RE: CISCO VPN Concentrator and setting MTU per VPN Conne ction

[TSimons () Delphi-Tech com]

Wade-
Where are you changing the MTU?  ...I just went through this with different
hardware, it turned out we needed to change the MTU of the hosts that would
be using the VPN.

If Packet = x bytes

Local LAN Packet:       x
VPN Packet:     x + vpn header

In our case, any value of x < 1410, yielded fragmented packets through the
VPN. 

<snip from another article>
"...Unfortunately, the length of header+pad seems to depend on the data
being encrypted, as well as the crypto algorithm.  Perhaps a good rough
figure is just to adjust down by 40 bytes (outer IP + 20 bytes of ESP
header/pad)."

~Todd
-----Original Message-----
From: Wade Burgett [mailto:wadeb () burgettsys com]
Sent: Friday, September 05, 2003 4:05 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] CISCO VPN Concentrator and setting MTU per VPN
Connection


I'm working one end of a VPN performance problem that seems to be MTU 
and fragmentation related.  My end is a CISCO Hardware VPN 3002 client.  
The other end is a CISCO VPN Concentrator. 

I recommended lowering the MTU setting on both ends and then testing.  
But the admin on the VPN Concentrator end just told me it is impossible 
to change the MTU for a paritcular tunnel, that you can only change the 
MTU for all the tunnels, and there are several other remote sites.

Is this true?  Is there any way around this?

Thanks

Wade

-- 
Wade Burgett
wadeb () burgettsys com
(512)-796-7070
(503)-756-5633

Burgett Systems
http://www.burgettsys.com

ELIMINATE EMAIL VIRUSES - Use Linux


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards