Solved

CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Posted on 2010-11-16
6
1,543 Views
Last Modified: 2012-05-10
Good morning all,

I have set up a Cisco EZVPN between a Head-end Router and a Remote router and everything is working just fine except that when I console in the Remote router is get the following error:

% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

I have another EZVPN Remote router setup to the same head-end EZVPN Server and this doesn’t get the error although apart from the difference in Cisco hardware between the two Remote routers they are identical in config.

The router I have working is a Cisco 1811 running over Vodafone 3G network
The router I have working but have the error on is a Cisco 881W running over the Vodafone 3G network

Router is in good coverage area for 3G and uses IPsec over a GRE Tunnel to communicate directly with the head-end EZVPN Router which is a Cisco 2800 series

Any help with this would be much appreciated

Many thanks
David
0
Comment
Question by:Dave_Mitchell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 34144332
0
 
LVL 1

Expert Comment

by:danielc25
ID: 34170333
What is the MTU set at on the working router?
0
 

Author Comment

by:Dave_Mitchell
ID: 34203356
From original working router

Interface Tunnel 0
Bandwidth 512
ip unnumbered Loopbacl 0
ip mtu 1420
ip tcp adjust-mss 1350
keepalive 10 3
tunnel source loopback1
tunel destination 217.x.x.x
tunnel path-mtu-discovery

Thanks

David
0
Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

 
LVL 1

Accepted Solution

by:
danielc25 earned 500 total points
ID: 34203836
% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Does this message have a MTU value after the tl=1420?  If not I would start by lowering the MTU and MSS value on the tunnel interface until you no longer receive this message. I would start with setting the MTU to 1320 and the MMS value to 1240.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Good luck!
0
 

Author Comment

by:Dave_Mitchell
ID: 34317753
Thanks Daniel, very useful document
0
 

Author Closing Comment

by:Dave_Mitchell
ID: 34317762
Had to read up on quite a bit before determining if the answer provided was feasible and it was.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question