Solved

VPN frame size

Posted on 2009-04-09
4
1,009 Views
Last Modified: 2012-05-06
We have two sites connected over the internet , with an IPSEC vpn. There are ASAs on either side. The mtu has been hardcoded to 1500.  

Is this bad?  How much header size does IPSEC add to an ethernet frame? If regular ethernet frames are around 1518, what size are they after ipsec encapsulation?

thanks
0
Comment
Question by:dissolved
  • 2
4 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24108588
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml



To set the maximum segment size, and thus prevent fragmentation, prevent the need for MTU path discovery, black hole routing, etc.:  

Cisco Router:
router (config)# interface type [slot_#/] port_#
router (config-if)# ip tcp adjust-mss MSS_Size_in_bytes

Cisco ASA/PIX:
security appliance (config)# sysopt connection tcp-mss MSS_size_in_bytes



0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 24108667
Dear Dissolved;

Normally internet MTU standard size is 1500 bytes. If you are using special L2 networks on your ISP, ISP has to support jumbo frame. If you are using tunnel packet header size can change according to tunnel type.

You may use below command
ip tcp adjust-mss 1460

The command will create fragmentation which packet is bigger than 1460. Finnally you will not receive any mtu problem on IPSEC.
0
 

Author Comment

by:dissolved
ID: 24109090
ok, so what is best practices for MTu with regards to VPN?
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 24109150
The best thing I've found is to adjust the maximum segment size to about 1350.  It's a trade-off of slightly higher overhead, but much less work to find the "perfect" value.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question