[c-nsp] Windows IPSEC VPN Client MTU issues when connecting to IOS
Andrew Miehs
andrew at 2sheds.de
Fri Sep 3 14:01:30 EDT 2010
On 03.09.2010, at 18:03, Larry Smith <lesmith at ecsis.net> wrote:
> On Fri September 3 2010 09:44, Marc Haber wrote:
>>
>>
>> Do I have a possibility to reduce the MTU used by the client and/or to
>> clamp the MSS to MTU on the IOS device (or by configuration passed
>> from the IOS device to the client when the connection is being built),
>> or do the Windows people have to reduce the client's MTU altogether?
>>
>>
>>
> Is the problem the MTU, or is it really the DF bit being set on
> websites (that most likely don't need it, don't know they're doing it,
> and don't know how to fix it)... You might try clearing the DF bit
> on packets to the VPN tunnel and see if that "fixes" the problem
> (or bypasses it at least)... See this quite often on DSL and VPN
> connections.
Do not clear the DF bit. There is obviously a device in the path dropping "evil" ICMP packets - so either fix that - or clamp MSS to something like 1420 to be safe. UDP will probably still cause a problem.
Regards
Andrew
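
The following is an added example, not part of the original message: a toy Python model of path-MTU discovery across one reduced-MTU hop, showing why filtered ICMP stalls full-size TCP segments, why a 1420-byte MSS clamp avoids that, and why UDP is unaffected by the clamp. The link MTUs and function names are constructed assumptions.

```python
# Toy model of PMTUD across one reduced-MTU hop (e.g. a tunnel). Not a packet tool.
# All MTU values are constructed for illustration.
IP_HDR, TCP_HDR, UDP_HDR = 20, 20, 8

def forward(size, df, link_mtus, icmp_blocked):
    """Carry one IP packet of `size` bytes across the links in order."""
    for mtu in link_mtus:
        if size <= mtu:
            continue
        if not df:
            return ("fragmented", None)      # router fragments, packet still arrives
        if icmp_blocked:
            return ("blackholed", None)      # dropped; ICMP type 3 code 4 never reaches sender
        return ("frag-needed", mtu)          # sender learns the next-hop MTU
    return ("delivered", None)

def tcp_send(advertised_mss, link_mtus, icmp_blocked, clamp=None):
    """Send full-size DF-set segments; return (outcome, MSS finally in use)."""
    mss = min(advertised_mss, clamp) if clamp else advertised_mss
    while True:
        outcome, next_mtu = forward(mss + IP_HDR + TCP_HDR, True, link_mtus, icmp_blocked)
        if outcome == "frag-needed":         # working PMTUD: shrink and retransmit
            mss = next_mtu - IP_HDR - TCP_HDR
            continue
        return (outcome, mss)

def udp_send(payload, df, link_mtus, icmp_blocked):
    """UDP has no MSS, so a clamp on TCP SYNs does not change the datagram size."""
    return forward(payload + IP_HDR + UDP_HDR, df, link_mtus, icmp_blocked)[0]

PATH = [1500, 1460, 1500]   # constructed: middle link stands in for the tunnel

if __name__ == "__main__":
    print(tcp_send(1460, PATH, icmp_blocked=False))              # PMTUD works
    print(tcp_send(1460, PATH, icmp_blocked=True))               # ICMP filtered
    print(tcp_send(1460, PATH, icmp_blocked=True, clamp=1420))   # MSS clamped
    print(udp_send(1472, True, PATH, icmp_blocked=True))         # large UDP, DF set
    print(udp_send(1472, False, PATH, icmp_blocked=True))        # large UDP, DF clear
```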