[c-nsp] Windows IPSEC VPN Client MTU issues when connecting to IOS
Marc Haber
mh+cisco-nsp at zugschlus.de
Sat Sep 4 02:25:26 EDT 2010
On Fri, Sep 03, 2010 at 08:01:30PM +0200, Andrew Miehs wrote:
> On 03.09.2010, at 18:03, Larry Smith <lesmith at ecsis.net> wrote:
> > On Fri September 3 2010 09:44, Marc Haber wrote:
> >> Do I have a possibility to reduce the MTU used by the client and/or to
> >> clamp the MSS to MTU on the IOS device (or by configuration passed
> >> from the IOS device to the client when the connection is being built),
> >> or do the Windows people have to reduce the client's MTU altogether?
> >>
> > Is the problem the MTU, or is it really the DF bit being set on
> > websites (that most likely don't need it, don't know their doing it,
> > and don't know how to fix it)... You might try clearing the DF bit
> > on packets to the VPN tunnel and see if that "fixes" the problem
> > (or bypasses it at least)... See this quite often on DSL and VPN
> > connections.
>
> Do not clear the DF bit. There is obviously a device in the path
> dropping "evil" icmp packets - so either fix that -
Impossible, it's the firewall of the remote side which I do not control.
> or clamp mss to something like 1420 to be safe.
Now we're back to my original question, which is quoted above.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
More information about the cisco-nsp
mailing list