Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Posted on 2010-11-16
6
Medium Priority
?
1,584 Views
Last Modified: 2012-05-10
Good morning all,

I have set up a Cisco EZVPN between a Head-end Router and a Remote router and everything is working just fine except that when I console in the Remote router is get the following error:

% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

I have another EZVPN Remote router setup to the same head-end EZVPN Server and this doesn’t get the error although apart from the difference in Cisco hardware between the two Remote routers they are identical in config.

The router I have working is a Cisco 1811 running over Vodafone 3G network
The router I have working but have the error on is a Cisco 881W running over the Vodafone 3G network

Router is in good coverage area for 3G and uses IPsec over a GRE Tunnel to communicate directly with the head-end EZVPN Router which is a Cisco 2800 series

Any help with this would be much appreciated

Many thanks
David
0
Comment
Question by:Dave_Mitchell
  • 3
  • 2
6 Comments
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 34144332
0
 
LVL 1

Expert Comment

by:danielc25
ID: 34170333
What is the MTU set at on the working router?
0
 

Author Comment

by:Dave_Mitchell
ID: 34203356
From original working router

Interface Tunnel 0
Bandwidth 512
ip unnumbered Loopbacl 0
ip mtu 1420
ip tcp adjust-mss 1350
keepalive 10 3
tunnel source loopback1
tunel destination 217.x.x.x
tunnel path-mtu-discovery

Thanks

David
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
LVL 1

Accepted Solution

by:
danielc25 earned 1500 total points
ID: 34203836
% CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1420

Does this message have a MTU value after the tl=1420?  If not I would start by lowering the MTU and MSS value on the tunnel interface until you no longer receive this message. I would start with setting the MTU to 1320 and the MMS value to 1240.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Good luck!
0
 

Author Comment

by:Dave_Mitchell
ID: 34317753
Thanks Daniel, very useful document
0
 

Author Closing Comment

by:Dave_Mitchell
ID: 34317762
Had to read up on quite a bit before determining if the answer provided was feasible and it was.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question