PIX: VPN-Tunnel across small MTU link

grischast
Level 1

Dear all

I have a problem with a customer who is not able to send traffic through his VPN tunnels when a link with reduced MTU is involved.

Normally everything works fine when the connection

LAN<--->PIX<--->R1<--->Internet

with MTU 1500 on all links is used.

But in case of failure of this connection we use another way automatically:

LAN<--->PIX<--->R2<--(mtu 1460)-->Internet

And in this case the VPN tunnels come up, but the applications face problems, of course.

The PIX 506 runs version 6.3(5) and handles static site-to-site VPN sessions to different kinds of VPN equipment.

My questions:

1. Is it possible to solve this problem entirely with proper configuration of the PIX alone?

2. If so, how exactly is one supposed to configure the PIX?

3. If not, what exactly is best practice to deal with this and make the tunnels work?

My customer already knows, e.g.,

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml

and has tried a lot of things, including reducing the MTU on the computer in the LAN itself.

Any hint is really appreciated.

Regards,

Grischa

1 Reply

Ivan Martinon
Level 7

Hi Grischa,

Try setting the MSS to a lower value on both sides of the tunnel. On your PIX you would use "sysopt connection tcpmss XXXX"; I usually use 1300, but in your case you might need to set it lower. On your router, if any, you need to use "ip tcp adjust-mss XXXX". It will also help to enable fragmentation for the tunnel, which on the PIX is supposed to be enabled by default, and if a router is a VPN headend you would need to set "crypto ipsec df-bit clear".
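To show why a clamped MSS like 1300 works on the 1460-byte path and what the actual ceiling is, here is an added worked calculation that is not part of the thread or of any Cisco documentation. It assumes plain ESP in tunnel mode (no GRE), a CBC cipher whose IV length equals its block size, a 12-byte truncated HMAC ICV (HMAC-SHA1-96 or HMAC-MD5-96), 20-byte IPv4 and TCP headers without options, and optional NAT-T UDP encapsulation; the suite names and the two sample suites are my own labels. The functions compute the on-the-wire size of an encrypted full-size segment and the largest MSS that still fits a given path MTU without fragmentation.

```python
from dataclasses import dataclass
from math import ceil

# Fixed IPv4/TCP/ESP field sizes (assumed: no IP or TCP options, ESPv2 per RFC 4303).
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), before the ICV
NAT_T_UDP = 8     # UDP header added when NAT traversal is negotiated


@dataclass(frozen=True)
class EspSuite:
    """ESP transform parameters (illustrative labels, not Cisco transform-set names)."""
    name: str
    block: int   # cipher block size: IV length and padding unit in CBC mode
    icv: int     # truncated HMAC length; 12 for HMAC-SHA1-96 and HMAC-MD5-96


AES_CBC_SHA1 = EspSuite("aes-cbc/hmac-sha1-96", block=16, icv=12)
DES3_CBC_SHA1 = EspSuite("3des-cbc/hmac-sha1-96", block=8, icv=12)


def _fixed_overhead(suite: EspSuite, nat_t: bool) -> int:
    """Bytes outside the encrypted region: outer IP, optional UDP, ESP header, IV, ICV."""
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + suite.block + suite.icv


def esp_packet_size(mss: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Bytes on the wire for one full-size TCP segment carried in ESP tunnel mode."""
    inner = IPV4_HDR + TCP_HDR + mss                      # the packet being encrypted
    padded = ceil((inner + ESP_TRAILER) / suite.block) * suite.block
    return _fixed_overhead(suite, nat_t) + padded


def max_mss(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest MSS whose encrypted packet still fits path_mtu without fragmentation."""
    room = path_mtu - _fixed_overhead(suite, nat_t)
    room = room // suite.block * suite.block              # CBC padding forces a block multiple
    return room - ESP_TRAILER - IPV4_HDR - TCP_HDR


def fits(mss: int, path_mtu: int, suite: EspSuite, nat_t: bool = False) -> bool:
    """True if a segment with this MSS survives the path without ESP fragmentation."""
    return esp_packet_size(mss, suite, nat_t) <= path_mtu


if __name__ == "__main__":
    # The two paths from the question: the normal 1500-byte link and the 1460-byte backup.
    for mtu in (1500, 1460):
        for suite in (AES_CBC_SHA1, DES3_CBC_SHA1):
            for nat_t in (False, True):
                m = max_mss(mtu, suite, nat_t)
                print(f"MTU {mtu} {suite.name:22} nat-t={nat_t!s:5} "
                      f"max MSS {m}, packet {esp_packet_size(m, suite, nat_t)} bytes")
    print("tcpmss 1300 on the 1460 path fits:", fits(1300, 1460, AES_CBC_SHA1, nat_t=True))
```

Running it shows that on the 1460-byte path an AES-CBC/SHA-1 tunnel can carry an MSS of up to 1350 (1366 with 3DES), so a clamp of 1300 leaves margin for NAT-T or any extra encapsulation that the calculation does not model; one byte above the ceiling pushes the ESP packet a full cipher block over the MTU, which is exactly the fragmentation the df-bit handling in the reply is meant to cope with.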
