Cisco Support Community

New Member

udp packet size without pmtud

In an environment where I cannot guarantee that PMTUD works (firewalls blocking all ICMP, etc.), how can I make sure large UDP packets like SNMP replies go through IPsec, GRE and encrypted GRE tunnels?

ovt Bronze

Re: udp packet size without pmtud

1. Clear the DF bit on the original packets, so they'll be fragmented:

    route-map clear-df permit 10
     match ip address 101
     set ip df 0

    interface fa0/0    ! LAN - ingress intf
     ip policy route-map clear-df

This should work for all scenarios. IPsec copies the DF bit from the original packet to the outer IP header; GRE doesn't, it sets it to 0 by default.

2. Clear the DF on the original packet, then fragment and ESP-encapsulate it. Then copy the DF bit to the new IP header (it will be 0). Should work for pure IPsec:

    interface serial 0/0    ! IPsec intf
     crypto ipsec df-bit clear

3. Use this:

    int tunnel 0
     ip mtu 1400

Should work for IPsec+GRE. The original packet will be fragmented (if it has DF=0), then GRE-encapsulated (DF set to 0), then IPsec-encapsulated (DF copied = 0). If the original packet has DF=1, clear it as above.

4. Lower the MTU on the client, like Cisco VPN client does.
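As an added illustration that is not part of the thread, here is a small Python model of the DF-bit and MTU arithmetic behind options 1 to 3: the route-map clears DF, GRE forces DF=0, ESP copies DF unless `crypto ipsec df-bit clear` is set, and `ip mtu 1400` on the tunnel fragments before encapsulation so the encrypted packet still fits a 1500-byte link. The ESP overhead figures (8-byte SPI+sequence, 16-byte IV, 16-byte padding, 12-byte ICV) are assumed for illustration, not taken from the thread.

```python
from dataclasses import dataclass

IP_HDR, UDP_HDR, GRE_HDR = 20, 8, 4   # IPv4 (no options), UDP, basic GRE header
# Assumed ESP overhead: SPI+seq 8, IV 16, pad-len+next-hdr 2 inside a 16-byte
# padded payload, ICV 12 (roughly AES-CBC with HMAC-SHA1-96).
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_BLOCK, ESP_ICV = 8, 16, 2, 16, 12

@dataclass
class Packet:
    size: int   # total IPv4 length in bytes
    df: bool    # Don't Fragment bit

def ip_fragments(pkt, mtu):
    """Fragment pkt to fit mtu (payload chunks are 8-byte aligned, as in IPv4)."""
    if pkt.size <= mtu:
        return [pkt]
    if pkt.df:  # no PMTUD possible (ICMP blocked), so the packet is simply lost
        raise ValueError(f"{pkt.size}-byte packet with DF=1 dropped at MTU {mtu}")
    chunk, left, out = (mtu - IP_HDR) // 8 * 8, pkt.size - IP_HDR, []
    while left > 0:
        out.append(Packet(IP_HDR + min(chunk, left), False))
        left -= chunk
    return out

def gre_encap(pkt):
    return Packet(pkt.size + IP_HDR + GRE_HDR, df=False)   # GRE sets DF=0

def esp_encap(pkt, df_bit_clear=False):
    padded = -(-(pkt.size + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    outer_df = False if df_bit_clear else pkt.df   # IPsec copies DF by default
    return Packet(IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV, outer_df)

def max_pre_encrypt_size(link_mtu):
    """Largest clear-text packet whose ESP encapsulation still fits link_mtu."""
    return max(s for s in range(IP_HDR, link_mtu + 1)
               if esp_encap(Packet(s, False)).size <= link_mtu)

def send(udp_payload, orig_df=True, route_map_clear_df=False, use_gre=True,
         tunnel_mtu=1400, crypto_df_clear=False, link_mtu=1500):
    """Return the sizes of the packets that leave the WAN link, or raise if dropped."""
    orig = Packet(IP_HDR + UDP_HDR + udp_payload, orig_df and not route_map_clear_df)
    if crypto_df_clear:   # option 2: DF cleared before look-ahead fragmentation
        orig.df = False
    if use_gre:           # option 3: "ip mtu 1400" fragments before GRE encapsulation
        inner = [gre_encap(f) for f in ip_fragments(orig, tunnel_mtu)]
    else:                 # pure IPsec: pre-encryption fragmentation to fit the link
        inner = ip_fragments(orig, max_pre_encrypt_size(link_mtu))
    # anything still too big is fragmented after encryption (or dropped if DF=1)
    return [q.size for p in inner
            for q in ip_fragments(esp_encap(p, crypto_df_clear), link_mtu)]
```

With the tunnel at `ip mtu 1400` a 2000-byte SNMP reply leaves as two encrypted packets of 1480 and 744 bytes; with a 1500-byte tunnel MTU the first encrypted packet grows past the link MTU and is fragmented again after encryption, which is the post-encryption fragmentation the follow-up post wants to avoid.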


New Member

Re: udp packet size without pmtud

Thanks for your reply. I already did more or less what you proposed, only I configured the "fragment-befor" option just to make sure the original payload is fragmented, and not the IPsec encapsulated packet. Seems to be a default value, though, as it doesn't turn up in the config.

My concern is to avoid fragmentation completely so as not to reduce my IPsec throughput (hardware instead of CPU processing), but due to the UDP protocol features it seems I cannot avoid it completely.

Thanks a lot for your support.