Solved

VPN frame size

Posted on 2009-04-09
4
1,003 Views
Last Modified: 2012-05-06
We have two sites connected over the internet , with an IPSEC vpn. There are ASAs on either side. The mtu has been hardcoded to 1500.  

Is this bad?  How much header size does IPSEC add to an ethernet frame? If regular ethernet frames are around 1518, what size are they after ipsec encapsulation?

thanks
0
Comment
Question by:dissolved
  • 2
4 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24108588
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml



To set the maximum segment size, and thus prevent fragmentation, prevent the need for MTU path discovery, black hole routing, etc.:  

Cisco Router:
router (config)# interface type [slot_#/] port_#
router (config-if)# ip tcp adjust-mss MSS_Size_in_bytes

Cisco ASA/PIX:
security appliance (config)# sysopt connection tcp-mss MSS_size_in_bytes



0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 24108667
Dear Dissolved;

Normally internet MTU standard size is 1500 bytes. If you are using special L2 networks on your ISP, ISP has to support jumbo frame. If you are using tunnel packet header size can change according to tunnel type.

You may use below command
ip tcp adjust-mss 1460

The command will create fragmentation which packet is bigger than 1460. Finnally you will not receive any mtu problem on IPSEC.
0
 

Author Comment

by:dissolved
ID: 24109090
ok, so what is best practices for MTu with regards to VPN?
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 24109150
The best thing I've found is to adjust the maximum segment size to about 1350.  It's a trade-off of slightly higher overhead, but much less work to find the "perfect" value.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now