Velocity Reviews - Computer Hardware Reviews

Best MTU value for our VPN tunnel

 
 
bensonlei@yahoo.com.hk
      10-12-2005
Hi, all

I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS =
V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)).

What is the MTU value for them ?

Do I set also the ISP Router for the same value of these PIXes ?

Thank you
Benson

 
Christoph Gartmann
      10-12-2005
In article < .com>, writes:
>Hi, all
>
>I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS =
>V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)).
>
>What is the MTU value for them ?
>
>Do I set also the ISP Router for the same value of these PIXes ?


The default MTU size for standard ethernet interfaces is usually 1500. So
usually there is no need to worry about that. For better performance,
especially if you have traffic that uses large packets, it might be useful to
increase the MTU size. But this does only help if all network components along
the way have the same or a larger MTU size, otherwise the packet will be
fragmented somewhere along the way.

Now as to VPN: an IP packet with a size of 1500 that is encoded in a VPN packet
results in a somewhat larger packet size, e.g. 1625 or so. This will then result
in fragmentation which in turn causes trouble when decoding the packet. But the
Pixen should take care of that if they are the endpoints of the tunnel.

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
 
Walter Roberson
      10-12-2005
In article < .com>,
<> wrote:
:I have set up a VPN tunnel with two PIXes; one is ( PIX515E, IOS =
:V6.3(3) ) and the other partner ( PIX506E, IOS = V6.3 (4)).

:What is the MTU value for them ?

See the 'sysopt connection tcpmss' option. It works in conjunction
with the MTU: the MTU sets the maximum size of the *encapsulating*
packets, and tcpmss effectively sets the maximum amount of TCP data that
the PIX will try to pack into one encapsulating packet -- with the
remainder of the room then available for the encryption and
authentication headers and encapsulation layering.

:Do I set also the ISP Router for the same value of these PIXes ?

The ISP router should be the same MTU as the PIX.

Note: if you happen to be using PPPoE on the outside interface
of your router, reduce both MTUs by 8 bytes to allow for the PPPoE
overhead.
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001
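
The relationship described above between the interface MTU, the encapsulation overhead and the TCP MSS can be worked through numerically. The following Python sketch is an added example, not part of any post in this thread; it assumes ESP in tunnel mode over IPv4 with a CBC cipher and a 96-bit HMAC, and the function names and cipher parameters are illustrative.

```python
# Added example: ESP tunnel-mode sizing. Header sizes are standard; the cipher
# parameters (block, iv, icv) are assumptions, not values from the thread.
IPV4_HDR = 20     # IPv4 header without options (outer and inner)
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte
NAT_T_UDP = 8     # UDP header added when NAT traversal is in use
PPPOE = 8         # PPPoE overhead, as noted in the thread


def _fixed_overhead(iv, icv, nat_t):
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + icv


def esp_packet_size(inner_len, block=8, iv=8, icv=12, nat_t=False):
    """Outer packet size for an inner IP packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block
    return _fixed_overhead(iv, icv, nat_t) + padded


def max_inner_packet(link_mtu, block=8, iv=8, icv=12, nat_t=False):
    """Largest inner IP packet whose ESP encapsulation fits link_mtu."""
    room = link_mtu - _fixed_overhead(iv, icv, nat_t)
    return (room // block) * block - ESP_TRAILER


def max_tcp_mss(link_mtu, **cipher):
    """Largest TCP payload per segment that avoids fragmenting the tunnel packet."""
    return max_inner_packet(link_mtu, **cipher) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    cases = [
        ("Ethernet, 8-byte block", 1500, dict(block=8, iv=8)),
        ("PPPoE, 8-byte block", 1500 - PPPOE, dict(block=8, iv=8)),
        ("Ethernet, 16-byte block", 1500, dict(block=16, iv=16)),
        ("Ethernet, 8-byte block, NAT-T", 1500, dict(block=8, iv=8, nat_t=True)),
    ]
    for name, mtu, cipher in cases:
        print(f"{name:32} mtu={mtu} inner<={max_inner_packet(mtu, **cipher)} "
              f"mss<={max_tcp_mss(mtu, **cipher)}")
    print("1500-byte inner packet becomes", esp_packet_size(1500), "bytes")
```

An 8-byte block and IV correspond to DES or 3DES in CBC mode, a 16-byte block and IV to AES in CBC mode, and a 12-byte ICV to HMAC-MD5-96 or HMAC-SHA1-96.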
 