• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1062
  • Last Modified:

VPN frame size

We have two sites connected over the internet , with an IPSEC vpn. There are ASAs on either side. The mtu has been hardcoded to 1500.  

Is this bad?  How much header size does IPSEC add to an ethernet frame? If regular ethernet frames are around 1518, what size are they after ipsec encapsulation?

  • 2
1 Solution


To set the maximum segment size, and thus prevent fragmentation, prevent the need for MTU path discovery, black hole routing, etc.:  

Cisco Router:
router (config)# interface type [slot_#/] port_#
router (config-if)# ip tcp adjust-mss MSS_Size_in_bytes

Cisco ASA/PIX:
security appliance (config)# sysopt connection tcp-mss MSS_size_in_bytes

Faruk Onder YerliOwnerCommented:
Dear Dissolved;

Normally internet MTU standard size is 1500 bytes. If you are using special L2 networks on your ISP, ISP has to support jumbo frame. If you are using tunnel packet header size can change according to tunnel type.

You may use below command
ip tcp adjust-mss 1460

The command will create fragmentation which packet is bigger than 1460. Finnally you will not receive any mtu problem on IPSEC.
dissolvedAuthor Commented:
ok, so what is best practices for MTu with regards to VPN?
The best thing I've found is to adjust the maximum segment size to about 1350.  It's a trade-off of slightly higher overhead, but much less work to find the "perfect" value.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now