From: Jensen, Brian D. (bdjensen@eschelon.com)
Date: Thu May 15 2003 - 23:29:05 GMT-3
Hi Armand,
You're getting the error most likely because your PIX encountered packets
with the "do not fragment" bit set. Since the MTU of the IPsec tunnel is
effectively less than 1500 because of the overhead of the tunnel, you can do
several things: a) ignore the error, because the higher layers will take
care of the error; b) set the MTU lower on your interface that's sending the
packets; or c) set the interface on your router to a lower MTU and let it
tell the sender to cut the packet size.
There might be others, but increasing the MTU beyond 1500 is not a good idea
for FE/E, as it will overflow the physical buffer space on most FE or E
network interfaces.
Thanks,
Brian
> -----Original Message-----
> From: Armand D [SMTP:ciscoworks2001@yahoo.com]
> Sent: Thursday, May 15, 2003 1:50 PM
> To: ccielab@groupstudy.com
> Subject: Tunnel IPSec between PIX to PIX
>
> Hi ,
>
> I created an IPsec tunnel between pix-1 and pix-2, and
> sometimes I receive these messages through debug
> crypto ipsec.
>
> --snip--
> IPSEC(ipsec_prepare_encap_request): ERROR: unable to
> fragment packet pktsize=1500, eff_mtu = 1444
> --snip--
>
> It seems the effective MTU is 56 bytes less than the
> set MTU. I get this debug on packets between 1444 and
> 1500, so I set the MTU at 1556, but it doesn't seem to
> help things.
>
> Does anyone have any suggestions? It would be greatly
> appreciated.
>
> Best,
>
> Armand
>
>
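Worked example, added by the editor and not code from either poster: a small model of why the tunnel's effective MTU is smaller than the interface MTU, what happens to a 1500-byte packet with DF set, and why raising the interface MTU to 1556 produces frames a Fast Ethernet link cannot carry. ESP field sizes are taken from RFC 2406 (8-byte SPI/sequence header, 2-byte trailer, 12-byte HMAC-96 ICV, cipher-block padding) plus the 20-byte outer IPv4 header of tunnel mode; the PIX's 56-byte figure is treated as an opaque fixed budget (how the PIX arrives at exactly 56 is not stated in the thread and is an assumption here), and a physical MTU of 1500 for FE/E is assumed.

```python
"""Model of IPsec tunnel-mode MTU accounting (editor's example, not PIX code)."""

OUTER_IPV4_HDR = 20   # outer IPv4 header added in tunnel mode (RFC 2401)
ESP_HDR = 8           # SPI (4) + sequence number (4)       (RFC 2406)
ESP_TRAILER = 2       # pad length (1) + next header (1)    (RFC 2406)
IPV4_HDR = 20         # inner IPv4 header, used for fragmentation
TCP_HDR = 20


def esp_tunnel_overhead(inner_len, block_size=8, iv_len=8, icv_len=12):
    """Exact bytes ESP tunnel mode adds to one inner packet.

    Defaults model 3DES-CBC (8-byte block, 8-byte IV) with HMAC-MD5/SHA1-96
    (12-byte ICV). Padding brings (inner + trailer) to a block multiple.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block_size
    return OUTER_IPV4_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def worst_case_overhead(block_size=8, iv_len=8, icv_len=12):
    """Overhead with maximal padding: what a fixed per-tunnel budget must cover."""
    return OUTER_IPV4_HDR + ESP_HDR + iv_len + (block_size - 1) + ESP_TRAILER + icv_len


def fragment_lengths(pkt_len, mtu, ihl=IPV4_HDR):
    """Lengths of the IPv4 fragments of a pkt_len packet that fit in mtu.

    Fragment offsets are in 8-byte units, so every fragment but the last
    carries a multiple of 8 payload bytes.
    """
    payload = pkt_len - ihl
    per_frag = ((mtu - ihl) // 8) * 8
    frags = []
    while payload > 0:
        chunk = min(per_frag, payload)
        frags.append(ihl + chunk)
        payload -= chunk
    return frags


def plan_encapsulation(pkt_len, df_set, configured_mtu, overhead, phys_mtu=1500):
    """Decide what a tunnel endpoint does with a cleartext packet.

    Returns (action, detail):
      ("encapsulate", encapsulated_len)        packet fits the tunnel
      ("drop_icmp_frag_needed", eff_mtu)       DF set and too big: the
                                               endpoint should drop it and
                                               tell the sender the usable MTU
      ("fragment_then_encapsulate", [lens])    DF clear: fragment first
      ("oversized_frame", encapsulated_len)    configured MTU exceeds what
                                               the physical link can carry
    """
    eff_mtu = configured_mtu - overhead
    if pkt_len > eff_mtu:
        if df_set:
            return ("drop_icmp_frag_needed", eff_mtu)
        return ("fragment_then_encapsulate", fragment_lengths(pkt_len, eff_mtu))
    encapsulated = pkt_len + overhead
    if encapsulated > phys_mtu:
        return ("oversized_frame", encapsulated)
    return ("encapsulate", encapsulated)


def tcp_mss_for_tunnel(configured_mtu, overhead):
    """Largest TCP segment that still fits the tunnel without fragmentation."""
    return configured_mtu - overhead - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    PIX_BUDGET = 56   # the fixed overhead implied by eff_mtu = 1444 in the debug
    print("3DES/HMAC-96 overhead for a 1500-byte packet:", esp_tunnel_overhead(1500))
    print("worst-case overhead:", worst_case_overhead())
    print("1500 bytes, DF set, MTU 1500 :", plan_encapsulation(1500, True, 1500, PIX_BUDGET))
    print("1500 bytes, DF clear, MTU 1500:", plan_encapsulation(1500, False, 1500, PIX_BUDGET))
    print("1500 bytes, DF set, MTU 1556 :", plan_encapsulation(1500, True, 1556, PIX_BUDGET))
    print("TCP MSS that avoids the problem:", tcp_mss_for_tunnel(1500, PIX_BUDGET))
```

The three `plan_encapsulation` calls correspond to the situations in the thread: the reported debug (DF set, dropped at 1444), the DF-clear case where the endpoint fragments before encrypting, and Armand's 1556 attempt, which merely moves the problem from the crypto path to the wire. The last line shows the alternative of clamping the TCP MSS so that senders never emit segments that need fragmentation in the first place; this goes slightly beyond the thread, which only discusses lowering the interface MTU.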
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:44 GMT-3