Site to site VPN MTU

hmc2500
Level 1

We had built an IPsec site-to-site VPN between 2 firewalls but had problems when the load got above a certain threshold. When a certain load was reached, almost no traffic was able to get through the tunnel.

Site1 <mtu 1492> ---------Internet-------------- <mtu 1444> Site2


Questions:

  • Could the MTU have been the problem?
  • What should have been the correct maximum size?
  • How does the "ignore don't fragment bit" setting affect the tunnel?
  • Should clients not automatically learn and adjust their MTU size to the lowest common MTU, something lower than 1444?

tvotna
Spotlight

1. Yes, this can be an MTU problem.

2. There is no such thing as a "correct MTU". ASA/FTD firewalls support Path MTU Discovery (PMTUD) both between the sender and the firewall and between the firewalls terminating the IPsec tunnel. PMTUD relies on "ICMP unreachable, fragmentation needed and DF set" messages. If they are blocked somewhere in the path, PMTUD fails and big packets can be lost. In this case you can clear the DF bit on the firewall and fragment the traffic.

3. The "crypto map <name> <priority> set df-bit clear" command is sometimes used if PMTUD doesn't function, but fragmentation should typically be avoided, as performance can drop a little bit. If the traffic volume isn't huge, CPU shouldn't increase much on an ASA/FTD fragmenting packets. If traffic is fragmented by the ASA/FTD, the reassembly is performed by the receiving endpoint (e.g. by the server). If IPsec traffic is fragmented somewhere on the Internet, the reassembly is performed by the receiving ASA/FTD. This is the worst-case scenario; watch out for reassembly drops ("show fragment"). The only other solution is to lower the MTU on the endpoints.

4. No, MTU discovery is supported by AnyConnect/ASA (FTD), but not in the case of L2L.
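
The PMTUD, DF-bit and MSS behaviour discussed in this thread, as an added example that is not part of tvotna's reply, MHM's reply, or any Cisco code: a small Python model of the Site1 (1492) / Site2 (1444) path from the question. The ESP overhead figure, the hop layout, and the 1500-byte starting packet are assumptions for illustration; the model shows what the sending host learns when the "fragmentation needed" ICMP gets through, what happens when it is blocked (a black hole for large packets), and what clearing DF at the firewall does to the outer packets.

```python
"""Added example (not from the thread): how MTU, the DF bit and PMTUD interact
on an IPsec site-to-site path like Site1 (1492) <-> Site2 (1444).
All sizes are illustrative; the ESP overhead below is an assumption."""
import math

IPV4_HDR = 20
TCP_HDR = 20
# Assumed ESP tunnel-mode overhead: outer IPv4 20 + SPI/seq 8 + AES-CBC IV 16
# + padding/pad-length/next-header up to 17 + 16-byte ICV. The real figure
# depends on the negotiated transform set; treat this as an upper bound.
ESP_OVERHEAD = 20 + 8 + 16 + 17 + 16  # 77 bytes


def inner_mtu(outer_mtu, overhead=ESP_OVERHEAD):
    """Largest cleartext IP packet that fits in one encrypted outer packet."""
    return outer_mtu - overhead


def tcp_mss_clamp(outer_mtu, overhead=ESP_OVERHEAD):
    """TCP MSS a firewall could advertise so segments never need fragmenting."""
    return inner_mtu(outer_mtu, overhead) - IPV4_HDR - TCP_HDR


def send(path, encap_at, size, df, icmp_allowed, clear_df=False):
    """Walk one cleartext packet of `size` bytes along `path`, a list of
    (hop_name, mtu). The firewall at index `encap_at` adds ESP overhead and,
    when `clear_df` is set, clears DF on the outer packet so it can be
    fragmented. Returns (outcome, detail, events)."""
    events = []
    encapsulated = False
    outer_df = df
    for idx, (hop, mtu) in enumerate(path):
        if idx == encap_at:
            size += ESP_OVERHEAD
            encapsulated = True
            if clear_df:
                outer_df = False
            events.append(f"{hop}: encapsulated -> {size} bytes")
        if size <= mtu:
            continue
        if outer_df:
            # The host only sees cleartext sizes, so the MTU reported back
            # must have the tunnel overhead subtracted once encapsulated.
            advertised = mtu - (ESP_OVERHEAD if encapsulated else 0)
            if icmp_allowed:
                events.append(f"{hop}: ICMP frag-needed, next-hop MTU {advertised}")
                return "pmtud", advertised, events
            events.append(f"{hop}: dropped silently (ICMP blocked)")
            return "blackhole", hop, events
        # DF clear: fragment. IPv4 fragment offsets are in 8-byte units, so
        # every non-final fragment carries a payload that is a multiple of 8.
        unit = (mtu - IPV4_HDR) // 8 * 8
        pieces = math.ceil((size - IPV4_HDR) / unit)
        events.append(f"{hop}: fragmented into {pieces} pieces")
        size = IPV4_HDR + unit  # the largest fragment continues down the path
    return "delivered", size, events


def discover_pmtu(path, encap_at, start_size, icmp_allowed):
    """Sender-side PMTUD: keep sending DF packets, shrinking to each advertised
    MTU, until one is delivered. Returns the learned cleartext PMTU, or None
    when a black hole (blocked ICMP) stops discovery."""
    size = start_size
    while True:
        outcome, detail, _ = send(path, encap_at, size, df=True,
                                  icmp_allowed=icmp_allowed)
        if outcome == "delivered":
            return size
        if outcome == "blackhole" or detail >= size:
            return None  # no progress possible
        size = detail


# Constructed topology from the thread: LAN host -> Site1 WAN (1492) ->
# Internet -> Site2 WAN (1444). Encryption happens at the Site1 WAN edge.
PATH = [("site1-lan", 1500), ("site1-wan", 1492),
        ("internet", 1500), ("site2-wan", 1444)]
ENCAP_AT = 1

if __name__ == "__main__":
    print("cleartext MTU behind a 1444 outer MTU:", inner_mtu(1444))
    print("TCP MSS clamp for a 1444 outer MTU:", tcp_mss_clamp(1444))
    print("PMTUD with ICMP allowed:", discover_pmtu(PATH, ENCAP_AT, 1500, True))
    print("PMTUD with ICMP blocked:", discover_pmtu(PATH, ENCAP_AT, 1500, False))
    for line in send(PATH, ENCAP_AT, 1500, df=True, icmp_allowed=False,
                     clear_df=True)[2]:
        print("df-bit clear:", line)
```

With the assumed overhead the host ends up learning a 1367-byte cleartext PMTU (two ICMP round trips, one per WAN edge), which is why a fixed MSS clamp well under 1500 on the firewall avoids the problem entirely. When ICMP is blocked, the same 1500-byte packet is dropped at the first edge and the host never learns why, which matches the "fine until load rises" symptom. With DF cleared, the packet is delivered but gets fragmented at both edges, and the second fragmentation has to be reassembled by the receiving firewall, the case tvotna flags as the one to watch in "show fragment".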


hmc2500
Level 1

One thing I have a hard time wrapping my mind around is: isn't fragmentation going to happen anyway (from the client endpoints), no matter whether you reduce the MTU size or not?

And what would happen if you adjusted MTU/MSS on the nearest switch instead (closest to the firewall)?

IPsec uses MTU path discovery, which makes it adjust the MTU of packets passing through the tunnel.

This can be seen in:

show crypto ipsec sa

Check the MTU size on both sides.

And if the MTU is low, can you check the ASA TCP MSS: is it 1500 or 1300? This can cause issues as well.

MHM