I am having poor performance through an IPSec VPN between two Cisco ASA 5505s. In researching, I found some discussion about setting the MTU for the VPN. So from one side of the VPN tunnel, I tried pinging a host on the other side specifying the Don't Fragment flag and testing different packet sizes. I found that a size of 1398 is the largest packet size that results in a successful ping.
So, I also understand that I should be able to set the MTU to 1426 (1398 + 28 bytes for the IP and ICMP headers). What I'm not 100% clear on is where I need to set this. Do I set the MTU for the outside interface of the ASA that the VPN tunnel is going through, or do I also need to set the MTU for the inside interface, or on the outside interface and the switch port that the interface is connected to (the switch port is set to an MTU of 1500 as well)?
My thoughts are that only the outside interface of each ASA needs the lower MTU (currently set at the default of 1500). Could someone give me some guidance on this?
This is because IPsec adds additional headers to the original packets. If ping is allowed and you examine such performance, I would recommend decreasing the MTU size of the outside ASA interface to at least 1392. This attribute is not arbitrary; following is the breakdown of the additional headers:
1. ESP header: 56 bytes
2. AH: 24 bytes
3. NAT-T (IPsec over UDP): 8 bytes
4. IP header: 20 bytes
Total = 108
1500 (default MTU) - 108 = 1392
Note that if you are using IPsec over TCP, you should subtract 20 bytes instead of 8, so the MTU size would be 1380, and this is the optimal size.
You can change the MTU size of the ASA outside interface by issuing the following command in config mode:
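The DF-bit ping sweep the question describes can be automated instead of trying sizes by hand. The script below is an added example and is not code from either post: it binary-searches the largest ICMP payload that crosses the path with Don't Fragment set, then adds the 20-byte IPv4 and 8-byte ICMP headers to report the path MTU. It assumes Linux iputils ping syntax (`-M do` sets DF, `-s` sets the payload size); the `simulated_probe` link model is constructed here so the search can be exercised offline and is not a measurement from the thread.

```python
"""Path-MTU probe with the Don't-Fragment bit.

Binary-searches the largest ICMP payload that gets a reply with DF set and
converts it to the path MTU (payload + IPv4 header + ICMP header). Pass a
host on the command line to probe a real path; with no argument it runs
against a constructed link model with a 1426-byte path MTU.
"""
import subprocess
import sys
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header
DEFAULT_MAX_PAYLOAD = 1500 - IP_HDR - ICMP_HDR   # 1472: largest payload on a 1500 MTU link


def linux_ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one DF-set ping carrying `payload` data bytes; True if a reply came back.

    Assumes Linux iputils ping: -M do sets the DF bit, -s sets the data size,
    -W is the per-reply timeout in seconds. A "message too long" or timeout
    both surface as a non-zero exit status, which we treat as "did not fit".
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 0,
                     hi: int = DEFAULT_MAX_PAYLOAD) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds.

    Relies on the path having a single fixed MTU: if size N fails, every larger
    size fails too, so a binary search is valid. Fails loudly if even the
    smallest probe gets no reply, which means the host is unreachable or ICMP
    is filtered rather than an MTU problem.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe got no reply; check reachability or ICMP filtering")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, so the answer is at least mid
        else:
            hi = mid - 1      # mid does not fit, so the answer is below mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Interface MTU implied by the largest DF payload that got through."""
    return payload + IP_HDR + ICMP_HDR


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real link (not a measurement from the thread).

    A DF-set packet is delivered only if its total IPv4 size does not exceed
    the path MTU; anything larger is dropped, as a real router would do.
    """
    return lambda payload: payload + IP_HDR + ICMP_HDR <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        probe = lambda n: linux_ping_probe(target, n)
    else:
        probe = simulated_probe(1426)   # constructed link matching the question's numbers
    best = find_max_payload(probe)
    print(f"largest DF payload: {best} bytes -> path MTU {path_mtu_from_payload(best)}")
```

Run it with a host on the far side of the tunnel as the argument to measure a real path; run it with no argument to see the search converge on a 1398-byte payload and a 1426-byte MTU for the constructed link. Because the search assumes a single fixed bottleneck, probe from both ends of the tunnel: an asymmetric path can have a different limit in each direction.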