From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Mon Jul 25 2005 - 14:57:53 GMT-3
Generally speaking, even though you say ICMP goes clean through, I doubt if
Path MTU Discovery works much in the real world as so many ISPs now block
ICMP or at least a subset of it. So are you sure all ICMP is allowed or
just sure about some of it? You would need to be sure ICMP "can't fragment"
error messages (type 3, code 4) are getting through in order for PMTUD to
function.
My current situation requires me to turn off PMTUD and set the MTU down to
1300 (which we determined by lengthy testing - ymmv) and force fragmentation
(ignore the DF bit) when needed. It's not the most elegant solution but it
works for us now with the ISPs we use. For the record, I don't like these
settings but for the moment have no choice. In the past, when I was a
contractor, I was setting up VPNs left and right and rarely if ever had MTU
problems with the Cisco defaults. My experience with my current employer
has been quite different, as evidenced by the results I wrote above.
Rik
-----Original Message-----
From: buesink@fma.nl [mailto:buesink@fma.nl]
Sent: Monday, July 25, 2005 1:20 PM
To: ccielab@groupstudy.com
Subject: VPN mtu problem
Hi Guys,
I have hosts in a vlan on the 6500 (mtu 1500) and I have hosts on the 2800.
They are connected with a tunnel; over this tunnel I'm running IPsec.
When copying LARGE files I run into trouble (slow traffic).
I'm sure ICMP is permitted in all directions (PMTUD).
Could you please help me on this one:
hosts <--6500 --3750--(internet)--3750--2800--> hosts
tunnel/gre ------------------------tunnel/gre
incoming interface mtu on 6500 = 1500 (where hosts reside)
incoming interface mtu on 2800 = 1500 (where hosts reside)
Tunnel interfaces on 6500 & 2000 are using "ip mtu 1440", since I use "mode
transport" with the transform statement (crypto) for IPsec.
And Cisco recommends this "transport mode" since we are running IPsec over the
tunnel.
When I debug icmp, I see ICMP redirects code 3 type 4 (DF bit set), from
hosts on the 2800 sending to the 6500 hosts. I think this is normal,
because they're doing PMTUD.
But large file copies (20 MB = 30 minutes) are having problems over this
link, NOTE this link is 1 Gigabit (from 3750 to 3750 = internet connection).
Could this be MTU related, or am I searching in the wrong direction?
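A worked example added here by the editor, not code from either poster or from Cisco: it computes the on-the-wire size of a GRE-over-IPsec packet from the inner packet size and the ESP parameters, so you can check whether a tunnel "ip mtu" such as the 1440 in the original post actually fits a 1500-byte link before the crypto engine has to fragment, and what the largest safe value is. The two transform sets in the code (3DES-CBC with HMAC-SHA1-96 in transport mode, AES-CBC with HMAC-SHA1-96 in tunnel mode) are assumptions standing in for whatever the routers actually negotiate; GRE is assumed to carry no checksum, key or sequence fields, and IP headers are assumed to have no options.

```python
"""GRE-over-IPsec MTU budget calculator (editor's added example, not from the thread).

Sizes follow RFC 2784 (GRE), RFC 4303 (ESP) and IPv4 headers without options.
"""
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header, no options (assumption)
GRE_HDR = 4        # GRE with no checksum, key or sequence fields (assumption)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
TCP_HDR = 20       # TCP header, no options


@dataclass(frozen=True)
class EspParams:
    block: int    # cipher block size: 8 for 3DES-CBC, 16 for AES-CBC
    iv: int       # IV length, equal to the block size for CBC ciphers
    icv: int      # 12 for HMAC-SHA1-96 / HMAC-MD5-96, 16 for HMAC-SHA-256-128
    tunnel: bool  # True = ESP tunnel mode, False = ESP transport mode


# Assumed transform sets; substitute whatever the routers actually negotiate.
THREEDES_SHA1_TRANSPORT = EspParams(block=8, iv=8, icv=12, tunnel=False)
AES_SHA1_TUNNEL = EspParams(block=16, iv=16, icv=12, tunnel=True)


def esp_padding(protected_len: int, block: int) -> int:
    """Padding so that payload + padding + 2-byte trailer is a multiple of the block size."""
    return (-(protected_len + ESP_TRAILER)) % block


def gre_ipsec_wire_size(inner_len: int, esp: EspParams) -> int:
    """Bytes that leave the physical interface for one inner IP packet of inner_len bytes."""
    gre_packet = IP_HDR + GRE_HDR + inner_len            # outer IP + GRE + inner packet
    # Transport mode protects everything after the outer IP header and keeps that header;
    # tunnel mode protects the whole GRE packet and prepends a new IP header.
    protected = gre_packet if esp.tunnel else gre_packet - IP_HDR
    pad = esp_padding(protected, esp.block)
    esp_len = ESP_HDR + esp.iv + protected + pad + ESP_TRAILER + esp.icv
    return IP_HDR + esp_len


def needs_fragmentation(inner_len: int, esp: EspParams, link_mtu: int = 1500) -> bool:
    """True if the encrypted GRE packet exceeds the physical link MTU."""
    return gre_ipsec_wire_size(inner_len, esp) > link_mtu


def max_inner_mtu(link_mtu: int, esp: EspParams) -> int:
    """Largest tunnel 'ip mtu' whose packets still fit link_mtu after GRE + ESP.

    Scans downward because ESP padding makes the wire size non-monotonic in inner_len.
    """
    for inner in range(link_mtu, 0, -1):
        if not needs_fragmentation(inner, esp, link_mtu):
            return inner
    raise ValueError("no inner size fits the link MTU")


def tcp_mss(inner_mtu: int) -> int:
    """TCP MSS that matches an inner MTU (IPv4 + TCP headers, no options)."""
    return inner_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for name, esp in (("3DES/SHA1 transport", THREEDES_SHA1_TRANSPORT),
                      ("AES/SHA1 tunnel", AES_SHA1_TUNNEL)):
        best = max_inner_mtu(1500, esp)
        verdict = "fragments" if needs_fragmentation(1440, esp) else "fits"
        print(f"{name}: ip mtu 1440 -> {gre_ipsec_wire_size(1440, esp)} bytes on the wire "
              f"({verdict}); largest safe ip mtu {best}, matching MSS {tcp_mss(best)}")
```

Under the 3DES/SHA1 transport-mode assumption an inner 1440-byte packet comes out at 1496 bytes, so "ip mtu 1440" does fit a 1500-byte link; under AES in tunnel mode the same packet comes out at 1528 bytes and would have to be fragmented, which is why the safe value depends on the transform set. The value max_inner_mtu returns is the candidate for the tunnel's "ip mtu", and tcp_mss gives the matching MSS clamp. Note that this only accounts for the overhead budget on the routers' own link; it says nothing about whether ICMP type 3 code 4 from a smaller hop somewhere in the ISP path reaches the sending host, which is the failure Rik describes, and that still has to be tested end to end (for example with a DF-set ping of a chosen size from a host on each side).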
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:31 GMT-3