Solved

VPN frame size

Posted on 2009-04-09
4
1,013 Views
Last Modified: 2012-05-06
We have two sites connected over the internet , with an IPSEC vpn. There are ASAs on either side. The mtu has been hardcoded to 1500.  

Is this bad?  How much header size does IPSEC add to an ethernet frame? If regular ethernet frames are around 1518, what size are they after ipsec encapsulation?

thanks
0
Comment
Question by:dissolved
  • 2
4 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24108588
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml



To set the maximum segment size, and thus prevent fragmentation, prevent the need for MTU path discovery, black hole routing, etc.:  

Cisco Router:
router (config)# interface type [slot_#/] port_#
router (config-if)# ip tcp adjust-mss MSS_Size_in_bytes

Cisco ASA/PIX:
security appliance (config)# sysopt connection tcp-mss MSS_size_in_bytes



0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 24108667
Dear Dissolved;

Normally internet MTU standard size is 1500 bytes. If you are using special L2 networks on your ISP, ISP has to support jumbo frame. If you are using tunnel packet header size can change according to tunnel type.

You may use below command
ip tcp adjust-mss 1460

The command will create fragmentation which packet is bigger than 1460. Finnally you will not receive any mtu problem on IPSEC.
0
 

Author Comment

by:dissolved
ID: 24109090
ok, so what is best practices for MTu with regards to VPN?
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 24109150
The best thing I've found is to adjust the maximum segment size to about 1350.  It's a trade-off of slightly higher overhead, but much less work to find the "perfect" value.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question