Solved

CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Posted on 2010-11-16
6
1,517 Views
Last Modified: 2012-05-10
Good morning all,

I have set up a Cisco EZVPN between a Head-end Router and a Remote router and everything is working just fine except that when I console in the Remote router is get the following error:

% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

I have another EZVPN Remote router setup to the same head-end EZVPN Server and this doesn’t get the error although apart from the difference in Cisco hardware between the two Remote routers they are identical in config.

The router I have working is a Cisco 1811 running over Vodafone 3G network
The router I have working but have the error on is a Cisco 881W running over the Vodafone 3G network

Router is in good coverage area for 3G and uses IPsec over a GRE Tunnel to communicate directly with the head-end EZVPN Router which is a Cisco 2800 series

Any help with this would be much appreciated

Many thanks
David
0
Comment
Question by:Dave_Mitchell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 34144332
0
 
LVL 1

Expert Comment

by:danielc25
ID: 34170333
What is the MTU set at on the working router?
0
 

Author Comment

by:Dave_Mitchell
ID: 34203356
From original working router

Interface Tunnel 0
Bandwidth 512
ip unnumbered Loopbacl 0
ip mtu 1420
ip tcp adjust-mss 1350
keepalive 10 3
tunnel source loopback1
tunel destination 217.x.x.x
tunnel path-mtu-discovery

Thanks

David
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
LVL 1

Accepted Solution

by:
danielc25 earned 500 total points
ID: 34203836
% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Does this message have a MTU value after the tl=1420?  If not I would start by lowering the MTU and MSS value on the tunnel interface until you no longer receive this message. I would start with setting the MTU to 1320 and the MMS value to 1240.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Good luck!
0
 

Author Comment

by:Dave_Mitchell
ID: 34317753
Thanks Daniel, very useful document
0
 

Author Closing Comment

by:Dave_Mitchell
ID: 34317762
Had to read up on quite a bit before determining if the answer provided was feasible and it was.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
help Skype for Business keeps dropping 7 100
VPN connection 7 54
Equivalent of WSUS for Solaris, AIX and Cisco devices 11 139
SSL-VPN 1 91
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question