[vpn] MTU Problems

David McNeese dmcneese at lanl.gov
Wed Oct 3 17:13:37 EDT 2001

We have recently begun to have problems accessing some web sites via
our VPN connections.  We are using an Intel NetStructure as well as an
Intraport 2+.  Here's what has started:

The VPN process must add some additional information to the headers of
each frame; as a result, the MTU is somewhat less than 1500 bytes.
There are several web sites (Yahoo in particular) that are sending data
to us in 1500 byte frames with the "Do Not Fragment Bit" set.  The
result is, our boxes throw the frames away because they aren't
allowed to fragment them.  A message (NACK) is sent back to the website
requesting smaller frames (part of the RSVP protocol) or asking that
the "do not fragment bit" not be set.  We still get the 1500 byte
frames so the client can't get the page.

Has anybody else run into this?  Are you aware of a solution (it seems
to me it is a config problem at Yahoo)?


"Cheer up, things could be worse.  So
I cheered up and sure enough, things got worse."

David McNeese
CCN-5 Network Services Team
MS B255
505-667-5226 (voice)
dmcneese at lanl.gov
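
The drop-and-signal behaviour described in the message above, as an added example that is not part of the original post: a gateway check that compares an inbound IPv4 packet against the reduced tunnel MTU and, when the packet is too large and has DF set, builds the ICMP "fragmentation needed and DF set" message (type 3, code 4) that RFC 1191 defines for this case. The 56-byte tunnel overhead, the function names and the documentation-range addresses are assumptions made for the example.

```python
import struct

LINK_MTU = 1500
TUNNEL_OVERHEAD = 56                      # assumed encapsulation overhead, not from the post
TUNNEL_MTU = LINK_MTU - TUNNEL_OVERHEAD   # what actually fits through the tunnel

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (used by both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sample_packet(total_len: int, df: bool) -> bytes:
    """Constructed IPv4/TCP packet of total_len bytes with a zero-filled payload."""
    flags_frag = 0x4000 if df else 0      # bit 14 of the flags/offset word is DF
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + bytes(total_len - len(hdr))

def gateway_decision(packet: bytes, mtu: int = TUNNEL_MTU):
    """Return (action, icmp) where action is 'forward', 'fragment' or 'drop'."""
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if total_len <= mtu:
        return "forward", None
    if not flags_frag & 0x4000:
        return "fragment", None           # DF clear: the gateway may fragment
    # DF set and too large: drop, and tell the sender the next-hop MTU.
    ihl = (packet[0] & 0x0F) * 4
    quoted = packet[:ihl + 8]             # original IP header + first 8 payload bytes
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return "drop", icmp

if __name__ == "__main__":
    for length, df in [(1400, True), (1500, False), (1500, True)]:
        action, icmp = gateway_decision(sample_packet(length, df))
        mtu = struct.unpack("!H", icmp[6:8])[0] if icmp else None
        print(f"len={length} DF={df} -> {action} next_hop_mtu={mtu}")
```

If that ICMP message is filtered somewhere between the gateway and the sender, the sender never learns the smaller MTU and keeps transmitting 1500-byte packets, which matches the symptom described.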
