Re: ipsec over isdn

From: Ed Hood (ed@thehoods.cc)
Date: Fri Apr 04 2003 - 00:51:30 GMT-3


Make sure you are setting the IP MTU and not the interface MTU size. This
may or may not fix your problem, depending on what the cause is, but I
would start here. I believe (you may want to look this up) it should be
1460, unless you are running GRE over the ISDN tunnel, in which case it
should be 1400. You may experience slow performance at first when accessing
the server, until the TCP session adjusts the MSS size down when ICMP
"too big" packets are sent back to the server (assuming it is setting the
don't-fragment bit). You may also want to use ip tcp adjust-mss xxxx,
where xxxx = IP MTU - 40 bytes for the header. If the TCP session goes
through a firewall that blocks ICMP messages, you will have to use this
command or configure the server/workstation for a smaller MSS size.

Example:

interface bri0
 ip mtu 1460
 ip tcp adjust-mss 1420
! or
interface Tunnel10
 ip mtu 1400
 ip tcp adjust-mss 1360

Ed Hood
Sr. Network Engineer
CCDP, CCNP
(636) 827-6921
(314) 303-7910 mobile
mailto: ed.hood@maritz.com
http://www.maritz.com

----- Original Message -----
From: <cdmurray@statestreet.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, April 03, 2003 6:10 PM
Subject: ipsec over isdn

> Has anyone encountered performance issues using an ipsec tunnel
> over isdn, without adjusting the server mtu, but allowing defrag on
> packets that use ipsec tunnel?
>
> I have been given a number of options such as "specifying mtu size" on
> the router ethernet interface but I get an error "fastethernet 0/0 does
> not support user settable mtu".
>
>
> Regards,
> Christine Murray
> Ph: 612-93236124
> cdmurray@statestreet.com



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:46 GMT-3
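
The rule given in the reply above (ip tcp adjust-mss = IP MTU - 40) as a configuration check. This is an added example, not part of the original post: it parses IOS-style interface stanzas and flags interfaces where the MSS clamp is missing or larger than the IP MTU allows. The sample config, the function names and the rule that a "!" line ends a stanza are assumptions.

```python
import re

TCP_IP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed sample config for this example (not from the original post).
SAMPLE_CONFIG = """\
interface BRI0
 ip mtu 1460
 ip tcp adjust-mss 1420
!
interface Tunnel10
 ip mtu 1400
 ip tcp adjust-mss 1380
!
interface Tunnel20
 ip mtu 1400
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map interface name -> {'mtu': int or None, 'mss': int or None}."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        start = re.fullmatch(r"interface\s+(\S+)", line, re.IGNORECASE)
        if start:
            current = interfaces.setdefault(start.group(1), {"mtu": None, "mss": None})
        elif line.startswith("!"):
            current = None  # assumption: a "!" separator closes the stanza
        elif current is not None:
            for key, pattern in (("mtu", r"ip mtu (\d+)"), ("mss", r"ip tcp adjust-mss (\d+)")):
                value = re.fullmatch(pattern, line, re.IGNORECASE)
                if value:
                    current[key] = int(value.group(1))
    return interfaces

def audit(config):
    """Return (interface, finding) pairs for interfaces with a reduced IP MTU."""
    findings = []
    for name, cfg in parse_interfaces(config).items():
        if cfg["mtu"] is None:
            continue  # no reduced IP MTU on this interface, nothing to compare
        limit = cfg["mtu"] - TCP_IP_HEADERS
        if cfg["mss"] is None:
            # Without a clamp the sender only learns the MTU from ICMP, which a firewall may block.
            findings.append((name, f"ip mtu {cfg['mtu']} without ip tcp adjust-mss (expected {limit})"))
        elif cfg["mss"] > limit:
            findings.append((name, f"adjust-mss {cfg['mss']} exceeds ip mtu - 40 = {limit}"))
    return findings
```
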