VPN frame size

We have two sites connected over the internet , with an IPSEC vpn. There are ASAs on either side. The mtu has been hardcoded to 1500.  

Is this bad?  How much header size does IPSEC add to an ethernet frame? If regular ethernet frames are around 1518, what size are they after ipsec encapsulation?

Who is Participating?
asavenerConnect With a Mentor Commented:
The best thing I've found is to adjust the maximum segment size to about 1350.  It's a trade-off of slightly higher overhead, but much less work to find the "perfect" value.


To set the maximum segment size, and thus prevent fragmentation, prevent the need for MTU path discovery, black hole routing, etc.:  

Cisco Router:
router (config)# interface type [slot_#/] port_#
router (config-if)# ip tcp adjust-mss MSS_Size_in_bytes

Cisco ASA/PIX:
security appliance (config)# sysopt connection tcp-mss MSS_size_in_bytes

Faruk Onder YerliOwnerCommented:
Dear Dissolved;

Normally internet MTU standard size is 1500 bytes. If you are using special L2 networks on your ISP, ISP has to support jumbo frame. If you are using tunnel packet header size can change according to tunnel type.

You may use below command
ip tcp adjust-mss 1460

The command will create fragmentation which packet is bigger than 1460. Finnally you will not receive any mtu problem on IPSEC.
dissolvedAuthor Commented:
ok, so what is best practices for MTu with regards to VPN?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.