TCPIP MTU settings

jason.dowd at us.pwcglobal.com
Mon Jul 19 16:29:27 EDT 1999


Guy,

Yes, this is a very common problem that I have seen with several IPSec
gateway devices. Many OSs and application servers like to set the don't
fragment bit in their IP headers. As IPSec encapsulation makes packets
longer, if the IPSec gateways carry over the enforcement of the don't
fragment bit to the larger packet, it is quite common for the packet to
grow to a size that makes it impossible to transmit. For whatever reason
the gateways either do not send a "fragmentation needed" message to the
originating host or the host does not respond correctly to this message.
This problem is most easily solved by hunting through the configuration of
your IPSec device and looking for an option labeled "Don't copy don't
fragment bits to outer headers" or some such, and activating it. This will
relieve you of the necessity of having to reconfigure the MTU on all of
your servers. If no such option exists, contact the vendor and tell them to
include one in the future :)

This problem can be quite a show stopper.

Jason Dowd
Senior Associate
PricewaterhouseCoopers




guy.raymakers at europe.eds.com on 07/19/99 03:36:58 AM
To:   vpn at listserv.secnetgroup.com
cc:
Subject:  TCPIP MTU settings







Hi,

We have discovered the following problem:

The remote network (offices) has an NT server and an IPsec-enabled router.
The router encapsulates the TCP/IP packets into IPsec packets. When using
the default TCP/IP MTU (= 1500) on the NT server, we get problems when
doing file transfers. When we lower the TCP/IP MTU to 1444 we don't have
these problems. The remote office's ISP is a different one than our ISP.

Has anyone had similar experiences?

regards,
Guy


****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************


----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.
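
Added example (not part of the original messages): a small Python model of
the gateway behaviour discussed in this thread, showing how the copied
don't-fragment bit and a missing "fragmentation needed" reply combine.
The 56-byte overhead is an assumption inferred from the 1500 and 1444
figures above, and all function and field names are hypothetical.

```python
"""Toy model: what an IPsec tunnel gateway does with one inner IP packet."""
from dataclasses import dataclass
from typing import Optional

# Assumption: 56 bytes of tunnel overhead, inferred from the thread's figures
# (MTU 1500 fails, 1444 works). Real overhead depends on the transforms used.
TUNNEL_OVERHEAD = 56
PATH_MTU = 1500  # assumed MTU between the two gateways


@dataclass
class Verdict:
    action: str                           # what happens to the packet
    outer_len: int                        # size after encapsulation
    advertised_mtu: Optional[int] = None  # value in "fragmentation needed"


def gateway(inner_len, inner_df, copy_df=True, sends_icmp=True,
            overhead=TUNNEL_OVERHEAD, path_mtu=PATH_MTU):
    """Return the outcome for one inner packet of inner_len bytes."""
    outer_len = inner_len + overhead
    if outer_len <= path_mtu:
        return Verdict("forward", outer_len)
    if not (inner_df and copy_df):
        # Outer DF is clear, so the encapsulated packet may be fragmented.
        return Verdict("fragment-outer", outer_len)
    if sends_icmp:
        # Host learns the usable MTU and can shrink its packets.
        return Verdict("drop+icmp", outer_len, path_mtu - overhead)
    # DF copied and no usable ICMP: large packets vanish, small ones pass.
    return Verdict("blackhole", outer_len)


def scenarios():
    """The cases from the thread, as (label, Verdict) pairs."""
    return [
        ("MTU 1500, DF copied, no ICMP", gateway(1500, True, sends_icmp=False)),
        ("MTU 1500, DF copied, ICMP sent", gateway(1500, True)),
        ("MTU 1500, DF not copied", gateway(1500, True, copy_df=False)),
        ("MTU 1444, DF copied, no ICMP", gateway(1444, True, sends_icmp=False)),
    ]


if __name__ == "__main__":
    for label, verdict in scenarios():
        print(f"{label:32} -> {verdict}")
```

In the "blackhole" case only full-size packets are lost, which matches the
report that file transfers fail while the link otherwise appears to work.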

