I have a Cisco 877 at a remote site connected to an ASA over an IPSec VPN (AES-256/sha/pre-shared key) and have just used the "test vpn connection" option on the SDM of a Cisco 877.
It says the tunnel is fine but recommends I add the "crypto ipsec df-bit clear" command, however I did add it to the dialer 1 interface of the 877 and ran the test again, but it still says I need to add it.
What interface is this or do I need to add it to the ASA somewhere instead?
I haven't used SDM and hence can't comment on which interface it wants you to clear the df-bit on, but the dialer interface sounds logical to me. You can configure the 'crypto ipsec df-bit clear' command in global configuration mode, which would apply this setting to all interfaces, and then try the test.
Just added it to the global config on the Cisco 877 and it still says I need to add it. Could it be the ASA side?
You can try adding the command to the ASA. Are you having problems sending data through the L2L VPN tunnel? I have found the 'ip tcp adjust-mss 1440' command to be very helpful in addressing MTU problems over IPSEC connections. Configure this command under the LAN-facing interface on the 877 and check your connection between the hosts on the LAN instead of using the SDM to test.
It all seems to be fine, but the SDM recommends this after doing a test of the tunnel.
Should I add that to the global config of the ASA?
I've added 'ip tcp adjust-mss 1440' to the VLAN 1 of the 877.
When I do, it asks what interface:
ASA5520(config)# crypto ipsec df-bit clear ?
configure mode commands/options:
Current available interface(s):
DMZ1 Name of interface GigabitEthernet0/2.6
inside Name of interface GigabitEthernet0/1
management Name of interface Management0/0
outside Name of interface GigabitEthernet0/0
Would it just be the outside?
I wouldn't worry about it, especially since your VPN tunnel seems to be up and passing traffic and users aren't having any problems.