Fragmentation issues with site-to-site VPN

Discussion in 'Cisco' started by Dan24, Jul 2, 2009.

  1. Dan24

    Dan24 Guest

    Hi,

    I'm trying to set up a tunnel between a Checkpoint Safe@Office 500
    device and a Cisco 837 router. I've used SDM to set up the tunnel and
    everything seemed to work and ping shows that the connection is
    stable. But I then noticed the connection is very slow and several
    services complained of connection failures. Running the test in SDM, I
    get the following output:
    "A ping with data size of this VPN interface MTU size and 'Do not
    Fragment' bit set to the other end VPN device is failing. This may
    happen if there is a lesser MTU network which drops the 'Do not
    fragment' packets."
    SDM also suggests I can use crypto ipsec df-bit clear to resolve this.
    I tried lowering the MTU on the Cisco (issued ip mtu 1400 on the
    Dialer0 interface) and also tried lowering the MTU on the Checkpoint
    device, but still no success.

    Although I'm a software developer, I'm not very familiar with the CLI,
    so please don't be brief if you suggest making any changes on the
    Cisco ;)
    Here's the current config:
    http://pastebin.com/m6785596

    Thanks in advance,

    Dan
     
    Dan24, Jul 2, 2009
    #1

  2. Thrill5

    Thrill5 Guest

    MTU issues on tunnels can be tricky to diagnose, but you have already gotten
    past this hurdle. The problem is that the MTU on a TCP connection is
    negotiated between the end-points of the connection and is usually 1500 bytes
    (the MTU of an Ethernet network) without any regard for the MTU along the
    path. If the MTU of a path in the middle of the connection is less than
    this, then packets are dropped if the DF bit (do-not-fragment bit) is set.
    The end-points can figure out that the MTU of the path in the middle is lower
    than that of the end-points using path MTU discovery, but this needs to be
    supported (or enabled) on the end-points. A tunnel puts an IP packet within
    an IP packet, so the MTU of the inner packet is 20 bytes smaller than the MTU
    of the outer packet. Lowering the MTU on the interface doesn't fix the
    problem. Enabling "df-bit clear" will fix the problem because it will
    fragment the packets even if the do-not-fragment bit is set.

     
    Thrill5, Jul 6, 2009
    #2
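Worked example (added to this thread, not posted by either participant): the arithmetic behind the reply above, in Python. It assumes an IPsec ESP tunnel-mode SA over IPv4 using AES-128-CBC with HMAC-SHA1-96, which the thread never states, and models the encapsulation overhead per RFC 4303 (outer IP header, ESP header, IV, padding, trailer, ICV, plus 8 bytes of UDP when NAT-T is in use) rather than only the bare 20-byte IP header. It computes the largest inner packet that still fits in a 1500-byte outer MTU, the TCP MSS to clamp to so that TCP never produces a bigger one, and what a ping sweep with the DF bit set (the check SDM runs) sees with and without the DF bit cleared. All packet sizes are constructed inputs.

```python
"""IPsec ESP tunnel overhead, inner MTU and DF-bit probe simulation.

Added example, not from the original thread. Assumes ESP tunnel mode over
IPv4 with AES-128-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV);
other ciphers are handled by passing different block/iv/icv sizes.
"""

IPV4_HDR = 20
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
UDP_HDR = 8         # only present with NAT-T (UDP/4500) encapsulation
TCP_HDR = 20


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    # Inner packet + trailer is padded up to the cipher block size (RFC 4303).
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % block
    size = IPV4_HDR + ESP_HDR + iv_len + payload + pad + icv_len
    if nat_t:
        size += UDP_HDR
    return size


def max_inner_mtu(outer_mtu, **cipher):
    """Largest inner packet whose ESP encapsulation fits in outer_mtu.

    esp_tunnel_size is non-decreasing in inner_len, so a binary search
    over the inner length finds the boundary exactly.
    """
    lo, hi = 0, outer_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if esp_tunnel_size(mid, **cipher) <= outer_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_for(inner_mtu):
    """TCP MSS to advertise so a full segment fits the inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def fragment_count(total_len, mtu):
    """IPv4 fragments needed to carry a total_len-byte packet over an mtu link."""
    payload = total_len - IPV4_HDR
    per_frag = (mtu - IPV4_HDR) // 8 * 8   # fragment offsets are 8-byte units
    return -(-payload // per_frag)          # ceiling division


def df_probe(inner_len, path_mtu, df_clear=False, **cipher):
    """Simulate one ping through the tunnel with DF set on the inner packet.

    Returns (delivered, fragments_on_wire). With the DF bit copied to the
    outer header (the default behaviour the reply describes), an oversize
    ESP packet is dropped; with DF cleared the outer packet is fragmented
    and the peer gateway reassembles it before decrypting.
    """
    wire = esp_tunnel_size(inner_len, **cipher)
    if wire <= path_mtu:
        return True, 1
    if not df_clear:
        return False, 0
    return True, fragment_count(wire, path_mtu)


def probe_inner_mtu(path_mtu, lo=576, hi=1500, **cipher):
    """What a DF-set ping sweep discovers as the usable inner MTU.

    Binary search between lo and hi on df_probe; returns None if even the
    smallest probe is dropped.
    """
    if not df_probe(lo, path_mtu, **cipher)[0]:
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if df_probe(mid, path_mtu, **cipher)[0]:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for nat_t in (False, True):
        inner = max_inner_mtu(1500, nat_t=nat_t)
        print(f"NAT-T={nat_t!s:5}  inner MTU {inner}  "
              f"wire {esp_tunnel_size(inner, nat_t=nat_t)}  "
              f"clamp MSS to {tcp_mss_for(inner)}")
    print("1500-byte inner ping, DF set   :", df_probe(1500, 1500))
    print("1500-byte inner ping, DF clear :", df_probe(1500, 1500, df_clear=True))
    print("DF sweep finds inner MTU       :", probe_inner_mtu(1500))
```

Run it as a script for a small table; with the assumed cipher a 1500-byte outer MTU leaves 1438 bytes for the inner packet (1422 with NAT-T), so a 1500-byte inner packet never fits, which is exactly the ping SDM reports as failing. The IOS knobs that correspond to the two branches of df_probe are `crypto ipsec df-bit clear` (global or per interface), which turns the oversize ESP packet into outer-IP fragments that the Checkpoint has to reassemble before it can decrypt them, and `ip tcp adjust-mss` on the LAN-facing interface with the MSS value the example computes, which stops TCP flows from producing an oversize packet in the first place. The usual caveats apply: clearing DF hides the problem from the end hosts rather than fixing it, reassembly costs the receiving gateway CPU, and any filter between the two gateways that drops non-initial fragments will break the tunnel for precisely the large-packet flows that were slow to begin with.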
