Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
ryancisco01
ryancisco01
Community Member
‎07-31-2014 08:21 PM
‎07-31-2014 08:21 PM

MTU on source host breaks connections to remote server

Hi guys, heres my issue:

 

2 different servers at the remote site. Both different applications running on them. (web/rdp + others)

 

Cisco router doing an IPsec p2p tunnel

 

then here at the local side. if my MTU is set lower than 1300 I can connect to both remote hosts via https and rdp.

If my MTU is set to 1500, I cannot connect to either host via any application. I can still ping the hosts and I can still telnet on the open ports.

 

Not sure if its related to the VPN, I have the wireshark captures if it helps. a PC on the remote side can connect fine at any MTU size.

 

http://www.filedropper.com/mtuof1300

http://www.filedropper.com/mtuof1500

Labels:
0 Helpful
Reply
4 REPLIES
Dinesh Moudgil
Dinesh Moudgil Cisco Employee
Cisco Employee
‎08-01-2014 05:22 AM
‎08-01-2014 05:22 AM

Hi Ryan, If the transit path

Hi Ryan,

 

If the transit path is doing fragmentation , then you would surely need to make sure you are using the optimum MTU to pass the traffic across VPN properly.
You can follow this document to find out the optimum MTU which will allow stable communication across VPN tunnel.

 

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.

0 Helpful
Reply
nkarthikeyan
nkarthikeyan Gold
Gold
‎08-01-2014 05:33 AM
‎08-01-2014 05:33 AM

Hi Ryan, Default MTU value

Hi Ryan,

 

Default MTU value set on ASA is 1500.... it can allow the maximum of 1500 bytes per unit...

So it is advised to keep the lesser MTU on the transmission segments..... but here we need to check the devices in that path... it shouldn't change the MTU value in between.....

 

I do see at one capture MTU value from the server is with 1312, where you set 1300...

I do see at another capture with a maximum value of app data with 1286 bytes...

I believe the intermediate device is modifying the packet length and there it is getting dropped....

 

Regards

Karthik

0 Helpful
Reply
ryancisco01
ryancisco01
Community Member
‎08-03-2014 04:51 PM
‎08-03-2014 04:51 PM

do you know an explanation,

do you know an explanation, for this, I see it to most of my devices.

 

from my PC, with an MTU set of 1500 I can ping my default gateway with a max size of 1400. (with df set)

from the default gateway pinging back to the PC I can ping with a size of 1500 with df set.

 

I am seeing this behaviour everywhere, seems the direction of the ping, even on the same path makes a big difference.

0 Helpful
Reply
ryancisco01
ryancisco01
Community Member
‎08-03-2014 03:25 PM
‎08-03-2014 03:25 PM

Hi i think the file host has

Hi i think the file host has died, so here are new links with captures:

 

http://kdn.co.nz/ftpaccess/mtuof1500.pcapng

http://kdn.co.nz/ftpaccess/mtuof1300.pcapng

 

I have done some MTU tracing, all interfaces are running at 1500. However I do get some strange results with df pings getting dropped well below 1300 at certain points. What could be the cause of this? I don't understand how a smaller MTU would work where a larger one fails. what sort of device might muck around with packet sizes?

0 Helpful
Reply
Latest Documents
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
Firepower Threat Defense (NGFWv) on UCS E-Series blade on ISR 4K - Routed Mode in HA
Created by Kureli Sankar on 11-12-2017 09:26 PM
0
5
0
5
Documentation UCS E-Series Configuration Guide: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide.html Cisco UCS E-Series Getting Started Guide: https://www.cisco.com/c/en/us/td/docs/unified_computing/... view more
All Documents
228
Views
0
Helpful
4
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs