Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

mtu & packet size for ssh & https through vpn


I've been noticing problems with dropped packets in secure protocols through our site-to-site vpns since migrating the central site over from a pix to an isr.  It looks as though packets for protocols such as ssh / https could not be fragmented before transmission down the tunnel and were already too big to accomodate the tunnel overheads within the router interface mtu of 1500.

Could this be the case?

Dropping the mtu to 1400 for the machine initiating the ssh connection at the remote site seems to have solved the problem, but I am wondering why this has only started with the ISR?

I am also seeing very slow throughput in one vpn link from the ISR to an 831 router at a remote site where both routers have an mtu of 1500.  Again this is just since the pix was swapped with the ISR.  I've dropped encryption down to basic des / md5 and I've cleared a lot of old unused lines out of the acls which has doubled the throughput to ~ 500Kbps, but this is still not the performance we were seeing previously.  The processor on the 831 is also getting hammered and is generally ~ 72% when the throughput is 500Kbps (onboard hardware encryption enabled).  There also may be a bug in the IOS version on the 831 as the ip mtu nnnn & ip tcp adjust-mss nnnn can be entered but don't stick for eth0.

Sorry about the length of this post and the number of questions, but would appreciate any comments.


New Member

Re: mtu & packet size for ssh & https through vpn


It looks like you've answered most of your own questions and a review of your code versions and the capability of the devices onsite may need to be reviewed in terms of requirements and throughput. You identify that the key difference is the ISR and the fix was to set the mtu on the host machine. In an effort to understand what your seeing sent and what's received then I'd recommend that you look to implementing a wire trace if viable at each end. Smells of tcp auto-tuning but that would be shooting from the hip.


Sent from Cisco Technical Support iPad App