Cisco Support Community
New Member

IPSec VPN and MTU

Hi,

I am currently experiencing the following problem:

I have a site to site VPN configured that used to work perfectly. Now suddenly I am experiencing that the 1st phase of the VPN process comes up but the second phase does not.

When I issue a "debug crypto ipsec" I get the following feedback (for security reasons I have altered the IP address):

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x4789c6b(75013227) for SA

        from  10.10.197.184 to  10.20.199.114 for prot 3

IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 10.20.199.114, remote= 10.10.197.184,

    local_proxy= 10.11.131.11/255.255.255.255/6/0 (type=1),

    remote_proxy= DOLO_TETE/255.255.255.255/6/7000 (type=1)

IPSEC(key_engine_sa_req): setting timer running retry <2>

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x31782214(829956628) for SA

        from  10.10.197.184 to  10.20.199.114 for prot 3

IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 10.20.199.114, remote= 10.10.197.184,

    local_proxy= 10.11.131.11/255.255.255.255/6/0 (type=1),

    remote_proxy= DOLO_TETE/255.255.255.255/6/7000 (type=1)

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1470> greater than effective mtu 1444

IPSEC(adjust_mtu): decrementing path mtu from 1500 by 0,

  (identity) local= 10.20.199.114, remote= 10.30.72.206,

    local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

    remote_proxy= HQ_Bon/255.255.255.0/0/0 (type=4)

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1470> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1470, eff_mtu = 1188

IPSEC(key_engine): reseting mtu to default

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

IPSEC(ipsec_prepare_encap_request): fragmenting, IP packet <1420> greater than effective mtu 1188

IPSEC(ipsec_prepare_encap_request): ERROR: unable to fragment packet pktsize=1420, eff_mtu = 1188

Note: There are other VPN tunnels on the same device and they are all working OK. The VPN tunnel that is giving problems is between 2 Pix devices; the only thing that changed is that the internet connection at the other site changed from Frame-Relay to Fiber-Optic, but this change was done 2 weeks before I started getting this problem.

Everything seems to indicate that the problem has to do with MTU.

What could be causing the IPSEC(ipsec_prepare_encap_request): ERROR?

Regards,

Screech

2 REPLIES
New Member

Re: IPSec VPN and MTU

Can you try adjusting the MTU to 1440?

New Member

Re: IPSec VPN and MTU

Nomair,

Problem solved. It seems that the reported MTU error did not have anything to do with the 2nd phase of the VPN not coming up. The 2nd phase was not coming up due to a mismatch between the IPSec interesting traffic access-lists (this was discovered in the debug output of the other Pix).

Regards,

Screech
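
The root cause reported in the last reply was a mismatch between the two peers' interesting-traffic access-lists. As an added example (not part of the original thread), the Python script below checks whether the permit entries of two crypto ACLs are exact mirror images of each other. The ACL names and addresses are constructed, and it assumes `name` aliases such as DOLO_TETE have already been replaced by IP addresses.

```python
import ipaddress

# Constructed sample entries in PIX syntax; ACL names and addresses are placeholders.
LOCAL_ACL = """\
access-list VPN_A permit tcp host 10.11.131.11 host 172.16.5.20 eq 7000
access-list VPN_A permit ip 192.168.0.0 255.255.0.0 10.50.1.0 255.255.255.0
"""
PEER_ACL = """\
access-list VPN_B permit tcp host 172.16.5.20 eq 7000 host 10.11.131.11
access-list VPN_B permit ip 10.50.0.0 255.255.0.0 192.168.0.0 255.255.0.0
"""

def endpoint(tok):
    """Consume one address spec and an optional 'eq <port>' from the token list."""
    first = tok.pop(0)
    if first == "host":
        net = ipaddress.ip_network(tok.pop(0) + "/32")
    elif first == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:  # PIX ACLs take a subnet mask, not a wildcard mask
        net = ipaddress.ip_network(f"{first}/{tok.pop(0)}")
    port = None
    if tok[:1] == ["eq"]:
        port = tok[1]
        del tok[:2]
    return net, port

def parse_acl(text):
    """Return the permit entries as a set of (protocol, source, destination)."""
    entries = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 4 and tok[0] == "access-list" and tok[2] == "permit":
            rest = tok[4:]
            entries.add((tok[3], endpoint(rest), endpoint(rest)))
    return entries

def unmatched(local_text, peer_text):
    """Entries on each side that have no exact mirror image on the other."""
    local = parse_acl(local_text)
    mirrored = {(p, dst, src) for p, src, dst in parse_acl(peer_text)}
    return sorted(local - mirrored, key=str), sorted(mirrored - local, key=str)

def fmt(entry):
    proto, (src, sport), (dst, dport) = entry
    port = lambda p: f":{p}" if p else ""
    return f"{proto} {src}{port(sport)} -> {dst}{port(dport)}"

if __name__ == "__main__":
    only_local, only_peer = unmatched(LOCAL_ACL, PEER_ACL)
    for e in only_local:
        print("local entry without mirror on peer:", fmt(e))
    for e in only_peer:
        print("peer entry (mirrored) without match locally:", fmt(e))
```

In the constructed sample the TCP/7000 host entry mirrors correctly, while the subnet entry is reported on both sides because one peer uses a /24 and the other a /16.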
