
New Member

IPSec and ICMP Type 3 (Unreachables)

Does anyone know why ICMP Type 3 (Unreachables) should be permitted for IPSec VPNs?

Thanks!

1 REPLY
Cisco Employee

Re: IPSec and ICMP Type 3 (Unreachables)

Not sure exactly what you're asking here, but I think you're referring to Path MTU Discovery and how it utilises ICMP type 3 code 4 to determine the largest packet that can traverse a specific link. Because IPSec increases the original packet size, it's handy to use this to avoid fragmentation of your original packets. Note that these ICMP types should really be allowed everywhere, not just over IPSec links, as filtering them will stop PMTUD from working at all.

You can read a little about it here:

http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail

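An added illustration of the two points in the reply above (not code from the thread or from Cisco): parsing the next-hop MTU out of an ICMP type 3 code 4 message per RFC 1191, and working out how much of that MTU is left for the original packet once tunnel-mode ESP overhead is added. The ESP sizes (AES-CBC with a 16-byte IV, HMAC-SHA1-96 ICV) are assumptions; the sample ICMP message is constructed inline.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set (PMTUD)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frag_needed(msg: bytes):
    """Return the next-hop MTU carried in bytes 6-7 of a type 3 / code 4
    message (RFC 1191), or None if this is not a valid PMTUD report.
    A receiver that drops such messages black-holes large DF packets."""
    if len(msg) < 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(msg) != 0:   # a valid message checksums to zero
        return None
    return mtu


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Constructed sample: a 'fragmentation needed' message quoting the
    offending packet's IP header plus 8 bytes, as a router would send."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body = hdr + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def max_cleartext_packet(path_mtu: int, iv_len: int = 16, block: int = 16,
                         icv_len: int = 12, outer_ip: int = 20) -> int:
    """Largest original IP packet that still fits path_mtu once wrapped in
    tunnel-mode ESP (assumed: outer IPv4 header, SPI+sequence, CBC IV,
    padding to the cipher block, 2-byte trailer, then the ICV)."""
    fixed = outer_ip + 8 + iv_len + icv_len
    room = path_mtu - fixed          # bytes left for padded packet + trailer
    room -= room % block             # plaintext must round to a block multiple
    return room - 2                  # minus pad-length and next-header bytes


if __name__ == "__main__":
    sample = build_frag_needed(1400, b"\x45" + b"\x00" * 27)
    mtu = parse_frag_needed(sample)
    print("next-hop MTU:", mtu, "-> max original packet:", max_cleartext_packet(mtu))
```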