Solved

CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Posted on 2010-11-16
6
1,500 Views
Last Modified: 2012-05-10
Good morning all,

I have set up a Cisco EZVPN between a Head-end Router and a Remote router and everything is working just fine except that when I console in the Remote router is get the following error:

% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

I have another EZVPN Remote router setup to the same head-end EZVPN Server and this doesn’t get the error although apart from the difference in Cisco hardware between the two Remote routers they are identical in config.

The router I have working is a Cisco 1811 running over Vodafone 3G network
The router I have working but have the error on is a Cisco 881W running over the Vodafone 3G network

Router is in good coverage area for 3G and uses IPsec over a GRE Tunnel to communicate directly with the head-end EZVPN Router which is a Cisco 2800 series

Any help with this would be much appreciated

Many thanks
David
0
Comment
Question by:Dave_Mitchell
  • 3
  • 2
6 Comments
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 34144332
0
 
LVL 1

Expert Comment

by:danielc25
ID: 34170333
What is the MTU set at on the working router?
0
 

Author Comment

by:Dave_Mitchell
ID: 34203356
From original working router

Interface Tunnel 0
Bandwidth 512
ip unnumbered Loopbacl 0
ip mtu 1420
ip tcp adjust-mss 1350
keepalive 10 3
tunnel source loopback1
tunel destination 217.x.x.x
tunnel path-mtu-discovery

Thanks

David
0
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

 
LVL 1

Accepted Solution

by:
danielc25 earned 500 total points
ID: 34203836
% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Does this message have a MTU value after the tl=1420?  If not I would start by lowering the MTU and MSS value on the tunnel interface until you no longer receive this message. I would start with setting the MTU to 1320 and the MMS value to 1240.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Good luck!
0
 

Author Comment

by:Dave_Mitchell
ID: 34317753
Thanks Daniel, very useful document
0
 

Author Closing Comment

by:Dave_Mitchell
ID: 34317762
Had to read up on quite a bit before determining if the answer provided was feasible and it was.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question