[vpn] MTU Problems

Sandy Harris sandy at storm.ca
Wed Oct 3 23:55:32 EDT 2001

David McNeese wrote:
> We have recently begun to have problems accessing some web sites via
> our VPN connections.  We are using an Intel NetStructure as well as an
> Intraport 2+ .  Here's what has started:
> The VPN process must add some additional information to the headers of
> each frame,  as a result the MTU is somewhat less than 1500 bytes.
> There are several web sites (Yahoo in particular) that is sending data
> to us in 1500 byte frames with the "Do Not Fragment Bit" set.  The
> result is, our boxes throw the frames away because they aren't
> allowed to fragment it.  A message (NACK) is send back to the website
> requesting smaller frames (part of the RSVP protocol)

My understanding is that you should send an ICMP packet.

> or asking that
> the "do not fragment bit" not be set.  We still get the 1500 byte
> frames so the client can't get the page.
> Has anybody else run into this?  Are you aware of a solution (it seems
> to me it is a config problem at Yahoo)?

VPN is sponsored by SecurityFocus.com

More information about the VPN mailing list