Cisco Support Community

New Member

IPSEC VPN - black hole router detected

Having some issues with a VPN between two of my locations. Both edge devices are ASAs, and the tunnel is an IPsec tunnel. Both MTUs are set to 1500 on both inside and outside. (The provider's MTU setting request is 1514, and both ASAs will be changed out soon.)

Unfortunately, some Exchange/Kerberos auth issues are causing me a problem in the remote site. I perform the tests that Microsoft recommends, using a ping packet length of 1472 and the do-not-fragment flag (1406 is the largest packet I can push across the VPN). I know part of this is due to the extra overhead that IPsec places on the connection.

I want to refrain from putting the black hole registry workaround on all of the PCs in this remote location.

I've also seen some discussion about manually setting the TCP MSS value down to 1300 on most ASAs. Has anyone else had this resolve an issue?

I'm wondering what else I might be missing.

Any help you can provide would be most appreciated.

  • VPN
Cisco Employee

IPSEC VPN - black hole router detected

IPsec will add overhead to packets when they are traversing the tunnel. With a 1406 MTU through the tunnel you can leave your TCP MSS at the default 1360.

Kerberos, however, needs a registry change to use TCP by default; otherwise it will only fall back to TCP if the response is too big.

At a glance, here's the best way out:

- switching Kerberos to TCP

- lowering MTU of end hosts to 1400

Kerberos is one of the last protocols that uses big UDP packets by default (or at least, one of the last of the popular ones).

It's always been the case that it's better to avoid fragmentation than to deal with it.
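The overhead budget both posts are reasoning about, worked through as an added example (not code from either poster or from Cisco). It models ESP tunnel mode with the standard AES-CBC (16-byte IV, 16-byte block) and HMAC-SHA1-96 (12-byte ICV) sizes, and goes beyond the thread by also showing the NAT-T and 3DES cases; the transform set and NAT-T status of the original tunnel are not stated in the thread, so those are assumptions for comparison.

```python
# Added example: estimate ESP tunnel-mode overhead on an IPsec VPN and derive
# the inner MTU, the largest DF ping payload, and a safe TCP MSS clamp.
# Field sizes are standard ESP values; cipher/NAT-T choices are assumptions.

IPV4_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # present only with NAT-T (UDP/4500) encapsulation
TCP_HDR = 20
ICMP_HDR = 8


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation."""
    # Encrypted region = inner packet + padding + trailer, padded to the
    # cipher block size; then IV in front and ICV behind, outer IP header first.
    plain = inner_len + ESP_TRAILER
    pad = (-plain) % block
    outer = IPV4_HDR + ESP_HDR + iv_len + plain + pad + icv_len
    if nat_t:
        outer += UDP_HDR
    return outer


def max_inner_mtu(outer_mtu=1500, **kw):
    """Largest inner IP packet that still fits the outer link MTU unfragmented."""
    inner = outer_mtu
    while esp_tunnel_size(inner, **kw) > outer_mtu:
        inner -= 1
    return inner


def max_ping_payload(outer_mtu=1500, **kw):
    """Largest `ping -f -l N` payload (Windows -l counts ICMP data only)."""
    return max_inner_mtu(outer_mtu, **kw) - IPV4_HDR - ICMP_HDR


def safe_tcp_mss(inner_mtu):
    """MSS clamp so a full TCP segment never exceeds the tunnel's inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for label, kw in [("AES-CBC/SHA1", {}),
                      ("AES-CBC/SHA1 + NAT-T", {"nat_t": True}),
                      ("3DES/SHA1", {"iv_len": 8, "block": 8})]:
        inner = max_inner_mtu(**kw)
        print(f"{label:24} inner MTU {inner}  ping -l {max_ping_payload(**kw)}"
              f"  safe MSS {safe_tcp_mss(inner)}")
```

The thread's 1406-byte ping result sits between these cases; which one applies depends on the transform set and on whether NAT-T is in use, which the posts do not say.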
