CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Good morning all,

I have set up a Cisco EZVPN between a Head-end Router and a Remote router and everything is working just fine except that when I console in the Remote router is get the following error:

% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

I have another EZVPN Remote router setup to the same head-end EZVPN Server and this doesn’t get the error although apart from the difference in Cisco hardware between the two Remote routers they are identical in config.

The router I have working is a Cisco 1811 running over Vodafone 3G network
The router I have working but have the error on is a Cisco 881W running over the Vodafone 3G network

Router is in good coverage area for 3G and uses IPsec over a GRE Tunnel to communicate directly with the head-end EZVPN Router which is a Cisco 2800 series

Any help with this would be much appreciated

Many thanks
David
Dave_MitchellAsked:
Who is Participating?
 
danielc25Commented:
% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Does this message have a MTU value after the tl=1420?  If not I would start by lowering the MTU and MSS value on the tunnel interface until you no longer receive this message. I would start with setting the MTU to 1320 and the MMS value to 1240.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Good luck!
0
 
danielc25Commented:
What is the MTU set at on the working router?
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
Dave_MitchellAuthor Commented:
From original working router

Interface Tunnel 0
Bandwidth 512
ip unnumbered Loopbacl 0
ip mtu 1420
ip tcp adjust-mss 1350
keepalive 10 3
tunnel source loopback1
tunel destination 217.x.x.x
tunnel path-mtu-discovery

Thanks

David
0
 
Dave_MitchellAuthor Commented:
Thanks Daniel, very useful document
0
 
Dave_MitchellAuthor Commented:
Had to read up on quite a bit before determining if the answer provided was feasible and it was.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.