
Weird MTU issue

trey.thompson
Level 1

We're having a somewhat strange issue with MTU. We have a 50Mbps ethernet handoff from our provider (which, apparently, comes off of a fiber ring) which terminates directly on our ASA 5510. Speed and duplex are set to 100/full on both sides. The MTU for the outside interface is set to 1500 and our provider reports that the MTU on their router is set to 2450. From a consumer-class DSL connection at my home, I show the path MTU to the provider's router as 1500, which is expected. However, the path MTU to my ASA drops to 1020, which, theoretically, is only one hop back from the ISP's router. From inside the LAN behind the ASA, the path MTU to any site on the Internet is 1020, but the path MTU to anywhere on my LAN is 1500. We have noticed some latency to Internet sites which makes me wonder about packet fragmentation. Also, we have been testing a video conference unit that streams HD video using UDP packets and we are seeing a lot of loss. I'm wondering if the MTU change is part of the equation with the streaming as well. Any thoughts or places to check would be very much appreciated. Thanks!

17 Replies

Leo,

ICMP is already allowed in my case... I can ping the outside interface with packet sizes up to 1020 bytes. Above a 1020-byte packet size it doesn't answer anymore.

Thanks

Fernando

Hi Fernando,

This is presumably an Internet connection?

Are both sides of the VPN connected to the same ISP? If yes, then please contact them.

Otherwise, try to establish the path using tools like ping and tracert, and determine where the traffic is dropped.

This is most likely not on the ASAs. The resolution method is already described in this thread.

Be sure to test properly and verify your results via several methods.

You will not be the first one to be tricked by a tool which is misinterpreted or simply provides incorrect information.

regards,

Leo
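
The hop-by-hop test suggested above, as an added example that is not part of the original thread: it binary-searches the largest don't-fragment ping each hop answers and converts the ping payload size to the IP packet size (ping sizes exclude the 28 bytes of IPv4 and ICMP headers, a common source of misread results). The function names, the documentation-range addresses and the simulated limits are constructed; `linux_df_probe` assumes Linux iputils `ping`.

```python
import subprocess

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def linux_df_probe(host):
    """Return probe(payload) that sends one DF-set echo (assumes iputils ping)."""
    def probe(payload):
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def largest_payload(probe, low=0, high=1472):
    """Binary-search the largest ICMP payload answered with DF set.
    Returns None when even `low` bytes gets no reply (ICMP filtered, host down)."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid       # mid passed: the limit is at or above mid
        else:
            high = mid - 1  # mid dropped: the limit is below mid
    return low

def locate_drop(hops, make_probe):
    """Probe each hop in path order and return (hop, payload, ip_packet_size).
    The first hop whose size falls below its predecessor's sits behind the
    constrained link."""
    results = []
    for hop in hops:
        payload = largest_payload(make_probe(hop))
        size = None if payload is None else payload + IPV4_ICMP_OVERHEAD
        results.append((hop, payload, size))
    return results

# Constructed path for an offline run: the last hop is reached over a link
# that passes at most 1020-byte IP packets.
SIMULATED_LIMIT = {"192.0.2.1": 1500, "198.51.100.1": 1500, "203.0.113.10": 1020}

def simulated_probe(host):
    return lambda payload: payload + IPV4_ICMP_OVERHEAD <= SIMULATED_LIMIT[host]

if __name__ == "__main__":
    for hop, payload, size in locate_drop(SIMULATED_LIMIT, simulated_probe):
        print(f"{hop}: max payload {payload}, IP packet {size}")
```

Against a real path, pass the hop list from a traceroute and `linux_df_probe` in place of `simulated_probe`; a `None` result means the hop does not answer ICMP at all, which is not evidence of an MTU limit.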

Hi Leo,

I guess my description was not accurate... It is a connection between two sites using a service provider. The connection is done at layer 2 (the SP uses some optical P2P link). When I ping the neighbor firewall with packets bigger than 1020 bytes they are not answered. I also thought it could be some problem in the optical link (as I don't know what lies there in the middle), but then I checked the interface counters on the receiving FW, and noticed that the drop counters increase with my long pings... so either the optical equipment introduces some error on packets bigger than 1020 bytes or the interface doesn't like the size. What do you think? When I saw this thread, I started blaming the FW.

Br,

Fernando
