Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

MTU Mismatch btw VPN Peers

hello ,

We have a VPN btw ASA and Cisco 871 .This ispsec tunnel is up and functional , i can ping the Devices from both sides without any issues , but when we use Xterm or any other chatt protocl we get kiccked off at times , so when i ran a Test tunnel from SDM , i get a report "A ping with data size of this interface MTU size and " Do not fragment" bit set to other end VPN devie is failing , this may happen if there is alesser MTU network which drops the Do not fragment packets " .

My suspicion is branch office router 871 , which has only this tunnel where are main office ASA has 13 more similar tunnels that are fully funtional .

Things that i have tried ,

changing MTU to 1200 on the Fast ethernet of (where tunnel is terminated on 871 router)

TCP-adjust to 1200

When i ping from a desktop that is behind ASA to with -f -l , last respons i get is at 1272. But on similar test from behind 871 goes without any issues uptill 1400 + .

Community Member

Re: MTU Mismatch btw VPN Peers

partial configuration from 871

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ****** address x.y.z.w



crypto ipsec transform-set 3des-set esp-3des esp-md5-hmac

crypto ipsec df-bit clear


crypto map vpn 10 ipsec-isakmp

set peer a.b.c.d

set transform-set 3des-set

match address 102

interface FastEthernet3


interface FastEthernet4

ip address x.y.z.x

ip access-group 100 in

ip nat outside

ip inspect SDM_MEDIUM out

ip virtual-reassembly

duplex auto

speed auto

crypto map vpn


interface Vlan1

ip address

ip nat inside

ip virtual-reassembly



Any help will be greatly appreciated !!!!

CreatePlease to create content