cleared or discard the packet and send a "packet too big" icmp to the sending host, allowing it to adjust the path mtu.

Allow ICMP on the complete path and don't clear the DF.

Rgds,

MiKa

PS: I just noticed you set the ip mtu on the "interface, which is acting as the local peer" - this will reduce the MTU of the tunnel itself, not the "tunnel payload". The tunnel payload is now 1310 minus the tunnel overhead.

Typically it's TCP-traffic that is using bigger payloads and needs to be fragmented. One solution to solve that is to use the "ip tcp adjust-mss" command to reduce the MSS to a value that fits into the VPN tunnel.


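The arithmetic behind the reply above (tunnel overhead, what is left for the inner packet, and what 'ip tcp adjust-mss' has to be set to so a full TCP segment never needs fragmenting) worked through as an added example. This is not Cisco code and not from the original thread: it lays out ESP tunnel mode per the RFC 4303 packet format and assumes AES-128-CBC with HMAC-SHA1-96 (16-byte IV, 16-byte cipher block, 12-byte ICV), a common IKEv1 transform set; the function names and the DF handling in `forward()` are illustrative, modelling what the reply describes (fragment when DF is cleared, otherwise drop and signal the MTU back with ICMP "fragmentation needed", type 3 code 4, which is the IPv4 name for what IPv6 calls "packet too big").

```python
# ESP tunnel-mode overhead (RFC 4303 layout) and the resulting TCP MSS clamp.
# Constructed example, not Cisco's implementation; cipher sizes are assumptions.

IPV4_HEADER = 20   # outer IP header that tunnel mode prepends
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_HEADER = 20


def esp_tunnel_overhead(inner_len, iv_len=16, block=16, icv_len=12):
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes.

    Padding brings (inner_len + trailer) up to a multiple of the cipher block
    size, so the overhead depends on the inner length, not just the algorithms.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HEADER + ESP_HEADER + iv_len + pad + ESP_TRAILER + icv_len


def max_esp_overhead(iv_len=16, block=16, icv_len=12):
    """Worst case overhead (full block of padding); 73 bytes for the assumed suite."""
    return IPV4_HEADER + ESP_HEADER + iv_len + (block - 1) + ESP_TRAILER + icv_len


def tunnel_payload_mtu(link_mtu, **kw):
    """Largest inner IP packet whose encrypted form still fits in one outer
    packet of link_mtu bytes. This is the 'tunnel payload' the reply refers to
    when the outer interface MTU is lowered."""
    inner = link_mtu
    while inner + esp_tunnel_overhead(inner, **kw) > link_mtu:
        inner -= 1
    return inner


def adjust_mss_value(link_mtu, **kw):
    """Value to give 'ip tcp adjust-mss' so that a full-size TCP segment plus
    its IP and TCP headers never exceeds the tunnel payload MTU."""
    return tunnel_payload_mtu(link_mtu, **kw) - IPV4_HEADER - TCP_HEADER


def forward(inner_len, df, link_mtu, **kw):
    """Model of what the encrypting router does with one inner packet.

    Returns ("encrypt", outer_packet_count) when the packet goes through,
    possibly as several pre-fragmented pieces when DF is cleared, or
    ("icmp_frag_needed", next_hop_mtu) when DF is set and PMTUD must tell the
    sender to shrink (ICMP type 3 code 4, RFC 1191).
    """
    payload_mtu = tunnel_payload_mtu(link_mtu, **kw)
    if inner_len <= payload_mtu:
        return ("encrypt", 1)
    if df:
        return ("icmp_frag_needed", payload_mtu)
    # DF cleared: pre-fragment before encryption. Fragment payloads must be a
    # multiple of 8 bytes (IP fragment offset unit); each piece is encrypted on
    # its own and reassembled after decryption on the far side.
    frag_payload = (payload_mtu - IPV4_HEADER) // 8 * 8
    pieces = -(-(inner_len - IPV4_HEADER) // frag_payload)
    return ("encrypt", pieces)


if __name__ == "__main__":
    for link in (1500, 1310):  # default Ethernet MTU vs the poster's 'ip mtu 1310'
        print(f"link MTU {link}: tunnel payload MTU {tunnel_payload_mtu(link)}, "
              f"ip tcp adjust-mss {adjust_mss_value(link)}")
    print("1500-byte packet, DF set   :", forward(1500, True, 1500))
    print("1500-byte packet, DF clear :", forward(1500, False, 1500))
```

Running it shows why clearing DF hides rather than fixes the problem: with the outer interface at 1500 the tunnel carries at most 1438 inner bytes, so every full 1500-byte segment that arrives with DF cleared becomes two ESP packets and a reassembly at the far end, whereas with DF set the sender gets one ICMP and thereafter sends packets that fit. Lowering 'ip mtu' to 1310 shrinks the tunnel payload to 1246 and makes that worse, not better; clamping the MSS on the LAN-facing interface is what stops the fragmentation at the source.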

So what I'm getting out of this is....

1) I don't need to manually set the 'ip mtu' parameter, the IPSec will automatically calculate the tunnel mtu and handle ip packets accordingly (IKEv1).

1.1) Fragment packets to the maximum 'tunnel mtu' if DF is cleared

1.2) Or discard the packet and send an ICMP "Packet too big" to the sending host, which will allow that tunnel to adjust the path mtu.
