[c-nsp] Windows IPSEC VPN Client MTU issues when connecting to IOS

Marc Haber mh+cisco-nsp at zugschlus.de
Sat Sep 4 02:25:26 EDT 2010


On Fri, Sep 03, 2010 at 08:01:30PM +0200, Andrew Miehs wrote:
> On 03.09.2010, at 18:03, Larry Smith <lesmith at ecsis.net> wrote:
> > On Fri September 3 2010 09:44, Marc Haber wrote:
> >> Do I have a possibility to reduce the MTU used by the client and/or to
> >> clamp the MSS to MTU on the IOS device (or by configuration passed
> >> from the IOS device to the client when the connection is being built),
> >> or do the Windows people have to reduce the client's MTU altogether?
> >> 
> > Is the problem the MTU, or is it really the DF bit being set on 
> > websites (that most likely don't need it, don't know they're doing it,
> > and don't know how to fix it)...  You might try clearing the DF bit
> > on packets to the VPN tunnel and see if that "fixes" the problem
> > (or bypasses it at least)...  See this quite often on DSL and VPN
> > connections.
> 
> Do not clear the DF bit. There is obviously a device in the path
> dropping "evil" ICMP packets - so either fix that -

Impossible, it's the firewall of the remote side which I do not control.

>  or clamp mss to something like 1420 to be safe.

Now we're back to my original question, which is quoted above.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

