Solved: Test MTU Size Over IPSEC Tunnel

jtmullis82 · ‎08-17-2010

How can I test the MTU size going over a IPSEC tunnel from a ASA 5520 to a ASA 5510? I am having concerns that the issues with my equipment are due to insufficient MTU size.

manish arora · ‎08-17-2010

You can use extended ping to see the size of packet that you can send over the tunnel with DF bit

set do not fragment. for ex :-

if you have two windows machines , one on each side of the vpn with ip add 10.2.2.10 and 10.3.3.10.

ping from 10.2.2.10 using :-

ping 10.3.3.10

reply success

ping 10.3.3.10 -l 1500 -f { where -l 1500 sets the MTU to 1500 and -f says do not fragment }

packet needs to be fragmentated but df set

ping 10.3.3.10 -l 1300 -f

packets needs fragmentation but df set

ping 10.3.3.10 -l 1270 -f

reply success

thanks

manish

View solution in original post

manish arora · ‎08-17-2010

You can use extended ping to see the size of packet that you can send over the tunnel with DF bit

set do not fragment. for ex :-

if you have two windows machines , one on each side of the vpn with ip add 10.2.2.10 and 10.3.3.10.

ping from 10.2.2.10 using :-

ping 10.3.3.10

reply success

ping 10.3.3.10 -l 1500 -f { where -l 1500 sets the MTU to 1500 and -f says do not fragment }

packet needs to be fragmentated but df set

ping 10.3.3.10 -l 1300 -f

packets needs fragmentation but df set

ping 10.3.3.10 -l 1270 -f

reply success

thanks

manish